C. Require the steering committee to review exception requests
The best approach for governing noncompliance with security requirements is to require the steering committee to review exception requests. The steering committee typically consists of senior executives who have the authority to set strategic direction and allocate resources for risk management initiatives. By involving the steering committee in the review of exception requests, the organization ensures that decisions regarding noncompliance are made at a high level of governance, taking into account strategic objectives, risk tolerance, and potential impacts on the organization. While options A, B, and D may also play a role in governing noncompliance, involving the steering committee provides the highest level of oversight and ensures alignment with organizational priorities.
B. Base mandatory review and exception approvals on residual risk.
Residual risk is the risk that remains after security controls have been implemented. It takes into account the effectiveness of existing controls and provides a more accurate representation of the actual risk an organization faces.
Simply requiring users to acknowledge the acceptable use policy (option A) may help establish awareness of security requirements, but it does not directly address noncompliance or the associated risks. Requiring the steering committee to review exception requests (option C) may introduce delays in the decision-making process, which could impact operational efficiency. Basing mandatory review and exception approvals on inherent risk (option D) does not take into account the effectiveness of implemented controls or the actual level of risk present in the organization.
By considering residual risk, the organization can prioritize its efforts, allocate resources effectively, and focus on addressing noncompliance with security requirements in a manner that aligns with its risk management strategy.
B. Base mandatory review and exception approvals on residual risk.
When it comes to noncompliance with security requirements, it is important to assess the associated risks and determine the appropriate course of action. By basing mandatory review and exception approvals on residual risk, organizations can make informed decisions regarding noncompliance.
The BEST approach for governing noncompliance with security requirements is to base mandatory review and exception approvals on residual risk.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other
Pichon, 2 months, 3 weeks ago
REHAMAZZAM, 10 months ago
oluchecpoint, 1 year, 2 months ago
richck102, 1 year, 5 months ago
wello, 1 year, 5 months ago
mad68, 1 year, 6 months ago
meelaan, 1 year, 7 months ago
Souvik124, 1 year, 9 months ago