ExamTopics Logo
Mail Us[email protected]
Menu
Isaca Discussions
exam questions

Exam CISM All Questions

View all questions & answers for the CISM exam
Go to Exam

Exam CISM topic 1 question 43 discussion

Actual exam question from Isaca's CISM
Question #: 43
Topic #: 1
[All CISM Questions]

Regular vulnerability scanning on an organization's internal network has identified that many user workstations have unpatched versions of software. What is the
BEST way for the information security manager to help senior management understand the related risk?

  • A. Include the impact of the risk as part of regular metrics.
  • B. Send regular notifications directly to senior managers.
  • C. Recommend the security steering committee conduct a review.
  • D. Update the risk assessment at regular intervals.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by CarlLimps at Feb. 10, 2023, 10:04 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
dark_3k03r
Highly Voted 1 year, 3 months ago
Selected Answer: A
The correct Answer is A B - Sending an alert doesn't help anyone understand the impact C - Sending recommendation without showing impact doesn't help anyone to understand the impact D - Updating the risk assessments in intervals doesn't show the overall impact. Risk is all about the impact and probability. The only one that addresses this is A
upvoted 5 times
...
Viperhunter
Highly Voted 7 months, 3 weeks ago
Selected Answer: A
Including the impact of the risk as part of regular metrics allows senior management to receive ongoing, systematic information about the state of vulnerabilities in user workstations. By incorporating this information into regular metrics, senior management can better understand the potential consequences of unpatched software and make informed decisions about prioritizing and allocating resources to address the identified risk. While options like sending regular notifications directly to senior managers (option B), recommending the security steering committee conduct a review (option C), and updating the risk assessment at regular intervals (option D) may also be valuable actions, incorporating the impact into regular metrics provides a consistent and integrated approach to communicating the risk over time.
upvoted 5 times
...
richck102
Most Recent 1 year, 1 month ago
A. Include the impact of the risk as part of regular metrics.
upvoted 2 times
...
CarlLimps
1 year, 5 months ago
Selected Answer: A
A. Makes sense. Non sec folks typically don't have any idea what the impact of a vulnerability could be if exploited.
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel