ECCouncil Updated 712-50 Exam Questions and Answers by osian

 Risk Tolerance in Decision-Making:

Organizations with high risk tolerance may accept certain vulnerabilities due to business priorities, such as meeting market deadlines or competitive pressures.

 Key Considerations:

This decision reflects a calculated trade-off between security and business objectives.

Risk acceptance is documented in a formal risk management process to ensure accountability.

 Why Not Other Options:

Lack of risk management process (A): Would indicate an unstructured approach, which is less likely in this context.

Believing vulnerabilities are not real (B): Unlikely for high-risk vulnerabilities.

Lacking tools for assessment (D): Does not explain why the release proceeds despite known vulnerabilities.

 EC-Council CISO Framework:

Decision-making must align with the organization's risk appetite, a principle central to the EC-Council CISO program.

 Explanation:

Version/source control ensures that all code changes are tracked, and previously remediated flaws do not reappear.

Without robust source control practices, outdated or insecure code can inadvertently be reintroduced.

 Why Other Options Are Less Likely:

A. Ineffective configuration management controls: This pertains to system configurations, not application code.

B. Lack of change management controls: Change management addresses overall process but does not specifically prevent code reintroduction.

D. High turnover in the development department: While turnover may contribute to the issue, the root cause is inadequate version/source control.

 EC-Council CISO Reference:

Effective development practices, including version control, are emphasized as critical to maintaining application security.

 Definition of a Stakeholder:

Stakeholders include anyone with an interest in the success or failure of a project or initiative, irrespective of their direct financial involvement or usage of the system.

 Why Other Options Are Incorrect:

B. Vested in success and tied to budget: Budget involvement is not a prerequisite for being a stakeholder.

C. That has budget authority: Stakeholders are not limited to those with financial control.

D. That will ultimately use the system: Users are stakeholders, but stakeholders are not limited to end-users.

 EC-Council CISO Reference:

EC-Council defines stakeholders broadly to include all parties affected by or invested in a project's outcome, emphasizing their influence and varied roles.