Exam CISM topic 1 question 122 discussion

Actual exam question from Isaca's CISM
Question #: 122
Topic #: 1

An information security manager discovers that the organization's new information security policy is not being followed across all departments. Which of the following should be of GREATEST concern to the information security manager?

  • A. Business unit management has not emphasized the importance of the new policy.
  • B. Different communication methods may be required for each business unit.
  • C. The wording of the policy is not tailored to the audience.
  • D. The corresponding controls are viewed as prohibitive to business operations.
Suggested Answer: D

Comments

helg420
7 months, 3 weeks ago
Selected Answer: D
D. The corresponding controls are viewed as prohibitive to business operations. When an organization's new information security policy is not being followed across all departments, the greatest concern for an information security manager should be that the controls outlined in the policy are viewed as prohibitive to business operations. This indicates a significant disconnect between the security measures and practical business functions, suggesting that the security controls may be overly restrictive, poorly designed, or not well integrated with current business processes. This is a critical concern because if security controls hinder business operations, it leads to a higher likelihood of non-compliance as departments might bypass or ignore these controls to meet business objectives. Such behavior can expose the organization to risks and vulnerabilities that the policy intends to mitigate.
upvoted 1 times
...
AaronS1990
1 year, 3 months ago
Selected Answer: D
Remember that when creating this policy in the first place the ISM should put alignment with business needs at the top of their agenda. For him to be told that it isn't aligning or supporting the needs of the business would be of great concern.
upvoted 3 times
...
oluchecpoint
1 year, 4 months ago
D. This is the greatest concern because if employees perceive the security controls as overly burdensome and detrimental to their ability to perform their jobs efficiently, they may be less likely to follow the policy. Balancing security with operational efficiency is essential to ensure that security policies are both effective and practical.
upvoted 2 times
...
pc2502
1 year, 4 months ago
D seems the right answer. As a manager, I'll be more worried if D is the case, and that is the question: what will be more concerning.
upvoted 1 times
...
Teesmd
1 year, 5 months ago
Selected Answer: D
D: Seems to be the answer, and my reason is that most of the time the business units do not lay emphasis on the security policy because they look at the security policy as burdensome and as interfering with their business flow.
upvoted 2 times
...
jennarink13
1 year, 6 months ago
D. Agree with Broesweelies
upvoted 2 times
...
Jae_kes
1 year, 6 months ago
Selected Answer: A
A. Business unit management has not emphasized the importance of the new policy. Explanation: Among the options provided, the greatest concern for the information security manager should be that business unit management has not emphasized the importance of the new policy. It is crucial for management to demonstrate support and commitment to the information security policy for it to be effectively implemented and followed throughout the organization.
upvoted 2 times
[Removed]
1 year, 6 months ago
ChatGPT is wrong
upvoted 2 times
...
...
richck102
1 year, 7 months ago
D. The corresponding controls are viewed as prohibitive to business operations.
upvoted 2 times
...
Abhey
1 year, 8 months ago
Selected Answer: A
A. Business unit management has not emphasized the importance of the new policy. If the new information security policy is not being followed across all departments, it suggests that there is a lack of support from business unit management in enforcing the policy.
upvoted 1 times
...
bambs
1 year, 9 months ago
Selected Answer: A
Business unit management has not emphasized the importance of the new policy should be of greatest concern to the information security manager when discovering that the organization's new information security policy is not being followed across all departments.
upvoted 2 times
...
Broesweelies
1 year, 11 months ago
Selected Answer: D
If the new information security policy is not being followed across all departments, it may indicate that the corresponding controls are viewed as burdensome or restrictive to business operations. This means that the users and employees do not see the value in following the policy and controls, and therefore they do not adhere to them. This can create significant security risks, as the organization's sensitive data and systems may be left unprotected.
upvoted 4 times
...
Prospect57
1 year, 11 months ago
B was my answer. This question was kind of hard for me to follow. In case anyone else may be struggling with this one.
upvoted 1 times
Rowlandmarc
1 year, 10 months ago
The question is looking at the greatest concern from a security perspective, which would be D in this case.
upvoted 2 times
...
...
Community vote distribution: A (35%), C (25%), B (20%), Other