Risk and Control Selection Lab
Key Takeaways
- Scenario questions usually ask for the control that best reduces the stated risk, not the most expensive or technical option.
- Administrative, technical, and physical controls often work together as layered safeguards.
- Risk responses include mitigate, avoid, transfer, and accept, but acceptance requires appropriate authority.
- Control choice should account for asset value, likelihood, impact, business need, and residual risk.
- The ISC2 CC outline effective October 1, 2025 weights the five domains at 26, 10, 22, 24, and 18 percent; integrated review should cross all domains.
Integrated CC questions often give you a business problem first and a security term second. Read the asset, threat, vulnerability, impact, and constraint before choosing a control. The current ISC2 CC outline is effective October 1, 2025, with a new outline effective September 1, 2026. The current exam uses computer adaptive testing, allows 2 hours, includes 100 to 125 items, and uses a passing grade of 700 out of 1000. Do not translate that score into a percentage.
Domain weights are security principles 26 percent, business continuity 10 percent, access control 22 percent, network security 24 percent, and security operations 18 percent, so review should combine all five rather than concentrating on one.
Lab Scenario
A small healthcare billing company stores customer invoices, payment details, and support tickets. Staff work from an office and remotely. The company has limited budget, no dedicated security team, and a recent audit found shared administrator passwords, missing backup restore tests, exposed remote desktop access, and no formal approval for accepting risk. Management asks for "the fastest way to be secure."
The best exam answer will not be "buy one tool." The practical answer is to reduce the highest risks with controls that match the environment. Shared administrator passwords create accountability and privilege risks. Exposed remote desktop creates network attack exposure. Untested backups create recovery uncertainty. Informal risk acceptance creates governance risk because no authorized person has approved residual risk.
Decision Table
| Finding | Primary risk | Best first control | Control type | Why it fits |
|---|---|---|---|---|
| Shared administrator password | No accountability, broad misuse | Unique admin accounts with least privilege and MFA | Technical and administrative | Ties actions to individuals and reduces credential abuse |
| Internet-exposed RDP | Remote brute force or compromise | Block direct exposure; require VPN or managed remote access | Technical | Removes unnecessary external attack surface |
| Backups never restored | Recovery failure during ransomware or outage | Schedule restore tests and document results | Administrative and technical | Proves availability control works |
| No risk owner | Unauthorized risk acceptance | Define risk acceptance authority | Administrative | Ensures residual risk is a business decision |
| Visitor access to billing area | Unauthorized viewing or tampering | Badges, escort rules, and locked rooms | Physical and administrative | Protects sensitive workspaces |
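The "Backups never restored" row is the one finding whose control can be proven rather than asserted. The following is an added example for this lab, not ISC2 material or code from any backup product: it snapshots a set of constructed sample files, backs them up to a tar.gz archive (an assumed format), restores them into a scratch directory, verifies each restored file by SHA-256 against the pre-backup manifest, and records the outcome as one JSON line per run. The `tamper` option corrupts a restored file first, so the test also demonstrates that it can fail.

```python
"""Scheduled backup restore test for the lab's "backups never restored" finding.

Added example for this lab, not code from ISC2 or any backup product. The sample
files, the tar.gz format and the JSON-lines result log are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-ins for billing data; a real test points at the production backup set.
SAMPLE_FILES = {
    "invoices/2025-01.csv": b"invoice_id,amount\n1001,250.00\n1002,99.50\n",
    "tickets/open.json": b'[{"id": 7, "subject": "card declined"}]',
}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_sample_data(root: Path) -> dict[str, str]:
    """Create the source tree; return the manifest of relative path -> SHA-256."""
    manifest = {}
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        manifest[rel] = sha256_file(target)
    return manifest


def create_backup(source: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore(archive: Path, restore_dir: Path) -> None:
    """Extract into a scratch directory, refusing members that could escape it."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            name = Path(member.name)
            if name.is_absolute() or ".." in name.parts or member.issym() or member.islnk():
                raise ValueError(f"unsafe archive member: {member.name}")
        tar.extractall(restore_dir)


def verify(restore_dir: Path, manifest: dict[str, str]) -> dict:
    """Compare every restored file against the manifest taken before the backup."""
    missing = [rel for rel in manifest if not (restore_dir / rel).is_file()]
    mismatched = [
        rel for rel in manifest
        if rel not in missing and sha256_file(restore_dir / rel) != manifest[rel]
    ]
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_checked": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "passed": not missing and not mismatched,
    }


def run_restore_test(tamper: str | None = None, log_path: Path | None = None) -> dict:
    """Full cycle: snapshot, back up, restore, verify, record the result.

    `tamper` corrupts one restored file before verification, simulating a bad
    restore so the test is shown to fail as well as pass.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, archive, restore_dir = base / "live", base / "backup.tar.gz", base / "restore"
        manifest = write_sample_data(source)
        create_backup(source, archive)
        restore(archive, restore_dir)
        if tamper:
            (restore_dir / tamper).write_bytes(b"corrupted")
        result = verify(restore_dir, manifest)
    if log_path is not None:  # audit evidence: one JSON line per test run
        with log_path.open("a") as log:
            log.write(json.dumps(result) + "\n")
    return result


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

Scheduling this from cron or a task scheduler and keeping the log is what turns "we have backups" into a documented availability control; the manifest must be captured from the live data before the backup runs, otherwise the comparison proves nothing.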
Risk Response Drill
Use four response verbs carefully. Mitigate means apply a control to reduce likelihood or impact. Avoid means stop the risky activity. Transfer means shift some financial or operational impact, commonly through insurance or contract terms, while still keeping some responsibility. Accept means live with residual risk after an authorized decision. A support technician should not accept enterprise risk alone just because a fix is inconvenient.
For the billing company, leaving RDP open because "nothing bad happened yet" is not responsible acceptance. Blocking RDP from the internet and using VPN with MFA is mitigation. Stopping remote administration entirely could be avoidance, but may not support operations. Cyber insurance may transfer some financial impact, but it does not replace backups, access control, or incident response.
Multi-Domain Reasoning
Many PBQ-style prompts ask you to drag, match, or choose controls for a mixed environment. Build a short chain:
| Step | Question | Example answer |
|---|---|---|
| 1 | What asset matters? | Billing records and payment data |
| 2 | What can go wrong? | Unauthorized access, ransomware, outage |
| 3 | Which CIA goal is most affected? | Confidentiality and availability |
| 4 | What control directly reduces that risk? | MFA, least privilege, tested backups |
| 5 | What remains? | Residual risk approved by management |
If two answers look reasonable, prefer the one that is specific to the scenario. "Encrypt everything" may help confidentiality, but it does not fix shared administrator accounts or prove backups restore. "Create a policy" may be necessary, but a policy alone does not block exposed RDP. The strongest CC answer usually pairs governance with an implementable control and keeps business operations in view.
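The Risk Response Drill and the five-step chain above can be worked through as a small risk register. The following is an added example for this lab, not code from ISC2 or any GRC product: each finding carries the asset, threat, and CIA goal (steps 1 to 3), controls cut likelihood or impact points (step 4), and residual risk is what remains (step 5). The four verbs are separate operations, transfer reduces impact only, and `accept` refuses anyone outside the acceptance authority. The 1-5 scales, the control effects, and the role names are constructed assumptions.

```python
"""Risk register walking the billing-company findings through the five-step
chain and the four response verbs, with an acceptance-authority check.

Added example for this lab, not code from ISC2 or any GRC product. The 1-5
scales, the control effects and the role names are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed governance rule: only these roles may accept residual risk.
ACCEPTANCE_AUTHORITY = {"business owner", "ciso"}


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                # technical, administrative or physical
    likelihood_cut: int = 0  # likelihood points the control removes
    impact_cut: int = 0      # impact points the control removes


@dataclass
class Finding:
    name: str
    asset: str               # step 1: what asset matters?
    threat: str              # step 2: what can go wrong?
    cia_goal: str            # step 3: which CIA goal is most affected?
    likelihood: int          # 1-5, constructed scale
    impact: int              # 1-5, constructed scale
    controls: list[Control] = field(default_factory=list)  # step 4
    responses: list[str] = field(default_factory=list)
    accepted_by: str | None = None                         # step 5

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        likelihood = max(0, self.likelihood - sum(c.likelihood_cut for c in self.controls))
        impact = max(0, self.impact - sum(c.impact_cut for c in self.controls))
        return likelihood * impact


def mitigate(finding: Finding, control: Control) -> Finding:
    finding.controls.append(control)
    finding.responses.append("mitigate")
    return finding


def avoid(finding: Finding) -> Finding:
    # Stopping the activity removes the likelihood, and possibly the business function with it.
    finding.likelihood = 0
    finding.responses.append("avoid")
    return finding


def transfer(finding: Finding, mechanism: str, impact_cut: int) -> Finding:
    # Insurance or contract terms shift part of the financial impact only; likelihood
    # is untouched and the organisation keeps responsibility for the rest.
    finding.controls.append(Control(mechanism, "administrative", impact_cut=impact_cut))
    finding.responses.append("transfer")
    return finding


def can_accept(role: str) -> bool:
    return role.strip().lower() in ACCEPTANCE_AUTHORITY


def accept(finding: Finding, who: str, role: str) -> Finding:
    if not can_accept(role):
        raise PermissionError(f"{who} ({role}) is not authorised to accept risk for {finding.name}")
    finding.responses.append("accept")
    finding.accepted_by = who
    return finding


def build_register() -> dict[str, Finding]:
    rdp = Finding("Internet-exposed RDP", "billing servers", "remote brute force", "confidentiality", 5, 5)
    admin = Finding("Shared admin password", "admin accounts", "untraceable misuse", "confidentiality", 4, 4)
    backups = Finding("Backups never restored", "billing records", "ransomware or outage", "availability", 3, 5)

    mitigate(rdp, Control("Block internet RDP; VPN with MFA", "technical", likelihood_cut=4))
    mitigate(admin, Control("Unique admin accounts, least privilege, MFA", "technical", 2, 2))
    mitigate(backups, Control("Scheduled, documented restore tests", "administrative", impact_cut=3))
    transfer(backups, "Cyber insurance", impact_cut=1)

    # Residual risk is accepted by an authorised owner, not by whoever finds the fix inconvenient.
    accept(rdp, "Finance director", "business owner")
    return {f.name: f for f in (rdp, admin, backups)}


if __name__ == "__main__":
    for f in build_register().values():
        print(f"{f.name}: inherent {f.inherent}, residual {f.residual}, responses {f.responses}")
```

With these constructed numbers, RDP drops from 25 to 5 after blocking and VPN with MFA, the shared password finding from 16 to 4, and the backup finding from 15 to 3 after restore tests plus insurance; the insurance alone would have left it at 12, which is the drill's point that transfer does not replace the control. A help desk technician calling `accept` gets a `PermissionError`, mirroring the first practice question below.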
A manager asks a help desk technician to formally accept the risk of leaving internet-exposed RDP enabled for convenience. What is the best response?
Which control most directly addresses the risk created by shared administrator passwords?
A company buys cyber insurance but does not test backups or remove unnecessary exposed services. Which risk response is insurance most closely associated with?