An information security manager has identified the organization is not in compliance with new legislation that will soon be in effect. Which of the following is MOST important to consider when determining additional controls to be implemented?
C. Why? Because the risk appetite (B) tells you how much food you can stuff in your mouth at any given time...yet the COST of NC (C) tells you how big the meal is. If you don't know how big the meal is, you won't be able to know if you can tolerate it.
The key word in the question is legislation. Legislation is a broad law that sets a framework whereas regulations are detailed laws that explain how you must comply with the regulations. Therefore, the question is not asking about the cost of noncompliance. Easy to get caught up in the thought of implementation of new controls and cost if you didn't notice the keyword (legislation vs regulation).
C. The question is asking what to consider when determining additional controls to be 'implemented'. At the implementation stage, you decide whether it's worth it or not. If the question was about 'staying compliant' or not, then 'B' would have been appropriate.
Considering the cost of noncompliance seems the MOST important to consider when determining additional controls to address the noncompliance. For example, the cost of noncompliance could be high due to industry compliance regulations EVEN IF the organization has high levels of risk acceptance. This is how I see this; I hope it helps the community.
If the cost of noncompliance is high and exceeds the organisation's risk tolerance, then addressing noncompliance is essential, so knowing the risk appetite is the most important thing to consider.
B. The organization's risk appetite
While all the options mentioned are important considerations, the organization's risk appetite is crucial because it helps to strike a balance between compliance and the overall risk tolerance of the organization. The level of risk the organization is willing to accept should guide decisions about which controls to implement. Compliance is important, but it should align with the organization's risk management strategy. Implementing controls that are overly costly or restrictive without considering the organization's risk tolerance can lead to inefficiencies or disruptions that may not be acceptable to the organization.
When determining additional controls to be implemented due to noncompliance with new legislation, the most important consideration is the organization's risk appetite. The risk appetite defines the level of risk that the organization is willing to accept in pursuit of its business objectives, and this will guide the decision-making process regarding which controls to implement. The information security strategy, information security policy, and cost of noncompliance are also important considerations, but they should be evaluated in the context of the organization's risk appetite.