Certified Information Security Manager (CISM) — Question 518
During a security assessment, an information security manager finds a number of security patches were not installed on a server hosting a critical business application. The application owner did not approve the patch installation to avoid interrupting the application. Which of the following should be the information security manager's FIRST course of action?
Answer options
- A. Report the risk to the information security steering committee.
- B. Determine mitigation options with IT management.
- C. Communicate the potential impact to the application owner.
- D. Escalate the risk to senior management.
Correct answer: C
Explanation
The correct answer is C because the information security manager must first ensure that the application owner understands the potential impact of leaving the patches uninstalled. Options A, B, and D may become appropriate later, but the first step is to communicate directly with the application owner, address their concerns about interruption, and explain why patching matters.