Certified Information Security Manager (CISM) — Question 751
An information security manager believes that information has been classified inappropriately, increasing the risk of a breach. Which of the following is the information security manager's BEST action?
Answer options
- A. Re-classify the data and increase the security level to meet business risk
- B. Complete a risk assessment and refer the results to the data owners
- C. Instruct the relevant system owners to reclassify the data
- D. Refer the issue to internal audit for a recommendation
Correct answer: B
Explanation
The best action is to complete a risk assessment and refer the results to the data owners, because it establishes the actual risk before any change is made and leaves the classification decision with the data owners, who are accountable for it. Re-classifying the data without such an assessment (A) may overlook critical factors and bypasses the owners' authority; instructing system owners to reclassify (C) directs the wrong party, since classification is the data owner's decision rather than the system owner's; and referring the issue to internal audit (D) may not address the immediate need for a risk evaluation.