Certified Information Security Manager (CISM) — Question 650
The information security manager has been notified of a new vulnerability that affects key data processing systems within the organization. Which of the following should be done FIRST?
Answer options
- A. Re-evaluate the risk.
- B. Ask the business owner for the new remediation plan.
- C. Inform senior management.
- D. Implement compensating controls.
Correct answer: A
Explanation
The first step in addressing a new vulnerability is to re-evaluate the risk associated with it: determine whether the affected systems are actually exposed, how likely exploitation is given the controls already in place, and what the potential impact would be. That assessment establishes the severity and the required response before management is informed or controls are implemented. The other options may follow, but they are not the initial priority once a vulnerability has been identified.