Certified Information Security Manager (CISM) — Question 303

Of the following, who should the security manager consult FIRST when determining the severity level of a security incident involving a third-party vendor?

Answer options

• A. Risk manager
• B. Business partners
• C. IT process owners
• D. Business process owners

Correct answer: D

Explanation

The correct answer is D, as business process owners have the most direct knowledge of how the incident impacts their operations and can provide critical insights into the severity. The other options, while relevant, do not have the immediate operational context that business process owners possess regarding the third-party vendor incident.