Certified Information Security Manager (CISM) — Question 1102
An information security team plans to strengthen authentication requirements for a customer-facing site, but there are concerns it will negatively impact the user experience. Which of the following is the information security manager's BEST course of action?
Answer options
- A. Refer to industry best practices.
- B. Quantify the security risk to the business.
- C. Provide security awareness training to customers.
- D. Assess business impact against security risk.
Correct answer: D
Explanation
The best approach is to assess the business impact against the security risk, because that lets the manager weigh the trade-off between stronger authentication and the user experience and make an informed, risk-based decision. Referring to industry best practices or quantifying the security risk alone does not directly address the user experience concern. Providing security awareness training may improve customer understanding but does not resolve the immediate authentication design question.