Which of the following should an information security manager do FIRST upon notification of a potential security risk associated with a third-party service provider?
D - While communication with the third-party provider is crucial, it’s not the initial step. Risk analysis should precede escalation. It’s essential to assess the risk. A risk analysis helps evaluate the impact, likelihood, and severity of the potential risk. It informs subsequent actions and decisions.
I'd say it's C. The keyword here being "potential" so the first thing you do is validate what happened and whether it even happened. After that you can decide what to do next.
Then again, if you are notified about the risk associated with a third-party provider (i.e. discovered the risk of relying on their services), then risk analysis is indeed the first thing you should do (B).
Honestly, I'm not 100% sure what the question is asking... :/
Booict
11 months, 3 weeks ago
AlexJacobson
1 year, 5 months ago
AlexJacobson
1 year, 5 months ago
richck102
1 year, 7 months ago