When implementing the wireless network, you gave up WEP and turned to WPA2 because WEP has been cracked. Which of the following best describes your risk treatment or response strategy? (Wentz QOTD)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Modify.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Any encryption scheme we implement is a control that reduces the likelihood or impact of the risk, so swapping WEP for WPA2 is risk mitigation; ISO 27005 uses the term "risk modification" for this treatment option. Note that the risk is modified, not removed: WEP's RC4 keystream and IV weaknesses are gone, but WPA2 still carries residual risk (for example, a WPA2-PSK passphrase can be attacked offline from a captured four-way handshake if it is weak). Had we decided to avoid the risk instead, replacing wireless with Ethernet would be an excellent example of risk avoidance. Some use the term "eliminate" for risk avoidance, but I don't, because it implies the risk has been eradicated. Risk transference (or sharing) typically involves a third party, e.g., an insurance company or an outsourcing contractor. Risk acceptance would mean knowingly continuing to run WEP, which the scenario rules out.
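To make the "modify" decision concrete, here is an added example (not part of the original post) that audits wireless profiles in wpa_supplicant.conf syntax and flags those still relying on WEP, open access or WPA1, i.e., the networks whose risk still needs to be modified. The sample configuration is constructed for illustration; the field names (`key_mgmt`, `proto`, `wep_key0`, `pairwise`) follow wpa_supplicant's documented format, and the defaults assumed when a field is absent (`proto=WPA RSN`, `pairwise=CCMP TKIP`) are wpa_supplicant's own defaults.

```python
"""Classify wireless profiles by security protocol and mark those that
still need risk modification (WEP, open, or WPA1).  Added example, not
code from the original post; the sample config below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample: four network blocks in wpa_supplicant.conf syntax.
SAMPLE_CONF = """
network={
    ssid="legacy-warehouse"
    key_mgmt=NONE
    wep_key0=0102030405
    wep_tx_keyidx=0
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-PSK
    proto=RSN
    pairwise=CCMP
    psk="correct horse battery staple"
}
network={
    ssid="old-ap"
    key_mgmt=WPA-PSK
    proto=WPA
    pairwise=TKIP
    psk="summer2010"
}
network={
    ssid="guest-open"
    key_mgmt=NONE
}
"""


@dataclass
class Profile:
    ssid: str
    security: str  # OPEN, WEP, WPA (WPA1), or WPA2 (RSN)
    action: str    # MODIFY (treatment still required) or ACCEPT


_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)


def _params(body: str) -> dict:
    """Parse key=value lines of one network block into a dict."""
    params = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params


def classify(conf: str) -> list:
    """Return one Profile per network block, in file order."""
    profiles = []
    for match in _BLOCK.finditer(conf):
        p = _params(match.group(1))
        ssid = p.get("ssid", "<unknown>")
        # wpa_supplicant default when key_mgmt is absent is WPA-PSK WPA-EAP.
        key_mgmt = p.get("key_mgmt", "WPA-PSK WPA-EAP")
        if key_mgmt == "NONE":
            # key_mgmt=NONE with wep_keyN configured means WEP; otherwise open.
            security = "WEP" if any(k.startswith("wep_key") for k in p) else "OPEN"
        else:
            # proto=RSN (alias WPA2) is WPA2; default "WPA RSN" accepts both.
            proto = p.get("proto", "WPA RSN").split()
            security = "WPA2" if ("RSN" in proto or "WPA2" in proto) else "WPA"
        # Only WPA2 with the CCMP cipher available is treated as within appetite;
        # everything else is a risk that still needs to be modified.
        pairwise = p.get("pairwise", "CCMP TKIP").split()
        action = "ACCEPT" if security == "WPA2" and "CCMP" in pairwise else "MODIFY"
        profiles.append(Profile(ssid, security, action))
    return profiles


def needs_modification(conf: str) -> list:
    """SSIDs whose current treatment leaves the WEP/open/WPA1 risk in place."""
    return [p.ssid for p in classify(conf) if p.action == "MODIFY"]


if __name__ == "__main__":
    for profile in classify(SAMPLE_CONF):
        print(f"{profile.ssid:20} {profile.security:5} -> {profile.action}")
```

Run against a real `/etc/wpa_supplicant/wpa_supplicant.conf` the script lists the profiles to migrate; the three flagged in the sample (WEP, WPA1/TKIP and open) are exactly the ones the scenario's "modify" decision addresses, while `corp-wifi` on WPA2-CCMP is left as accepted residual risk.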
It is common for organizations and institutions, e.g., PMI, to define risk as an uncertain event with either a positive effect (an opportunity) or a negative effect (a threat). Risk practitioners prepare risk response strategies (PMI's term) or risk treatment options (the ISO term) to handle these risks.
When implementing a wireless network, you abandoned WEP and switched to WPA2 because WEP had already been cracked. Which of the following best describes your risk treatment or response strategy? (Wentz QOTD)