ある組織では、解雇された従業員のアカウントが企業ポリシーで定められた期間内に無効化または削除されていないことが判明しました。理由が不明なため、組織は詳細な情報を取得するために 3 か月間状況を監視することにしました。この決定の結果、次のようなリスクが発生しました。
正解:B
Risk acceptance is a risk response strategy that involves acknowledging the existence and potential impact of a risk, but deciding not to take any action to reduce or eliminate it. Risk acceptance can be appropriate when the cost or effort of implementing a risk response outweighs the benefit, or when there are no feasible or effective risk responses available. An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy, which poses a security risk to the organization. The organization is unsure of the reason for this issue, and has decided to monitor the situation for three months to obtain more information, rather than taking any immediate action to resolve the issue. As a result of this decision, the risk has been accepted, as the organization has chosen to tolerate the risk exposure for a certain period of time, and has not implemented any controls or measures to prevent or reduce the risk occurrence or impact. References = Risk Response Strategies: Avoid, Transfer, Mitigate, Accept, Risk Response Strategies: What They Are and How to Use Them, Risk Response Strategy:
Definition, Types, and Examples.