"Vulnerability management is the process of systematically and continuously finding weaknesses in an entity's security procedures, systems or networks and taking corrective action. The ultimate goal of vulnerability management is to keep risk at or below the organization's risk tolerance level." - CISM Review Manual, 15th Edition, 2019, page 286.
Vuln is a weakness. To effectively manage weakness, you need proactive controls. Although vuln is an important factor to reduce risks, there are also multiple other ways to ensure risks are within an acceptable level; you can simply avoid or even transfer the risk, which is not relevant to vuln management.
D cannot be right, since risk is a function of a threat and a vulnerability. The question is talking about a vulnerability management program. Vulnerabilities can be effectively managed by quickly identifying vulnerabilities, having reliable sources of patches, having a thorough test and patch process. All these measures can be summarized as proactively managing controls - therefore option C is right.
D. Risks are managed within acceptable limits.
An effective vulnerability management program is primarily aimed at identifying, classifying, remediating, and mitigating vulnerabilities to maintain risk at acceptable levels. While reporting security incidents in a timely manner (A), accurately identifying threats (B), and managing controls proactively (C) are important components of a comprehensive security program, the best indicator of an effective vulnerability management program specifically is that risks are consistently managed within acceptable limits (D). This implies that vulnerabilities are being handled in a way that minimizes the potential for exploitation and keeps the security posture of the organization within its risk tolerance threshold.
D. We could not patch all systems even if we would like to actively manage them, especially for legacy systems where we could do nothing to avoid compatibility problems with applications installed.
C. Controls are managed proactively.
While all the options are important aspects of a comprehensive security program, proactively managing controls is at the core of effective vulnerability management.
Going with D. The ultimate goal is to reduce risk to an acceptable level. Hence, effective management of vulnerabilities (implementation of controls) would be greatly indicative of risk reduction to acceptable levels. Option C is just a tool for this objective.
Option D, "Risks are managed within acceptable limits," is a general statement that applies to overall risk management, including vulnerability management. While managing risks within acceptable limits is an important objective of any security program, it does not specifically indicate the effectiveness of a vulnerability management program.
An effective vulnerability management program focuses specifically on identifying, prioritizing, and mitigating vulnerabilities in systems, applications, and networks. It involves activities such as vulnerability scanning, patch management, and vulnerability remediation. By actively managing vulnerabilities, organizations can reduce the likelihood of exploitation and potential impact from security incidents. So the answer would be Option C
D. Risks are managed within acceptable limits.
or
C. Controls are managed proactively.