Certified Information Security Manager (CISM) — Question 521
An organization is close to going live with the implementation of a cloud-based application. Independent penetration test results have been received that show a high-rated vulnerability. Which of the following would be the BEST way to proceed?
Answer options
- A. Postpone the implementation until the vulnerability has been fixed.
- B. Commission further penetration tests to validate initial test results.
- C. Assess whether the vulnerability is within the organization's risk tolerance levels.
- D. Implement the application and request the cloud service provider to fix the vulnerability.
Correct answer: C
Explanation
C is the best option because it has the organization weigh the severity of the vulnerability against its risk tolerance and risk management strategy before deciding how to proceed. Option A is not necessarily appropriate, since postponing may delay operations unnecessarily when the risk could be acceptable or mitigated; option B could add cost without addressing the core issue, as the independent results already identify a high-rated vulnerability; option D would be irresponsible, as it relies on the provider to fix the issue without first assessing the risk to the organization.