Certified Information Security Manager (CISM) — Question 143
A newly appointed information security manager of a retailer with multiple stores discovers an HVAC (heating, ventilation, and air conditioning) vendor has remote access to the stores to enable real-time monitoring and equipment diagnostics. Which of the following should be the information security manager's FIRST course of action?
Answer options
- A. Disconnect the real-time access.
- B. Conduct a penetration test of the vendor.
- C. Review the vendor contract.
- D. Review the vendor's technical security controls.
Correct answer: C
Explanation
The first step should be to review the vendor contract to understand the agreed terms for remote access and the vendor's security obligations. Disconnecting the access or testing the vendor before that review could cause unnecessary operational disruption to the stores or put the retailer in breach of its own contractual commitments. Reviewing the vendor's technical security controls is also necessary, but it follows once the contractual framework is understood.