Certified Information Security Manager (CISM) — Question 227
Which of the following should be the PRIMARY driver for selecting and implementing appropriate controls to address the risk associated with weak user passwords?
Answer options
- A. The organization's risk tolerance
- B. The organization's culture
- C. The cost of risk mitigation controls
- D. Direction from senior management
Correct answer: A
Explanation
The correct answer is A, as an organization's risk tolerance directly influences how it prioritizes and implements security controls. While culture, cost, and management direction are important, they should align with the organization's risk appetite to effectively address vulnerabilities like weak passwords.