Certified Information Security Manager (CISM) — Question 406

A penetration test of a new system has identified a number of critical vulnerabilities, jeopardizing the go-live date. The information security manager is asked by the system owner to approve an exception to allow the system to be implemented without fixing the vulnerabilities. Which of the following is the MOST appropriate course of action?

Answer options

• A. Implement a log monitoring process.
• B. Perform a risk assessment.
• C. Develop a set of compensating controls.
• D. Approve and document the exception.

Correct answer: B

Explanation

The most appropriate action is to perform a risk assessment to evaluate the potential impact of the vulnerabilities on the system's operation and security. This assessment will help inform whether the risks are acceptable or if further actions are necessary. Simply implementing log monitoring, developing compensating controls, or approving the exception without a thorough risk evaluation could lead to significant security issues.