What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
A) probability calculation
B) documented control strategy
C) risk acceptance plan
D) mitigation plan

Question

Quizplus · Accepted Answer

Each information asset-threat pair should have a documented control strategy that clearly identifies any residual risk that remains after the proposed strategy has been executed. While probability calculations, risk acceptance plans, and mitigation plans may contribute to identifying residual risk, they are not sufficient on their own. A documented control strategy outlines the specific controls that will be implemented to reduce the risk associated with a given threat to an information asset.

What Should Each Information Asset-Threat Pair Have at a Minimum