Certified Information Security Manager (CISM) — Question 62

Which of the following should an information security manager do FIRST to address the risk associated with a new third-party cloud application that will not meet organizational security requirements?

Answer options

• A. Restrict application network access temporarily.
• B. Update the risk register.
• C. Consult with the business owner.
• D. Include security requirements in the contract.

Correct answer: C

Explanation

The correct answer is C because consulting with the business owner is essential to understand the business implications and requirements of the new application. The other options, while important, are secondary steps that can be taken after assessing the business context and obtaining input from the business owner.