Certified Information Security Manager (CISM) — Question 582
Which of the following should an information security manager do FIRST to address complaints that a newly implemented security control has slowed business operations?
Answer options
- A. Conduct user awareness training.
- B. Remove the control and identify alternatives.
- C. Discuss the issue with senior management for direction.
- D. Validate whether the control is operating as intended.
Correct answer: D
Explanation
The correct answer is D because validating whether the control is operating as intended is crucial to understanding its actual impact on business operations. If the control is functioning properly, further investigation may be needed rather than immediate removal or consultation with senior management. Options A, B, and C all act without first confirming that the control is operating as intended.