Q: 2
What is needed to assess risk mitigation effectiveness in an organization?
Options
Discussion
Option C makes sense because just following standards or tracking KPIs doesn't directly tell you if controls are actually reducing risk cost-effectively. For risk mitigation, the effectiveness of controls vs their expense is what matters. I've seen similar questions in practice tests, and they focus on actual control outcomes not just inventory or compliance numbers. Pretty sure C is right here, unless I'm missing something.
D tbh, because an updated list of vulnerable systems (D) helps you spot ongoing exposure and new risks. C looks tempting but feels more like a cost review step than actual effectiveness monitoring. Not 100% sure, anyone see it differently?
C. D is tempting, but just knowing vulnerabilities doesn't show if controls actually mitigate risk. Anyone disagree?
I think C, had something like this in a mock exam and C was the best match there too.
Don't think it's C. D fits if you're talking about keeping track of what systems are still at risk.
Anyone else think option B could apply if the focus is on regulatory requirements, not just risk reduction?
C, seen this on other practice exams too. D is a trap since just listing assets doesn't measure if controls actually work.
Pretty sure it should be C. To see if risk mitigation is really working, you have to look at whether the controls are actually cost-effective and reducing risk, not just if systems are documented (D is more about asset inventory). Seen similar questions in practice material. Anyone see an argument for B here?
Not sure D fits, since effectiveness means checking if controls actually make a difference. C is what Cisco pushes here.