Explanation/Reference:
Explanation:
Risk Acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.
Risk acceptance should be based on several factors. For example, is the potential loss lower than the countermeasure? Can the organization deal with the "pain" that will come with accepting this risk? This second consideration is not purely a cost decision, but may entail noncost issues surrounding the decision.
For example, if we accept this risk, we must add three more steps in our production process. Does that make sense for us? Or if we accept this risk, more security incidents may arise from it, and are we prepared to handle those?
Incorrect Answers:
A: Risk mitigation is to implement countermeasures to protect against the risk. This does not refer to the accepting of known risks because the cost benefit analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential lost that could be incurred.
C: Risk avoidance is where a company removes the risk. For example, by disabling a service or removing an application deemed to be a risk. This does not refer to the accepting of known risks because the cost benefit analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential lost that could be incurred.
D: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance.
This would transfer the risk to the insurance company. This does not to the accepting of known risks because the cost benefit analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential lost that could be incurred.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

Confidentiality supports the principle of "least privilege" by providing that only authorized individuals, processes, or systems should have access to information on a need-toknow basis. The level of access that an authorized individual should have is at the level necessary for them to do their job. In recent years, much press has been dedicated to the privacy of information and the need to protect it from individuals, who may be able to commit crimes by viewing the information.
Identity theft is the act of assuming one's identity through knowledge of confidential information obtained from various sources.
An important measure to ensure confidentiality of information is data classification. This helps to determine who should have access to the information (public, internal use only, or confidential). Identification, authentication, and authorization through access controls are practices that support maintaining the confidentiality of information.
A sample control for protecting confidentiality is to encrypt information. Encryption of information limits the usability of the information in the event it is accessible to an unauthorized person.
For your exam you should know the information below:
Integrity Integrity is the principle that information should be protected from intentional, unauthorized, or accidental changes.
Information stored in files, databases, systems, and networks must be relied upon to accurately process transactions and provide accurate information for business decision making. Controls are put in place to ensure that information is modified through accepted practices.
Sample controls include management controls such as segregation of duties, approval checkpoints in the systems development life cycle, and implementation of testing practices that assist in providing information integrity. Well-formed transactions and security of the update programs provide consistent methods of applying changes to systems. Limiting update access to those individuals with a need to access limits the exposure to intentional and unintentional modification.
Availability Availability is the principle that ensures that information is available and accessible to users when needed.
The two primary areas affecting the availability of systems are:
1.Denial-of-Service attacks and
2.Loss of service due to a disaster, which could be man-made (e.g., poor capacity planning resulting in system crash, outdated hardware, and poor testing resulting in system crash after upgrade) or natural (e.g., earthquake, tornado, blackout, hurricane, fire, and flood).
In either case, the end user does not have access to information needed to conduct business. The
criticality of the system to the user and its importance to the survival of the organization will
determine how significant the impact of the extended downtime becomes. The lack of appropriate
security controls can increase the risk of viruses, destruction of data, external penetrations, or
denial-of-service (DOS) attacks. Such events can prevent the system from being used by normal
users.
CIA
The following answers are incorrect:
Integrity - Integrity is the principle that information should be protected from intentional,
unauthorized, or accidental changes.
Availability - Availability is the principle that ensures that information is available and accessible to
users when needed.
Accuracy - Accuracy is not a valid CIA attribute.
Following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 314
Official ISC2 guide to CISSP CBK 3rd Edition Page number 350

The most effective method of mitigating data theft from an active user workstation is to disable use of portable devices. Portable devices are the devices that can be easily connected to or disconnected from a workstation, such as USB drives, external hard drives, flash drives, or smartphones. Portable devices can pose a risk of data theft from an active user workstation, as they can be used to copy, transfer, or exfiltrate data from the workstation, either by malicious insiders or by unauthorized outsiders. By disabling use of portable devices, the data theft from an active user workstation can be prevented or reduced.
* A. Implement full-disk encryption is not the most effective method of mitigating data theft from an active user workstation, but rather a method of mitigating data theft from a lost or stolen user workstation. Full-disk encryption is the process of transforming or encoding the entire data on a disk or a device into an unreadable or unintelligible form, using a secret key or algorithm. Full-disk encryption can protect the data from unauthorized access or disclosure if the disk or the device is lost or stolen, but it does not protect the data from unauthorized copying or transferring if the disk or the device is active and unlocked.
* B. Enable multifactor authentication is not the most effective method of mitigating data theft from an active user workstation, but rather a method of mitigating unauthorized access or login to a user workstation. Multifactor authentication is the process of verifying the identity and the legitimacy of a user or a device by requiring two or more factors or methods of authentication, such as something the user knows (e.g., password, PIN, or security question), something the user has (e.g., token, card, or smartphone), or something the user is (e.g., fingerprint, face, or voice). Multifactor authentication can prevent or reduce unauthorized access or login to a user workstation, but it does not prevent or reduce data theft from an active user workstation, especially by malicious insiders who have legitimate access or login credentials.
* C. Deploy file integrity checkers is not the most effective method of mitigating data theft from an active user workstation, but rather a method of detecting data tampering or corruption on a user workstation.
File integrity checkers are the software tools or applications that monitor and verify the integrity or the authenticity of the files or the programs on a workstation, by using cryptographic techniques, such as hashing, digital signatures, or certificates. File integrity checkers can detect data tampering or corruption on a user workstation, but they cannot prevent or reduce data theft from an active user workstation, as they do not prevent or restrict data copying or transferring.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 330; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6, page 291

In computer science, hierarchical protection domains, often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behavior (computer security). This approach is diametrically opposite to that of capability-based security.
Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
Special gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as
web browsers running in higher numbered rings must request access to the network, a resource
restricted to a lower numbered ring.
Ring Architecture
All of the other answers are incorrect because they are detractors.
References:
OIG CBK Security Architecture and Models (page 311)
and
https://en.wikipedia.org/wiki/Ring_%28computer_security%29