An information security manager has observed multiple exceptions for a number of different security controls. Which of the following should be the information security manager's FIRST course of action?
A. Prioritize the risk and implement treatment options
B. Report the noncompliance to the board of directors
C. Inform respective risk owners of the impact of exceptions
C
The information security manager's FIRST course of action should be to inform the respective risk owners of the impact of the exceptions. Risk owners are accountable for the risks that the affected controls address, so they need to know when exceptions to those controls exist and what exposure results, in order to take appropriate action. Once informed, the risk owners can prioritize the risk and implement treatment options, design mitigating controls for the exceptions, and escalate the noncompliance to the board of directors where warranted. Informing the risk owners is therefore the first step in addressing the issue.
Answer is C: effective risk management starts with communication and ownership, so as to ensure the right people understand the risks. In that way, informed decisions can be taken.
Correct me if I'm wrong, but wouldn't the risk owners already be aware of the risk before accepting it, and hence an exception is in place? I would vote D.
This step is critical as it directly addresses the issue. By prioritizing the risks, the manager can identify which exceptions pose the greatest threat to the organization and address them first. Notifying respective risk owners is an important step, but it's not the first action to take. The immediate concern should be to mitigate the risks.
C. Inform respective risk owners of the impact of exceptions
Before taking any further steps, it is important to notify the individuals or teams responsible for the risks associated with these exceptions. This helps ensure that all relevant stakeholders are aware of the issues and their potential impact on the organization's security posture. Once the risk owners are informed, you can then proceed to prioritize the risks (option A) and work with them to implement treatment options, and if necessary, design mitigating controls (option D). Reporting to the board of directors (option B) is typically done after the initial assessment and communication with the risk owners.
I don't like C for this but can't say it's not right. Part of the risk acceptance process would be to make sure the risk owner knows the impact of the exceptions. So why would you do this AGAIN? I think that D, design mitigating controls..., is the better answer, but not by much.
Community vote distribution: A (35%), C (25%), B (20%), Other (20%)