A Chief Information Security Officer received a list of high, medium, and low impact audit findings. Which of the following represents the BEST course of action?
A. If the findings do not impact regulatory compliance, remediate only the high and medium risk findings.
B. If the findings do not impact regulatory compliance, review current security controls.
C. If the findings impact regulatory compliance, try to apply remediation that will address the most findings for the least cost.
D. If the findings impact regulatory compliance, remediate the high findings as quickly as possible.
As a Chief Information Security Officer (CISO), the best course of action is to prioritize risk remediation based on compliance, impact, and cost-effectiveness. If the audit findings impact regulatory compliance, the organization must address them to avoid legal, financial, and reputational consequences.
A risk-based approach means:
- Prioritizing remediation to meet compliance requirements.
- Optimizing resources by implementing solutions that address multiple findings at once.
- Ensuring cost-effective security improvements that align with business objectives.
By applying remediation strategies that cover multiple findings efficiently, the CISO ensures regulatory compliance, risk reduction, and resource optimization.
This aligns with NIST Risk Management Framework (RMF) and ISO 27001 Annex A.12 (Security Operations), which emphasize cost-effective risk mitigation while ensuring compliance.
Community vote distribution: A (35%), C (25%), B (20%), Other
ME79, 1 month, 4 weeks ago