Certified Information Security Manager (CISM) — Question 810
A CISO learns that a third-party service provider did not notify the organization of a data breach that affected the service provider's data center. Which of the following should the CISO do FIRST?
Answer options
- A. Determine the extent of the impact to the organization.
- B. Request an independent review of the provider's data center.
- C. Notify affected customers of the data breach.
- D. Recommend canceling the outsourcing contract.
Correct answer: A
Explanation
The correct first step is to determine the extent of the impact to the organization: without knowing which data, systems and obligations are affected, the CISO has no basis for deciding what to do next. Requesting an independent review of the provider, notifying affected customers, or recommending cancellation of the outsourcing contract are all possible follow-on actions, but each depends on the impact first being clearly understood.