Certified Information Security Manager (CISM) — Question 359

While classifying information assets, an information security manager notices that several production databases do not have owners assigned to them. What the information security manager address this situation?

Answer options

• A. Assign the highest classification level to those databases.
• B. Assign responsibility to the database administrator (DBA).
• C. Prepare a report of the databases for senior management.
• D. Review the databases for sensitive content.

Correct answer: C

Explanation

Preparing a report for senior management is crucial to ensure visibility and accountability for the unowned databases, which aligns with governance practices. Assigning the highest classification level may not address the ownership issue, while assigning responsibility to the DBA does not involve management oversight. Reviewing the databases for sensitive content is important but does not resolve the lack of ownership.