Which of the following should be an information security manager's PRIMARY focus during the development of a critical system storing highly confidential data?
A. Ensuring the amount of residual risk is acceptable
B. Reducing the number of vulnerabilities detected
Answer should be A. A lot of people are saying D. Complying with regulatory requirements is also important, but it should not be the primary focus. Regulatory requirements provide a minimum level of security that must be met, but they do not necessarily ensure that the system is adequately protected. The focus should be on managing risk, rather than simply complying with regulations.
The primary focus of an information security manager during the development of a critical system storing highly confidential data should be to ensure that the amount of residual risk is acceptable. Residual risk is the level of risk that remains after security controls have been implemented. It is important to ensure that this residual risk is at an acceptable level, given the sensitivity of the data being stored.
While all the options are important considerations, ensuring the amount of residual risk is acceptable is the primary concern. Residual risk is the level of risk that remains after security controls and measures have been implemented. In the context of a critical system storing highly confidential data, it is crucial to assess the effectiveness of security controls and ensure that the remaining risk is at an acceptable level. This involves considering the specific risks associated with the system, the sensitivity of the data, and the potential impact of security incidents. Complying with regulatory requirements (option D) is also important, but it is often addressed as part of the broader risk management process.
It's a tough one... :/ I would lean towards A, though, because focusing solely on compliance might lead to a checkbox approach, where meeting the minimum requirements doesn't guarantee robust protection for highly sensitive data. Therefore, ensuring an acceptable level of residual risk is paramount because compliance doesn't cover all risks - regulations may not account for all potential threats or vulnerabilities specific to a particular system or data type.
The amount of acceptable residual risk varies from company to company; companies have different security postures. Therefore, an organisation might accept a level of risk that could negatively impact the regulations. D is the answer.
Option D, "Complying with regulatory requirements," is a critical aspect of managing the security of a system that stores highly confidential data. However, it is considered a baseline requirement, not the primary focus. Compliance ensures that the system meets legal and regulatory standards, but it does not necessarily mean that the data is secure to the level the organization might require. The primary focus is on managing risk to an acceptable level (Option A), which encompasses compliance as one of its components.
Complying with regulatory requirements (option D) is also important, but it is not the primary focus during the development of the system. Compliance with regulations is typically addressed as part of the overall risk management process, which includes assessing and mitigating risks to ensure compliance.
A. Ensuring the amount of residual risk is acceptable
ISACA's Focus: ISACA's frameworks often stress the importance of identifying, assessing, and managing risks to ensure they are within the organization's risk tolerance. This entails implementing controls to mitigate risks to an acceptable level.
Primary Focus: This aligns closely with ISACA's emphasis on risk management and governance, making it the most likely primary focus according to ISACA principles.
D. Once you are keeping highly sensitive information, the criticality cannot be decided by a company; it may be judged at a higher level (e.g., law). It makes less sense for a company to decide whether they think the risk is acceptable or not.
The answer is D simply because when developing a system storing private and confidential data you will need to be in compliance with data and privacy laws and regulations.
The best choice of answer is B. The primary reason for an information security manager is to reduce the number of vulnerabilities to make sure the data is secure.
Residual risk comes after putting the right controls in place for a specific risk; since it's "developing", that means there is no applicability yet for residual risk. D is the most logical answer.