I am split between B and C but going with C. Making sure changes are not implemented without authorization is the primary purpose of the whole change management process and everyone involved. The question specifically asks what the PRIMARY objective of IT security is in the process, and to me that is not necessarily about work authorization but making sure the behavior of the controls we have in place is not influenced by the change.
A good change management process includes segregation between development, testing and operational environments. In the testing phase you check all the requirements and security controls you want to have.
CISM Exam Prep Guide (2nd ed.), p. 159:
"For effective change management, it is important that the security team be apprised of every major change. It is recommended to include representation from the security team on the change control board. This will ensure that security aspects are considered for any change."
So C seems most correct to me here, although I'm also torn between B and C.
The PRIMARY objective of information security involvement in the change management process is to reduce the likelihood of control failure. By having information security involved in the change management process, it can ensure that changes are implemented in a controlled and secure manner, minimizing the risk of unexpected outcomes or failures that could result in security breaches or other negative impacts. This involves assessing the security impact of proposed changes, ensuring that proper security controls are in place, and verifying that the changes have been implemented as planned.
The primary objective of information security involvement in the change management process is to meet obligations for regulatory and legal compliance because the change management process must ensure that changes to the information systems are made in accordance with legal and regulatory requirements. This helps to maintain the confidentiality, integrity, and availability of sensitive information, and reduces the risk of data breaches, unauthorized access, and other security incidents. By ensuring that changes are made in a controlled and authorized manner, information security can help organizations to meet their obligations under various regulations, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS).