Certified Information Security Manager (CISM) — Question 410
Which of the following is the BEST approach for governing noncompliance with security requirements?
Answer options
- A. Require users to acknowledge the acceptable use policy
- B. Base mandatory review and exception approvals on residual risk
- C. Require the steering committee to review exception requests
- D. Base mandatory review and exception approvals on inherent risk
Correct answer: B
Explanation
The correct answer, B, bases mandatory review and exception approvals on residual risk, the risk that remains after existing controls are applied, so that decisions about exceptions reflect the actual exposure the organization is accepting. Options A and C focus on user acknowledgment and committee review, respectively; neither addresses the core issue of managing the risk created by noncompliance. Option D incorrectly prioritizes inherent risk, which ignores the effectiveness of the controls already in place.