Answer is B: To identify noncompliance in the early design stage.
According to CISM Domain 3: Information Security Program Development and Management:
Task 3.5: "Integrate information security requirements into organizational processes (e.g., change control, mergers and acquisitions, development projects)."
This means the information security manager must:
1. Ensure that security policies and standards are considered early in the SDLC
2. Help prevent security noncompliance before it becomes costly to fix
3. Act as a governance checkpoint, not necessarily a deep technical reviewer
Why the other options don't match the CISM approach:
A. Identify software security weaknesses: This is hands-on technical work, not the manager’s role. It’s the domain of security testers or AppSec engineers.
C. Assess and approve the security application architecture: According to CISM, the IS manager reviews and advises but doesn't directly own or approve architecture.
D. Enhance awareness for secure software design: Yes, this is a supporting role, but not the core objective during project involvement.
I go for A. I don't think it's C because C talks about the security architecture. What about other aspects like testing, coding, etc.? Moreover, the security manager acts as a consultant and usually has no competence in formally approving matters. In such cases, better to align with the steering committee.
C. To assess and approve the security application architecture
The PRIMARY role of an information security manager in a software development project is typically to assess and approve the security application architecture. This involves ensuring that the design and architecture of the software include appropriate security measures and that it complies with security best practices and organizational security policies. While the other options (A, B, and D) are important responsibilities of an information security manager in the context of software development, assessing and approving the security architecture is a fundamental step to establish a strong foundation for secure software development.
The PRIMARY role of an information security manager in a software development project is D. To enhance awareness for secure software design.
The information security manager plays a crucial role in promoting and ensuring secure software development practices throughout the software development lifecycle. Their primary responsibility is to raise awareness and educate the development team on secure software design principles, best practices, and industry standards.
C. To assess and approve the security application architecture