Certified Information Security Manager (CISM) — Question 105

Management has expressed concerns to the information security manager that shadow IT may be a risk to the organization. What is the FIRST step the information security manager should take?

Answer options

• A. Block the end user's ability to use shadow IT
• B. Update the security policy to address shadow IT
• C. Determine the value of shadow IT projects
• D. Determine the extent of shadow IT usage

Correct answer: D

Explanation

The correct answer is D, as determining the extent of shadow IT usage is essential for understanding the scope of the risk before taking any further actions. Blocking usage or updating policies without this knowledge could lead to ineffective measures. Similarly, assessing the value of shadow IT projects (option C) is premature without first understanding how widespread the usage is.