Certified Information Security Manager (CISM) — Question 776

An information security manager finds that a soon-to-be deployed online application will increase risk beyond acceptable levels, and necessary controls have not been included. Which of the following is the BEST course of action for the information security manager?

Answer options

• A. Recommend a different application.
• B. Instruct IT to deploy controls based on urgent business needs.
• C. Solicit bids for compensating control products.
• D. Present a business case for additional controls to senior management.

Correct answer: D

Explanation

The best action is to present a business case for additional controls to senior management, as this approach seeks to address the identified risks through proper justification and resource allocation. Simply recommending a different application or instructing IT to implement controls may not adequately mitigate the risks, and soliciting bids for compensating controls does not directly address the immediate concerns.