Certified Information Security Manager (CISM) — Question 391
Regular vulnerability scanning on an organization's internal network has identified that many user workstations have unpatched versions of software. What is the BEST way for the information security manager to help senior management understand the related risk?
Answer options
- A. Include the impact of the risk as part of regular metrics.
- B. Send regular notifications directly to senior managers.
- C. Recommend the security steering committee conduct a review.
- D. Update the risk assessment at regular intervals.
Correct answer: A
Explanation
Including the impact of the risk in regular metrics allows senior management to see the significance of unpatched software in a quantifiable manner, aiding in decision-making. Sending notifications may not convey the full context or importance, while recommending a review could delay understanding. Updating the risk assessment is useful, but without metrics, it may not effectively highlight the immediate risks to senior management.