Certified Chief Information Security Officer (CCISO) — Question 117
A business unit within your organization intends to deploy a new technology in a manner that places it in violation of existing information security standards.
What immediate action should the information security manager take?
Answer options
- A. Enforce the existing security standards and do not allow the deployment of the new technology.
- B. If the risks associated with that technology are not already identified, perform a risk analysis to quantify the risk, and allow the business unit to proceed based on the identified risk level.
- C. Amend the standard to permit the deployment.
- D. Permit a 90-day window to see if an issue occurs and then amend the standard if there are no issues.
Correct answer: B
Explanation
The correct answer is B. Security standards exist to keep risk within the organization's appetite, not as ends in themselves. A deployment that deviates from a standard therefore has to be evaluated on its actual risk: if the risk of the new technology has not yet been identified, the information security manager performs a risk analysis, quantifies the exposure, and lets the business unit proceed (or not) based on the resulting risk level, typically with any residual risk formally accepted by the business owner and documented as an approved exception. Option A is wrong because refusing the deployment outright treats the standard as absolute and blocks the business without first determining whether the deviation actually creates unacceptable risk; the security manager's role is to inform and advise on risk, not to veto business decisions unilaterally. Option C is wrong because changing the standard to fit a single deployment before the risk is understood weakens the control for the entire organization. Option D is wrong because a 90-day trial substitutes the absence of observed incidents for an actual risk assessment, leaves unquantified risk in production during the window, and then makes a permanent change to the standard on the basis of that weak evidence.