Exam CISM topic 1 question 152 discussion

By updating the roles and responsibilities of the incident response team, the information security manager can clarify the expected actions and procedures that align with business objectives. This ensures that the team members understand their authorized actions and limitations during incident response, reducing the risk of unapproved actions that could impact business objectives.

C Looking at it from both sides, Senior management could be wrong and does not fully understand IRT's roles and responsiblity. Updating Roles and Responsiblities address both sides. Key word for me is "Concerned" , that is not a direct statement of actions taken, just worried of what might have happened. This can be do to senior managements lack of knowledge in regard to the IRTs role and responsiblities. This of course Clarifies things for the IRT if it is needed. I see training as more a subset as it is kind of expected to be trained for your roles and responsiblity if you are lacking in that area.

This is one of several questions where I dont agree with the "correct" answer. Will reference this in the ISACA study guide. I cant help but consider this theory vs reality. If that is the case I will have to follow the theory, but most of us know that Knowing your role does not always equate to knowing how to do your job. I selected B, Train the inceident responce team .....

B. Train the incident response team on escalation procedures. If senior management is concerned that the incident response team took unapproved actions during an incident response, this indicates a possible lack of understanding or adherence to established escalation procedures. The best way to address this issue is to ensure that all members of the incident response team are adequately trained on escalation procedures. This training would emphasize when and how to escalate incidents within the organizational structure, ensuring that actions taken align with business objectives and that senior management is involved in decision-making when appropriate. This approach addresses the root cause of the concern by reinforcing the importance of following established protocols during an incident, thereby mitigating the risk of taking unapproved actions that could jeopardize business objectives. Updating roles and responsibilities (Option A) might help clarify expectations, but these actions do not directly address the issue of the team taking unapproved actions due to possibly inadequate knowledge or adherence to escalation procedures.

CISM Review Manual edition 16. pg. 263. "Management support- For example, the inability to respond to an incident due to existing silos within the enterprise, untrained team members due to underfunding, insufficient budget allocation to allow for effective and efficient response, ........" I guess IRT know what their roles but often untrained.

If the team does not have clear their roles and responsabilities... then a training will be a bit useless, the trainings would be a failure. I guess is A.

Option B

Key word here in the question is unapproved. The incident team went outside the scope of their roles and responsibilities so training needs to be done. I would agree the answer would be A if the question did not involve "unapproved".

A. By reviewing and refining the roles and responsibilities, you can clarify the team's authorized actions, decision-making processes, and escalation procedures. This ensures that all team members understand their roles and the boundaries within which they should operate during an incident. It also helps prevent unauthorized actions that could potentially put business objectives at risk.

Update roles and responsibilities of the incident response team. as issue likely lies with the team's understanding of their roles and responsibilities. By updating the roles and responsibilities of the incident response team, the information security manager can clarify what actions are approved and align their activities with the organization's overall business objectives.

update roles and responsibilities.

B. Train the incident response team on escalation procedures.

The BEST way for the information security manager to respond to the situation where senior management is concerned about unapproved actions taken by the incident response team is to update roles and responsibilities of the incident response team. This will ensure that the team has a clear understanding of their responsibilities and authority, as well as the expectations and limitations of their actions. By doing so, the incident response team will be better equipped to perform their duties within the defined guidelines, policies, and procedures, thereby reducing the risk of putting business objectives at risk.

Because of unapproved actions --> need training on escalation process.

not clear if roles and responsabilities will change effectively, training might me the answer (B)

unapproved action should be escalated properly.

C is the appropriate answer in my opinion