Certified Information Security Manager (CISM) — Question 121
An organization has implemented a new security control in response to a recently discovered vulnerability. Several employees have voiced concerns that the control disrupts their ability to work. Which of the following is the information security manager's BEST course of action?
Answer options
- A. Evaluate compensating control options.
- B. Educate users about the vulnerability.
- C. Accept the vulnerability.
- D. Report the control risk to senior management.
Correct answer: A
Explanation
The best course of action is to evaluate compensating control options, because this addresses the employees' concerns while maintaining security. Educating users about the vulnerability, while important, does not resolve the disruption caused by the control. Accepting the vulnerability is not a viable option, and reporting the risk to senior management may not provide an immediate solution to the employees' issues.