Effective CISSP Questions

Your company decides to implement fine-grained attribute-based access control (ABAC) and separate data and resources into micro-segments. Which of the following best describes this initiative in terms of risk treatment?
A. Risk avoidance
B. Risk share
C. Risk modification
D. Risk retention

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Risk modification.

ABAC and micro-segments are implemented to mitigate/modify risks or reduce their uncertainty and/or effect (impact). This question follows ISO 27005 and uses its terminologies to describe the risk treatment options (risk response strategies). 

Risk Context and Glossary

Risk management can be conducted in various contexts, e.g., different levels/tiers (organization, business processes, or information systems) or functions (financial, HR, or information security). It’s crucial to create a common glossary to communicate risk effectively. There are many risk management frameworks or standards that provide a shared glossary, such as ISO 31000, ISO 27005, NIST FARM, COSO, and PMI PMBOK.

The Effective CISSP: Security and Risk Management has more details.

The Effective CISSP - SRM



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

您的公司決定實施細粒度的基於屬性的訪問控制(ABAC),並將數據和資源分成微區段(micro-segments)。 從風險處置的角度來看,下列哪一項最能描述這個的作法?
A. 規避風險
B. 風險分擔
C. 風險修改
D. 風險保留


2 thoughts on “CISSP PRACTICE QUESTIONS – 20201031

Leave a Reply