Certified Information Security Manager (CISM) — Question 38
An information security team plans to increase password complexity requirements for a customer-facing site, but there are concerns it will negatively impact the user experience. Which of the following is the information security manager's BEST course of action?
Answer options
- A. Evaluate business compensating controls.
- B. Quantify the security risk to the business.
- C. Assess business impact against security risk.
- D. Conduct industry benchmarking.
Correct answer: C
Explanation
The best option is to assess the business impact against security risk, because this weighs the effect of stricter password requirements on the user experience against the security benefit they provide, which is exactly the trade-off the business needs to decide. Evaluating compensating controls, quantifying the risk, and conducting industry benchmarking are all useful inputs, but none of them directly addresses the balance between user experience and security requirements.