Exam CISM topic 1 question 48 discussion

4-eyes principle for instance...

a Compensating Control: is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time. changing password requirements and resulting in negatively impacting user experience means it is impractical, so the needed is to evaluate compensating controls.

A. The IS team have decided to increase the PSW complexity to mitigate the risk , it means the risk has been identified and the impact to business has been highlighted already . So if the technical mitigation action is not good enough , we have to find its alternative solution such as SSO ....

I think the business impact has already been done which is negatively affecting customers experience. The next step is to identify a compensating control

C but it could also be a ISACA is weird sometimes. on the business end they might look at compensating controls that could make it less impactful on the customer..

The information security manager's BEST course of action is C. Assess business impact against security risk. This approach balances the security risk associated with weak passwords against the potential negative impact on the user experience caused by increased password complexity requirements. By carefully evaluating these factors, the information security manager can make an informed decision that prioritizes both security and usability.

Assessing the business impact against security risk involves weighing the potential security benefits of increased password complexity against the potential negative impact on the user experience. This approach considers both security and usability factors, helping the information security team make informed decisions that strike a balance between security requirements and user satisfaction. While options like evaluating business compensating controls (option A), quantifying the security risk to the business (option B), and conducting industry benchmarking (option D) are valuable activities, assessing business impact against security risk specifically addresses the trade-off between security and user experience, allowing for a more balanced decision-making process.

The thing ISM conduct the assessment then suggest the appropriate solution. ISM SHOULD NOT FOLLOW WHAT USERS LIKES BLINDLY.

C. Assess business impact against security risk. While the other options (A, B, and D) are also important considerations, assessing the business impact against security risk allows the organization to make a well-rounded decision that considers both security and usability concerns, which is crucial for achieving effective and balanced security measures.

Answer is C. The reason I think, it is mention " there are concerns it will negatively impact the user experience". Hence we need to think from business or operational or customer experience perspective.

C is the CISM answer, you are a manager for the exam. A is absolutely a great idea but its not the business answer. get out of the technical analyst mindset for this exam to pass.

"plans to increase.." would require impact analysis

"A" - Compensating control i.e. MFA, SSO, etc

C. Assess business impact against security risk.

C is the answer. It's the same as saying take a "risk based approach".

C, clearly :)

C. You should always look at the impact to the business when determining what to do next.