Exam CISM topic 1 question 84 discussion

Actual exam question from Isaca's CISM
Question #: 84
Topic #: 1
An information security manager has been informed of a new vulnerability in an online banking application, and a patch to resolve this issue is expected to be released in the next 72 hours. Which of the following should the information security manager do FIRST?

  • A. Implement mitigating controls.
  • B. Perform a business impact analysis (BIA).
  • C. Perform a risk assessment.
  • D. Notify senior management.
Suggested Answer: C

Comments

k4d4v4r
Highly Voted 2 years, 2 months ago
Selected Answer: C
I also think it's C
upvoted 9 times
...
grandMa
Most Recent 3 weeks, 6 days ago
The InfoSec Manager's organization might not be in the banking sector. What he/she is informed of can be taken as a vulnerability (zero day). Without a risk assessment, the InfoSec Manager cannot be sure of the impact on the company/organization he/she is responsible for. What if all the systems are not connected to the internet?
upvoted 1 times
...
ntgc
1 month, 1 week ago
Selected Answer: A
Since it is a financial institution, measures are necessary to mitigate any potential impact. I don't think there is enough time to do anything other than first take immediate steps to reduce the effect.
upvoted 1 times
...
ntgc
1 month, 1 week ago
A. I'm afraid I have to disagree with C because the most immediate step is to take mitigating measures before conducting an impact assessment.
upvoted 1 times
...
Josef4CISM
2 months, 1 week ago
I selected A, because doing a proper BIA or a risk assessment can take longer than 72 hours. You will need to find the right people to align with the business on the potential impact and discuss compensating controls with IT. This can be time consuming, and before you are done, the patch will already be released. Why not do cost-effective mitigating controls first and wait for the patch?
upvoted 3 times
...
Eltooth
5 months, 1 week ago
Selected Answer: C
C is the correct answer - a risk assessment leads to understanding how much risk is associated with the vulnerability and whether it warrants mitigation, acceptance, transference or avoidance. Then the next steps would be decided.
upvoted 1 times
...
helg420
6 months, 1 week ago
Selected Answer: C
C. Perform a risk assessment. After the risk assessment, the information security manager will have the necessary information to determine if immediate mitigating controls are needed to temporarily protect against the vulnerability until the patch is released, whether a business impact analysis (BIA) should be conducted to understand the broader implications of the vulnerability, or if the situation warrants immediate notification of senior management due to its potential impact on the organization.
upvoted 2 times
...
Marcelus1714
8 months, 2 weeks ago
Selected Answer: C
I guess first you need to evaluate the risks that this new vulnerability is generating... then you implement controls, but only later, once it is clear that you have to implement them because the risk level demands it...
upvoted 2 times
...
AlexJacobson
10 months ago
Selected Answer: C
Interesting how most of the people "enter panic mode" and go for mitigation instead of taking a step back to figure out what the actual risk is. How can you possibly mitigate it properly (let alone cost-effectively) if you don't know how big the actual risk is and haven't done a BIA? Also, keep in mind that the question doesn't specify whether the infosec manager is working for the company/bank whose application is vulnerable.
upvoted 2 times
...
Cyberbug2021
12 months ago
Selected Answer: A
Take that back. Here's a breakdown of the steps to take:
  • Implement temporary compensating controls: Prioritize immediate actions to reduce the risk of exploitation while the patch is not yet available.
  • Conduct a BIA: Assess the potential impact of the vulnerability on critical business processes and data assets.
  • Conduct a risk assessment: Evaluate the likelihood and severity of the risk posed by the vulnerability.
  • Develop a mitigation plan: Based on the BIA and risk assessment, develop a plan to address the vulnerability in the long term.
  • Deploy the patch: Once the patch is available, deploy it to all affected systems.
  • Verify patch installation: Validate that the patch has been successfully installed on all systems.
  • Monitor for ongoing threats: Continuously monitor for new vulnerabilities and threats that could exploit the patched system.
upvoted 2 times
...
Cyberbug2021
12 months ago
Selected Answer: B
The order of business impact analysis (BIA) and risk assessment depends on the specific organization and its risk management framework. However, there is a general consensus that the BIA should be conducted first.
upvoted 1 times
...
FenixOid
12 months ago
I think answer A is correct. We can add an IPS rule while waiting for a patch.
upvoted 1 times
...
Perseus_68
1 year, 1 month ago
Selected Answer: A
Online banking application. This is high risk, has a high likelihood of being attacked, and has a vulnerability; risk assessment done. A BIA takes time. Need to implement compensating controls.
upvoted 1 times
...
sphenixfire
1 year, 2 months ago
Selected Answer: A
Sure, only A. Just need to straddle the 72h. No need for management info or risk assessment. First things first: close the gap. The risk wasn't identified before, so go to the exit point of the situation.
upvoted 1 times
...
oluchecpoint
1 year, 2 months ago
Performing a risk assessment is crucial to understand the potential impact and likelihood of the vulnerability being exploited during the 72-hour window before the patch is available. This assessment will help the manager make informed decisions about whether to implement mitigating controls (A), notify senior management (D), and prioritize actions based on the level of risk associated with the vulnerability. A risk assessment will consider factors such as the criticality of the system, the sensitivity of the data, the existing security controls, and the potential consequences of the vulnerability being exploited. It will help determine if immediate mitigating controls are necessary or if other actions should be taken to reduce the risk while waiting for the patch.
upvoted 3 times
oluchecpoint
1 year, 2 months ago
C. Perform a risk assessment.
upvoted 1 times
...
...
odus1
1 year, 3 months ago
If you choose Option A, I guess I will ask: how do you know the value of the threat, and whether the cost of the mitigating control measures is not more than the value or impact of the threat, without an RA? What gave you the assurance that you can't transfer or ignore the threat if it is not significant, with an RA?
upvoted 1 times
...
todush
1 year, 3 months ago
The best response is C. Indeed, unless the online banking application is critical and the risk linked to the vulnerability is unacceptable, there is no need for any mitigating control.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other