Certified Information Security Manager (CISM) — Question 431

An information security manager is concerned with continued security policy violations in a particular business unit despite recent efforts to rectify the situation. What is the BEST course of action?

Answer options

• A. Review the business unit’s function against the policy
• B. Revise the policy to accommodate the business unit
• C. Report the business unit for policy noncompliance
• D. Enforce sanctions on the business unit

Correct answer: A

Explanation

The correct answer is A because reviewing the business unit’s function against the policy can help identify specific areas of noncompliance and address the root cause of violations. Revising the policy (B) could undermine security standards, while reporting (C) and enforcing sanctions (D) may not resolve the underlying issues, potentially leading to further violations.