Certified Information Security Manager (CISM) — Question 728
An information security team has discovered that users are sharing a login account to an application with sensitive information, in violation of the access policy. Business management indicates that the practice creates operational efficiencies. What is the information security manager’s BEST course of action?
Answer options
- A. Present the risk to senior management.
- B. Modify the policy.
- C. Create an exception for the deviation.
- D. Enforce the policy.
Correct answer: A
Explanation
The best action is to present the risk to senior management because they need to understand the security implications of shared accounts before deciding whether the operational efficiency justifies them; a shared login removes individual accountability, since activity on the account cannot be attributed to a specific user in audit logs. Modifying the policy or creating an exception would undermine the control without a risk-based decision, and enforcing the policy without management's support may lead to resistance or non-compliance.