Exam CISM topic 1 question 940 discussion

Critical Monitoring process - Compliance Risk - such as SOX - its a financial institute

D- is a guaranteed consequence. All other choices are possible consequences.

Temporary is the key word in the question. If C stated Inability to determine impact I would lean twards D. But since the wording in C aligns with the key wording in the question the best answer for me is C.

Based on experience, the GREATEST concern when modifying operational risk related controls would be the impact on compliance risk (which might or not include the concern for short-term impact). Financial institutions are usually under strict compliance requirements and is a major issue to consider. In such environments change management process is quite strict. Sorry just thought to share my 2 cents of wisdom for those interested.

B. Impact on the risk culture....As a security manager, this would be the greatest concern for me because this could set a tone in the organizational culture where risk is not properly evaluated and key stakeholders are ignored in the process. This would be a huge concern for because it sets an unhealthy tone in the culture of organization which could lead to significant challenges for Information Security in the future.

i still vote ....B. Impact on the risk culture

C. Inability to determine short-term impact. The temporary deactivation of a critical monitoring process due to the acceptance of an operational risk poses a significant concern for the information security manager. In this case, the information security manager may be unable to determine the immediate impact of the situation. Monitoring processes play a crucial role in identifying and responding to security incidents, vulnerabilities, or abnormal activities in a timely manner. By temporarily deactivating a critical monitoring process, the organization may lose visibility into potential security threats, breaches, or risks. This lack of visibility can hinder the ability to detect and respond to security incidents promptly, potentially leading to prolonged security breaches or increased damages.

D. Impact on compliance risk

This is a matter of exception to policy/compliance, not culture. Policy exceptions need to be supported by details of impact and risk, both usually calculated annually, not short-term. The unavailability of info on the short-term impact is the greatest challenge in this case.

Should be C