Weekly CISSP Practice
Exam Questions
Week 1 - Question 2
 Scenario: You’re the new CISO at a mid-sized medical tech company. Your team just discovered that a server holding non-critical marketing data is sitting on an old OS that can’t be patched. A high-end firewall protects it, and the data isn't worth much, but a breach would still be an "incident." Your team presents four different ways to handle this.
Which of the following represents the "Risk Assignment" (or Transfer) strategy?
A. Pulling the server off the network and deleting the data since the marketing campaign is over.
B. Buying a specialized cyber-insurance policy that covers data breaches for that specific segment of the network.
C. Setting up an Intrusion Prevention System (IPS) in front of the server to block known exploits.
D. Documenting that the risk is low enough to just monitor the logs and deal with a breach if it happens.
The Winner: B
The "Real Talk" Explanation
In the CISSP world, Risk Assignment (Transfer) is the "not my problem" (financially speaking) move. You aren't making the risk go away; you’re just making sure someone else pays the bill if things go sideways. One caveat the exam likes: you can transfer the financial impact, but never the accountability. If that server gets breached, the insurer may cover the cost, but the company still owns the incident and whatever legal, contractual, or regulatory obligations come with it.
Here’s the breakdown of why B is the answer and how the others try to trick you:
1. Why B is "Assignment."
When you see Insurance or Outsourcing (contracts and Service Level Agreements), think Assignment. You are shifting the financial impact to a third party. The risk still exists, the server could still get hacked, but the bill for the loss lands on the insurer (or the provider) instead of your budget. Note that nothing about the likelihood changes; only who pays does.
2. The Distractors (The other "Risk" words)
- Option A is Risk Avoidance: This is the most effective but most painful move. You literally "stop doing" the thing that causes the risk. No server, no risk. Simple, but usually kills business productivity.
- Option C is Risk Mitigation (Reduction): This is where we spend most of our time. You’re putting in "controls" (the IPS) to lower the likelihood or impact of a hack. You're making the risk smaller, but it’s still there.
- Option D is Risk Acceptance: This is the "managerial" choice. You’ve looked at the cost of a fix versus the value of the data and decided it’s not worth the money to fix. You acknowledge the risk exists and move on.
The Secret Sauce: Residual Risk
One thing the CISSP loves to hammer is Residual Risk. Residual risk is whatever is left after your controls are in place: the total risk minus the part the controls actually remove. No matter how many firewalls you buy (Mitigation), you will always have a little bit of risk left over, and that leftover is the number management has to formally accept.
Key Exam Tip: Management is the only group that can "Accept" risk. As a security pro, your job is to give them the facts so they can sign the paper. If you accept the risk yourself without telling anyone, and it blows up, that’s on you!
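The "cost of a fix versus the value of the data" judgement and the residual-risk idea are easier to see with numbers. The following is an added example (not part of the original post): it uses the standard CISSP quantitative formulas SLE = AV × EF and ALE = SLE × ARO, which the post itself does not spell out, and every figure in it (asset value, exposure factor, rates, premiums, control costs) is made up for illustration. It also encodes the exam tip: an "accept" option with no named management owner is rejected.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed figures for the unpatchable marketing server. Not real data.
ASSET_VALUE = 40_000.0     # AV: rebuild cost plus breach-handling cost
EXPOSURE_FACTOR = 0.5      # EF: fraction of AV lost in a single breach
BASELINE_ARO = 0.4         # annualized rate of occurrence with today's controls


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: what one breach costs (AV x EF)."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: expected loss per year (SLE x ARO)."""
    return sle(asset_value, exposure_factor) * aro


@dataclass
class Option:
    """One of the four risk-treatment choices from the question."""
    name: str
    strategy: str                      # "avoid" | "transfer" | "mitigate" | "accept"
    annual_cost: float = 0.0           # premium, IPS licence, decommissioning work, ...
    aro_after: Optional[float] = None  # likelihood left after the control (avoid/mitigate)
    loss_covered: float = 0.0          # fraction of each loss a third party pays (transfer)
    accepted_by: Optional[str] = None  # management role that signed the acceptance

    def residual_ale(self) -> float:
        """Expected annual loss the company still carries after this option.

        Avoidance and mitigation change the likelihood (ARO); transfer changes who
        pays; acceptance changes nothing, so the whole ALE remains.
        """
        aro = BASELINE_ARO if self.aro_after is None else self.aro_after
        own_share = 1.0 - self.loss_covered
        return ale(ASSET_VALUE, EXPOSURE_FACTOR, aro) * own_share

    def total_annual_cost(self) -> float:
        """What the option really costs per year: controls plus leftover risk."""
        return self.annual_cost + self.residual_ale()


def validate(option: Option) -> None:
    """Exam rule: only management can accept risk, and it must be on record."""
    if option.strategy == "accept" and not option.accepted_by:
        raise ValueError(f"{option.name}: risk acceptance needs a named management signer")
    if not 0.0 <= option.loss_covered <= 1.0:
        raise ValueError(f"{option.name}: loss_covered must be a fraction")


def cheapest_option(options: List[Option]) -> Option:
    """Return the option with the lowest (controls + residual risk) per year."""
    for opt in options:
        validate(opt)
    return min(options, key=lambda o: o.total_annual_cost())


# The four answers from the question, with hypothetical cost figures.
OPTIONS = [
    Option("A: pull server, delete data", "avoid", annual_cost=6_000.0, aro_after=0.0),
    Option("B: cyber-insurance for the segment", "transfer", annual_cost=2_500.0, loss_covered=0.8),
    Option("C: IPS in front of server", "mitigate", annual_cost=3_000.0, aro_after=0.1),
    Option("D: monitor logs and accept", "accept", annual_cost=0.0, accepted_by="CIO"),
]

if __name__ == "__main__":
    print(f"Baseline ALE: {ale(ASSET_VALUE, EXPOSURE_FACTOR, BASELINE_ARO):,.0f}")
    for opt in OPTIONS:
        print(f"{opt.name:40s} residual {opt.residual_ale():8,.0f}  total {opt.total_annual_cost():8,.0f}")
    print("Cheapest overall:", cheapest_option(OPTIONS).name)
```

Two things worth noticing when you run it: the insurance option (B) still leaves a non-zero residual figure, because the insurer only pays a share of each loss and the breach itself is just as likely as before; and swapping the acceptance option's `accepted_by` for `None` makes `cheapest_option` refuse to rank it at all, which is the "sign the paper" rule from the exam tip in code form.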
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.