Certified Information Security Manager (CISM) — Question 1159
A high-risk issue is discovered during an information security risk assessment of a legacy application. The business is unwilling to allocate the resources to remediate the issue. Which of the following would be the information security manager’s BEST course of action?
Answer options
- A. Document risk acceptance from the business.
- B. Recommend discontinuing the use of the legacy application.
- C. Design alternative compensating controls to reduce the risk.
- D. Present the worst-case scenario related to the risk.
Correct answer: C
Explanation
The best action for the information security manager is to design alternative compensating controls to reduce the risk, because this manages the risk without requiring the additional resources the business has declined to allocate. Documenting risk acceptance (A) records the decision but does not reduce the risk; recommending discontinuation of the application (B) may not be feasible for the business; and presenting the worst-case scenario (D) may not prompt action unless it is paired with a proactive solution.