Which of the following should an information security manager do FIRST upon learning of noncompliance with an impending information security regulatory change?
A. Conduct a business impact and vulnerability analysis.
B. Report the noncompliance to senior management.
C. Assess the risk and cost of noncompliance.
D. Implement the correct measures to become compliant.
C. Assess the risk and cost of noncompliance.
Before taking any action, it's essential to understand the potential consequences and implications of noncompliance. By assessing the risk and cost, you can make informed decisions about how to proceed. This assessment will help you determine the severity of the noncompliance, its potential impact on the organization, and whether immediate action is required. Once you have a clear understanding of the risk and cost, you can then proceed with the appropriate actions, which may include conducting a business impact and vulnerability analysis (A), reporting to senior management (B), and implementing corrective measures (D).
The first step that an information security manager should take upon learning of noncompliance with an impending information security regulatory change is to assess the risk and cost of noncompliance. This will help the manager to determine the urgency of the situation and the best course of action.
Once the risk and cost of noncompliance have been assessed, the manager can then report the noncompliance to senior management and develop a plan to become compliant. The manager may also need to conduct a business impact and vulnerability analysis to determine the impact of noncompliance on the organization.
Implementing the correct measures to become compliant should be the final step in the process. This will ensure that the organization is able to comply with the regulatory change and avoid any penalties.
Agree with others.
C. Assess the risk and cost of noncompliance.
The "correct" answer, D. Implement the correct measures to become compliant, bypasses the balance a security lead has with the business. The business must be part of the decision making. Assessing the cost of noncompliance serves to inform the business before spending any time/money to implement.
Chapple's 2022 CISM Study Guide, p16 "Info security functions exist for only one purpose: to serve the business."
You have to assess first to see if the business is willing to take on the risk.
Community vote distribution: A (35%), C (25%), B (20%)