A penetration test was conducted by an accredited third party. Which of the following should be the information security manager's FIRST course of action?
A. Request funding needed to resolve the top vulnerabilities.
B. Ensure a risk assessment is performed to evaluate the findings.
C. Report findings to senior management.
D. Ensure vulnerabilities found are resolved within acceptable timeframes.
For those ChatGPT lovers, below is also from ChatGPT:
Penetration test results should be reported to senior management directly without the information security manager's assessment
Reporting penetration test results directly to senior management without the assessment of the information security manager could be risky. The information security manager typically has a deep understanding of the organization's security posture, its vulnerabilities, and its risk tolerance. Their assessment is valuable in interpreting the penetration test results accurately and providing context to senior management. Excluding the information security manager from this process could lead to misunderstandings or misinterpretations of the results.
Reporting the findings of a test conducted by a third party, accredited or not, to senior management without ascertaining them is hasty. After all, pentesters have tunnel vision; they are highly technical and do not take the business perspective into consideration. Reviewing the findings with business owners, or as in our case, evaluating the findings through a risk assessment is important.
The information security manager should prioritize option B: Ensure a risk assessment is performed to evaluate the findings as their first course of action.
A risk assessment is crucial to understand the impact and likelihood of the vulnerabilities identified during the penetration test. It helps in determining the potential risks and prioritizing them based on their severity and potential impact on the organization's security posture.
Once the risk assessment is performed, the information security manager can then proceed with other actions such as reporting findings to senior management, requesting funding, and ensuring vulnerabilities are resolved within acceptable timeframes. However, without a proper understanding of the risks associated with the vulnerabilities, these actions may not be prioritized effectively.
C. Report findings to senior management.
The first course of action for the information security manager after a penetration test conducted by an accredited third party should be to report the findings to senior management. This step is crucial because it provides transparency and ensures that the organization's leadership is aware of the security vulnerabilities and risks identified during the penetration test.
Once senior management is informed, they can make informed decisions about how to proceed, which may include:
Allocating funding (option A) to address the identified vulnerabilities.
Initiating a risk assessment (option B) to evaluate the findings in more detail.
Establishing priorities for resolving vulnerabilities (option D) within acceptable timeframes.
However, it's essential to start by reporting the findings to senior management so that they can be involved in the decision-making process and provide the necessary support and resources for addressing security issues.
C. Report findings to senior management.
Reporting the findings to senior management is essential because it ensures that the highest levels of the organization are aware of the security vulnerabilities and risks identified during the penetration test. This allows senior management to make informed decisions about allocating resources, prioritizing actions, and setting the overall direction for addressing the security issues identified. Once senior management is informed, subsequent actions such as requesting funding, conducting a risk assessment, and resolving vulnerabilities can be coordinated and prioritized based on their strategic importance to the organization.
In my company, pentest results must be reviewed before reporting to senior management, to validate the business relevance. Recommendations must be customized before submission.
If C is correct, a generated report can conclude; why would we pursue CISM? Our existence has a reason.
If a pen test is done by a dependable accredited third party, why would you need to repeat a risk assessment? Isn't their study / analysis considered concrete?
Because you would want to validate how those findings impact your organization. Based on the risk assessment you can then determine the appropriate security measures to prevent further findings.
C. Report findings to senior management.
Reporting the findings to senior management is the first step that should be taken after a penetration test. It is crucial to inform senior management about the results, including the identified vulnerabilities and potential risks to the organization's information security. This allows management to have a clear understanding of the current security posture and make informed decisions regarding risk mitigation and resource allocation.
The correct answer is (B) Ensure a risk assessment is performed to evaluate the findings. Because without validating the results, any actions that come next would lead to some erroneous actions/results.
Rationale:
(A) It's not A because funding should only be asked for once we know the results from the pentest are valid and need to be acted against based on the org's risk appetite for the findings.
(C) Reporting to management without validating the results is not a smart idea as it can call one's judgment into question.
(D) The question is whether these need to be addressed in the first place and in what order. Without doing a risk assessment, step D is premature.
The information security manager's FIRST course of action after a penetration test should be to report the findings to senior management. This is because senior management needs to be aware of the risks that have been identified and the potential impact of those risks on the organization. From there, the information security manager can work with management to determine the appropriate course of action, which may include requesting funding, performing a risk assessment, or resolving vulnerabilities within acceptable timeframes.
A risk assessment would evaluate potential risks and threats that could disrupt operations and assess the likelihood and impact, validating the third party's findings.