Certified Information Security Manager (CISM) — Question 248
A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST?
Answer options
- A. Assess the business impact to the organization.
- B. Present the noncompliance risk to senior management.
- C. Investigate alternative options to remediate the noncompliance.
- D. Determine the cost to remediate the noncompliance.
Correct answer: A
Explanation
The first step is to assess the business impact of the noncompliance: what the organization stands to lose from regulatory penalties, loss of operating licences, legal exposure, reputational harm, or a breach of the unencrypted data. That assessment is what lets the risk be sized and prioritized against the cost of remediation. Presenting the risk to senior management (B), investigating alternative remediation options (C), and determining the remediation cost (D) are all necessary, but each depends on knowing the impact first: management cannot make an informed risk-acceptance or funding decision, and the cost of a fix cannot be judged proportionate, until the business impact is understood.