Exam CISM topic 1 question 195 discussion

You want to understand your risk before you implement anything. D before C.

C is jumping right to the solution already - therefore its wrong. You need to understand the risk first and than act on it.

C. This proactive approach involves establishing a standardized set of access control policies and procedures that will be applied consistently across both the parent company and the newly acquired company.

The correct answer is C. Implement consistent access control standards. By implementing consistent access control standards, the organization ensures that access rights are aligned and harmonized across both companies. This approach helps prevent conflicts and discrepancies in access permissions that could lead to information exposure. It also establishes a clear framework for managing access and ensures that access rights are granted based on defined roles, responsibilities, and business needs. Why its not D: Performing a risk assessment of access rights is valuable, but it should be coupled with the implementation of standardized access control practices to effectively mitigate the risk of exposure due to conflicting access rights.

verify the risk, them act on it.

Security manager is not sure whether the different access controls will cause a problem. We need to assess risk first to determine the problems and the fix it.

C. implement consistent access control standards.

The question is simple. How do we " BEST " address the concern. Risk assessment is what you do first to see where the problems are but to address them you will implement access controls. So C is the answer

Assess the risk first.

The question does not state what to do FIRST, but how to BEST address the concern. So, in this case some consistent approach regarding access rights should be taken.

at first, need to asset risk.

Would you not risk asses first?