Certified Information Security Manager (CISM) — Question 1243

An information security manager has been informed of a new vulnerability in an online banking application, and a patch to resolve this issue is expected to be released in the next 72 hours. Which of the following should the information security manager do FIRST?

Answer options

• A. Implement mitigating controls.
• B. Perform a business impact analysis (BIA).
• C. Perform a risk assessment.
• D. Notify senior management.

Correct answer: C

Explanation

The first step is to perform a risk assessment to understand the potential impact of the vulnerability before any other actions are taken. Implementing mitigating controls and conducting a BIA or notifying senior management can follow, but without understanding the risks, those steps may not be effective.