Certified Information Security Manager (CISM) — Question 33
A penetration test was conducted by an accredited third party. Which of the following should be the information security manager's FIRST course of action?
Answer options
- A. Request funding needed to resolve the top vulnerabilities.
- B. Ensure a risk assessment is performed to evaluate the findings.
- C. Report findings to senior management.
- D. Ensure vulnerabilities found are resolved within acceptable timeframes.
Correct answer: B
Explanation
The correct answer is B because a risk assessment is needed to understand the business impact of the findings and to prioritize remediation. Options A, C, and D all depend on that evaluation having been done first: funding requests, reporting to senior management, and remediation timeframes should be driven by the assessed risk, so none of them is the first course of action.