Certified Information Security Manager (CISM) — Question 198

Which of the following should an information security manager do FIRST upon learning that some security hardening settings may negatively impact future business activity?

Answer options

• A. Document a security exception.
• B. Reduce security hardening settings.
• C. Perform a risk assessment.
• D. Inform business management of the risk.

Correct answer: C

Explanation

The correct answer is C, as performing a risk assessment is crucial to understand the implications of the security hardening settings on business activities. Documenting an exception or reducing settings without a proper assessment could lead to increased vulnerabilities or compliance issues. Informing management is also important, but it should come after assessing the risks to provide informed guidance.