An information security manager is concerned with continued security policy violations in a particular business unit despite recent efforts to rectify the situation. What is the BEST course of action?
A. Review the business unit’s function against the policy
B. Revise the policy to accommodate the business unit
C. Report the business unit for policy noncompliance
But how do we know that "despite recent efforts to rectify the situation" actually means that the infosec manager has already reviewed the policy and checked it against the business unit's function? It could easily mean that he/she just told them "hey guys, you're violating the policy, you have to do it like this", but they just couldn't, since the policy isn't aligned/written well enough.
Escalation is a drastic course of action and should be avoided whenever possible.
The norm for all employees is not to violate the company's policies, but if that ever happens, there must be some reason behind it.
"Recent efforts to rectify the situation" does not tell much about the severity of the situation.
The sentence is kind of exaggerated.
For the sake of a peaceful world, before starting the war, the ISM should review first.
C is correct.
“Continued violations despite efforts to rectify”. That to me is time to escalate the issue. There’s only so long you can have people going against the policy put in place to protect the business before things need to be escalated both for your sake, and the business’.
A. Review the business unit's function against the policy: It's essential to first understand why the policy violations are occurring. Conduct a thorough review of the business unit's operations, processes, and specific challenges that may be causing the violations. Identify any gaps or conflicts between the policy and the business unit's needs or objectives.
The best course of action for the information security manager to address continued security policy violations in a business unit is to review the unit's business function against the policy requirements.
There may be a valid gap between the policy and actual business needs that requires reconciliation. The goal should be to understand the root causes driving the violations.
Revising the policy immediately to accommodate the unit undermines policy integrity and consistency. Reporting noncompliance and enforcing sanctions will not address the underlying issue.
Reviewing the specific business processes and use cases against the policy provides insights on whether the violations stem from outdated policy requirements that need updating, lack of security control effectiveness, or a business need for risk acceptance. This enables the most appropriate rectification.
To escalate will only cause issues in the organisation and make security a target. By reviewing the business unit's function against the security policy you are working with them, not against them, and so have a better chance of success.
A. Review the business unit's function against the policy.
By reviewing the business unit's function against the security policy, the information security manager can assess whether the policy is aligned with the specific needs and requirements of the business unit. This review helps identify any potential gaps or conflicts between the policy and the operational realities of the unit. It allows for a better understanding of why the policy violations are occurring and provides an opportunity to address any underlying issues.
The BEST course of action for an information security manager concerned with continued security policy violations in a particular business unit despite recent efforts to rectify the situation is to review the business unit’s function against the policy.
C is the right one. We already tried to do all we can do... now it's time for escalation.