Certified Information Security Manager (CISM) — Question 82

Which of the following should an information security manager do FIRST when a legacy application is not compliant with a regulatory requirement, but the business unit does not have the budget for remediation?

Answer options

• A. Develop a business case for funding remediation efforts.
• B. Advise senior management to accept the risk of noncompliance.
• C. Notify legal and internal audit of the noncompliant legacy application.
• D. Assess the consequences of noncompliance against the cost of remediation.

Correct answer: D

Explanation

The correct answer is D because assessing the consequences of noncompliance against the cost of remediation allows for an informed decision on how to proceed. Option A, while important, should come after understanding the implications. Option B does not address the need for immediate action or assessment, and Option C, while necessary, does not prioritize evaluating the risk versus cost.