A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?
Risk acceptance must be accountable, time-bound, and visible. The report should be tuned to the legal/privacy audience while preserving factual accuracy.
Why this answer
Option C is correct because when a business owner accepts delayed remediation for a production system, the report must formally document the risk acceptance rather than just the decision to defer. At minimum this means recording the risk owner (the named person accountable), the reason the risk is being accepted, any compensating controls in place while the fix is pending, a review date at which the risk is reassessed, and an expiry date after which the acceptance lapses and must be renewed or the remediation completed. For a legal/privacy stakeholder, this record is an auditable trail showing who accepted the risk, why, under which controls, and for how long, which is what demonstrates due diligence and supports compliance with regulatory requirements such as GDPR or HIPAA.
Exam trap
Cisco often tests the misconception that a risk acceptance report can simply note the decision to defer without recording the compensating controls or an expiry date. Candidates who fall for this pick an incomplete answer that leaves the acceptance open-ended and omits the elements an auditor would look for.
How to eliminate wrong answers
Option A is wrong because omitting the accepted risk from the report hides it from exactly the people who need it: accepting a risk does not make it go away, and legal/privacy stakeholders require full disclosure of open risks to assess liability and regulatory exposure, so leaving it out also breaks the audit trail. Option B is wrong because a report that contains only the analyst's personal opinion is subjective and lacks the objective, verifiable facts (owner, rationale, controls, dates) that legal and privacy review depends on; an opinion is not defensible in an audit or a legal proceeding.