Exam CISM topic 1 question 933 discussion

The answer should be C. Choice A would have been correct if the question was 'How badly information security requirements are incorporated', choice B- not at all incorporated.

C is the answer, incident may not occur at all for a long time, but the denied number of changes in change control due to lack of security shows the volume of change requests coming in and getting denied.

The question is about how well IS requirements are incorporated, so, for that, denied changes due to insuficient security details. If we wanted to know how bad we are doing, the metric would be A

So the more changes you deny the better? or what is the metric? "A" makes more sense to me.

Agreed with CISSPST.

C. Denied changes due to insufficient security details

C. Denied changes due to insufficient security details. This metric focuses on changes that are denied or rejected specifically because they lack sufficient security details. It indicates that the change management process is actively assessing whether proposed changes adequately address information security requirements. By tracking and monitoring the number of denied changes due to insufficient security details, an organization can gauge the effectiveness of its change management process in ensuring that information security requirements are properly incorporated. If a significant number of changes are being denied or rejected because their security details are insufficient, it suggests that the change management process is effectively considering and enforcing information security requirements. This metric encourages stakeholders to provide the necessary security details when proposing changes, reinforcing the importance of incorporating information security into the change management process.

C. Denied changes due to insufficient security details This metric measures the number of changes that were denied or rejected specifically because they lacked sufficient security details. Monitoring denied changes due to insufficient security details provides a direct indication of the effectiveness of incorporating information security requirements into the change management process. It shows that changes without adequate security considerations are being rejected, indicating a proactive approach to information security.

When security requirements are not incorporated into change management processes, any vulnerabilities introduced during changes may go undetected leading to security incidents. Therefore 'security incidents due to unauthorized changes is the best metric in here.