Certified Information Security Manager (CISM) — Question 400

An information security manager has observed multiple exceptions for a number of different security controls. Which of the following should be the information security manager's FIRST course of action?

Answer options

• A. Prioritize the risk and implement treatment options
• B. Report the noncompliance to the board of directors
• C. Inform respective risk owners of the impact of exceptions
• D. Design mitigating controls tor the exceptions

Correct answer: C

Explanation

The correct answer is C because informing the respective risk owners allows them to understand the implications of the exceptions and take necessary actions. Prioritizing risks and implementing treatment options (A) and designing mitigating controls (D) may come later, while reporting to the board (B) is premature without first addressing the issues with the risk owners.