Answer D is correct: By monitoring the threat landscape, the security manager is able to assess the applicability of threats. If he sees a threat as applicable, he may assess whether there is any vulnerability that results in a risk.
Referring to a best practice framework can help, but it's likely that many controls from the best practice framework are not needed, since there is no applicable use case.
Best answer here is D. It's always scary seeing training involved in a question. At that point you have to dive into the meat of the question to address every word in the question.
Oh man, don't you just LOVE all those random chatgpt/bard/copilot answers being plastered all over the discussion sections... This sht is killing the site value!...
Anyway, I think it's D. You're monitoring what's going on in the wild lands and based on that you figure out the risks and adjust controls where necessary (maintaining an "appropriate security controls environment").
An industry security framework such as NIST-CSF would help maintain an 'appropriate' security controls environment. All other answers are addressed in a security framework.
All of the options listed - periodic employee security training, budgetary support for security, alignment to an industry security framework, and monitoring of the threat landscape - can contribute to maintaining an appropriate security control environment. However, if we have to choose the option that best enables an organization to maintain an appropriate security control environment, it would likely be:
C. Alignment to an industry security framework.
Alignment to an industry security framework provides a structured and comprehensive approach to establishing and maintaining security controls. Industry security frameworks, such as ISO 27001, NIST Cybersecurity Framework, or CIS Controls, offer guidelines, best practices, and standards that organizations can follow to establish effective security controls.
C. Alignment to an industry security framework
Alignment to an industry security framework provides a structured and comprehensive approach to security controls. It helps organizations establish a strong foundation for security by following best practices and standards specific to their industry. This approach ensures that the organization is addressing known security risks and vulnerabilities effectively.
Josef4CISM (1 month, 1 week ago)
shootnot (3 months, 2 weeks ago)
yottabyte (5 months, 1 week ago)
POWNED (7 months ago)
AlexJacobson (7 months ago)
SHERLOCKAWS (8 months, 3 weeks ago)
Soleandheel (9 months, 1 week ago)
Cyberbug2021 (9 months, 1 week ago)
Bl1024 (9 months, 2 weeks ago)
koala_lay (10 months, 2 weeks ago)
richck102 (11 months ago)
wickhaarry (11 months, 1 week ago)
oluchecpoint (11 months, 3 weeks ago)