Certified Chief Information Security Officer (CCISO) — Question 164
A Chief Information Security Officer received a list of high, medium, and low impact audit findings.
Which of the following represents the BEST course of action?
Answer options
- A. If the findings do not impact regulatory compliance, remediate only the high and medium risk findings.
- B. If the findings do not impact regulatory compliance, review current security controls.
- C. If the findings impact regulatory compliance, try to apply remediation that will address the most findings for the least cost.
- D. If the findings impact regulatory compliance, remediate the high findings as quickly as possible.
Correct answer: D
Explanation
The correct answer is D because when regulatory compliance is at stake, prioritizing the remediation of high-impact findings ensures that the organization first addresses the most critical risks, the ones most likely to lead to compliance violations. Options A and B do not prioritize high findings in the context of compliance, while option C optimizes for cost rather than urgency, which may not effectively mitigate the risks that matter most.