Exam CISM topic 1 question 85 discussion

Actual exam question from Isaca's CISM
Question #: 85
Topic #: 1

Which of the following is MOST relevant for an information security manager to communicate to the board of directors?

  • A. The level of exposure
  • B. Vulnerability assessments
  • C. The level of inherent risk
  • D. Threat assessments
Suggested Answer: A

Comments

EZPASS
Highly Voted 2 years ago
I believe the answer is A. The board of directors is usually only concerned with how much exposure they (the organization) have to whatever the security risk/threat is.
upvoted 13 times
grandMa
Most Recent 3 weeks, 6 days ago
Selected Answer: C
The board of directors is concerned with RISK. Inherent RISK = key information assets (threats (D) and associated vulnerabilities (A & B) on those assets). That means answer C is the comprehensive report for directors at the top.
upvoted 1 times
DarkMag
1 month ago
I believe A is the correct answer.
upvoted 1 times
alifjouj
2 months, 3 weeks ago
Selected Answer: A
Inherent risk is not what matters. What matters is the residual risk and level of exposure.
upvoted 4 times
usercism007
4 months ago
Selected Answer: C. The board of directors can't understand the level of exposure unless there is an impact. So selecting A does not make any sense to the board of directors. They would be interested to know the inherent risk.
upvoted 1 times
helg420
6 months, 1 week ago
Selected Answer: A
A. The level of exposure. This is because the level of exposure directly impacts the organization's risk profile and can influence strategic decisions. It provides the board with an understanding of the current risk landscape, how exposed the organization is to potential security threats, and the effectiveness of existing controls. Essentially, it encapsulates the potential impact on the organization's operations, finances, and reputation, which are all key concerns for the board. While vulnerability assessments, inherent risk levels, and threat assessments are valuable pieces of information for understanding and managing information security risks, the level of exposure translates these technical assessments into strategic insights, making it most relevant for high-level decision-makers like the board of directors.
upvoted 2 times
afoo1314
8 months ago
Selected Answer: C
If this were CISSP, I would vote for (A) the level of exposure, which mostly discusses the attack surface, errors in code and technical weaknesses. But for CISM, I think (C) the level of inherent risk is more appropriate. Inherent risk refers to the level of risk that exists in an activity, process, or organization without considering any internal controls or risk mitigation efforts. This is something the board of directors wants to know, not technical issues.
upvoted 1 times
oluchecpoint
9 months, 2 weeks ago
Selected Answer: A
While vulnerability assessments (B), the level of inherent risk (C), and threat assessments (D) are important aspects of information security management, they are typically more detailed and technical in nature. Communicating the level of exposure is a higher-level summary that conveys the current state of security and the urgency of addressing any vulnerabilities or risks that may exist. This information helps the board make informed decisions about security priorities and resource allocation.
upvoted 3 times
POWNED
9 months, 3 weeks ago
Selected Answer: A
Exposure = Residual Risk. This is always the senior leaders' top priority. Answer is A.
upvoted 3 times
03allen
6 months, 3 weeks ago
I agree that senior management cares more about the residual risk, but I don't agree that Exposure = Residual. It could be the risk exposure before implementing controls or after.
upvoted 1 times
Viperhunter
12 months ago
Selected Answer: C
Communicating the level of inherent risk provides the board of directors with a clear understanding of the baseline risk associated with the organization's information security posture. Inherent risk represents the level of risk before considering the impact of controls or mitigation measures. This information helps the board assess the overall risk landscape and make informed decisions about risk tolerance, resource allocation, and strategic direction. While exposure (Option A), vulnerability assessments (Option B), and threat assessments (Option D) are important components of risk management, communicating the level of inherent risk gives the board a foundation for understanding the potential impact and likelihood of security-related events before any mitigating actions are taken.
upvoted 1 times
sphenixfire
1 year, 2 months ago
Selected Answer: C
Board of directors: The board is responsible for establishing the tone for risk appetite and risk management in the organization. To the extent that the board of directors establishes business and IT security strategy, so, too, should the board consider risk and security in that strategy. ... so C.
upvoted 1 times
oluchecpoint
1 year, 2 months ago
A. The level of exposure. The level of exposure refers to the extent to which an organization is currently vulnerable to security threats and risks. It provides a real-world assessment of the organization's current security posture and potential vulnerabilities that could be exploited. This information is crucial for the board of directors as it helps them understand the immediate security challenges facing the organization. While vulnerability assessments (B), the level of inherent risk (C), and threat assessments (D) are important aspects of information security management, they are typically more detailed and technical in nature. Communicating the level of exposure is a higher-level summary that conveys the current state of security and the urgency of addressing any vulnerabilities or risks that may exist. This information helps the board make informed decisions about security priorities and resource allocation.
upvoted 2 times
rickcoyw
1 year, 3 months ago
Selected Answer: C
The MOST relevant information for an information security manager to communicate to the board of directors is: C. The level of inherent risk. Communicating the level of inherent risk is crucial for the board to understand the organization's overall risk profile related to information security. Inherent risk refers to the potential risk level an organization faces before any risk mitigation efforts are put in place. By providing this information, the board can gain insight into the critical areas of risk exposure and make informed decisions on allocating resources and implementing appropriate risk management strategies. It sets the foundation for discussions about vulnerability assessments, threat assessments, and other risk mitigation measures in the context of the organization's specific risk landscape.
upvoted 3 times
drewl25
1 year, 4 months ago
Selected Answer: A
When communicating with the board of directors, the most relevant information for an information security manager to convey is the level of exposure. Option A, "The level of exposure," is crucial for the board of directors to understand the organization's risk exposure to potential security incidents and breaches. The information security manager should provide an overview of the organization's current security posture, highlighting any vulnerabilities, threats, or weaknesses that could lead to detrimental impacts on the organization's operations, reputation, or financial standing. While options B, C, and D are important considerations, they are subsets of the overall level of exposure:
upvoted 1 times
Jae_kes
1 year, 5 months ago
Selected Answer: C
C. The level of inherent risk. The board of directors is responsible for overseeing the strategic direction and overall governance of the organization. They need to be aware of the organization's inherent risks, including those related to information security. By communicating the level of inherent risk, the information security manager provides the board with an understanding of the potential impact and likelihood of security incidents or breaches that could affect the organization's objectives and operations.
upvoted 4 times
rugerfan17
1 year, 5 months ago
Selected Answer: C
I believe management wants to know what the inherent risk of the business is and whether it is at an acceptable level. They would consider insurance to mitigate the risk or invest money to lower the risk.
upvoted 2 times
Awkspikey
1 year, 5 months ago
Selected Answer: A
The level of exposure. The board would not care about inherent risk; it is more likely to be concerned with residual risk. But that's not an option. Exposure is the same as residual.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other