Which of the following should an information security manager do FIRST when a legacy application is not compliant with a regulatory requirement, but the business unit does not have the budget for remediation?
A. Develop a business case for funding remediation efforts.
B. Advise senior management to accept the risk of noncompliance.
C. Notify legal and internal audit of the noncompliant legacy application.
D. Assess the consequences of noncompliance against the cost of remediation.
An information security manager should assess the consequences of noncompliance against the cost of remediation first when a legacy application is not compliant with a regulatory requirement but the business unit does not have the budget for remediation. This allows the manager to fully understand the potential risks and consequences of noncompliance, and to make an informed decision about the best course of action.
By comparing the cost of remediation with the potential consequences of noncompliance, the manager can determine the level of risk that the organization is willing to accept and make a case for funding or alternative measures to address the compliance issue. This information can also be used to prioritize future remediation efforts based on the level of risk and the urgency of the issue.
In any case, it is important for the information security manager to keep senior management informed about the noncompliance issue and to work with them to develop a plan to address the issue and ensure compliance with relevant regulations.
Think in terms of a large corporation. You don't bother busy people until you have the information they need to make an informed decision. Assess the consequences of noncompliance and the cost to remediate. Then provide that information to senior management to make a decision. Based on your assessment, they may decide to prioritize this mitigation over other risks and redistribute budget resources or they may decide to accept the risk.
It's important to conduct a thorough assessment to understand the potential risks and consequences of noncompliance with the regulatory requirement. This assessment should include evaluating the impact on the organization's reputation, potential legal consequences, and any other risks associated with noncompliance. Comparing this against the cost of remediation will help inform decision-making and guide the organization in determining the most appropriate course of action. Developing a business case (option A) and advising senior management to accept the risk (option B) may come later in the process, once a comprehensive understanding of the situation has been established.
It appears to me that for a budget for remediation to be mentioned, risk analysis has already been done. Remediation is a risk control, i.e. risk mitigation. By this stage, the consequences should already have been understood. The next step should be for management to either accept the risk or find the budget.
Finding the budget has already been done, so accepting the risk is the next logical step.
Correct Answer is D. Assess the consequences of noncompliance against the cost of remediation. Try not to over analyze these questions. They are pretty straight forward for the most part. When you over-analyze you get yourself confused and end up picking the wrong answer.
The answer is D.
Yes, the security manager needs to get other stakeholders informed, but what is he to tell them? Assessing the risk of noncompliance versus the cost of remediation gets him intelligent data to give both the legal team and management guidance in their decision-making.
This is a debatable one for sure. The security manager should definitely assess the risk/consequence of the noncompliance (either qualitatively or quantitatively) vs. the cost of remediation and usually present it to the board for a decision. However, it may seem to be due diligence and good practice to let the legal/contracts team know first that a noncompliance exists which is being worked on.
The correct answer is (A) Develop a business case for funding remediation efforts. The primary reason for this is that you need to look at the keywords "business unit" and "does not have the budget". This is not to say the company doesn't have the budget. It is stating that a part of the company doesn't have the money. So the business unit needs to create the logic and buy-in to get that funding and that is exactly what a business case is designed to do.
Rationale:
(B) Accepting non-compliance is not an acceptable answer as the fines will get bigger as a repeat offender until the survivability of the company is at risk. If that doesn't do it, reputational damage will. If worst comes to worst criminal charges are always a possibility and no one ever wants to go to jail. So option B is a terrible idea.
(C) Lawyers aren't going to give you the budget and if an audit is doing its thing they'll spot this issue on their own. Don't complicate things, just build the business case to fix it.
(D) Look at option B as to why this is never going to be an acceptable option.
The answer has to be C. Notify legal and internal audit of the noncompliant legacy application. After this the risks can be considered and business cases put together.
What is the correct answer? This site is useless for CISM!
As for the comment about the site ... memorizing the answers shouldn't be your goal. Your goal should be to find your weak spots and go study for them. This site simply gives you realistic-looking questions to help you identify those gaps. Having the right answers is just a bonus.
The best part of this site is just checking the back-and-forth discussions. That is where the true nuggets are.
If the internal audit team is doing their job, then they will find this on their own (periodic audit or after a major change). There is no need for you to tell them. Instead, you should focus on getting the budget to fix the problem by telling the business you need the money for your section of the business (i.e. business unit) using a business case.
Choice A is correct; assessing the impact of a noncompliance and the cost of remediation are part of a business case to justify financial funds for remediation.