Exam CISM topic 1 question 183 discussion

B. Determine the classification level of the information The information security manager's first course of action should be to determine the classification level of the information that has been shared via the external cloud storage service. Understanding the sensitivity and classification of the information involved is crucial to assess the potential risk and impact of the policy violation. This assessment will guide subsequent steps and decisions, including whether to involve higher management, to block access to the service, or to seek a business justification from the employee. By prioritizing the identification of the information's classification level, the information security manager can ensure that the response is proportional to the level of risk posed by the unauthorized sharing.

B is the first choice of action

B..Determine the classification then you have to assess the risk then you can do policy assessment that may learn to blocking the website, user training or disciplinary actions.. You can't contain the incident since the security manager is part of the risk department and not the IT administration team in most cases.

If you block the cloud storage provider, then the user will seek for alternative cloud storage provider. Plus that cloud storage might be a services use by other customer sending information to the company. 1st need to determine the classification of the data then only decide if escalation or justification require.

First containment

Understand the data classification then take the appropriate action

stop sharing sensitive information

This is an incident first thing that needs to be done is contain it. That is always the first response to an incident. A

B. While blocking access to the cloud storage service (A) and seeking business justification from the employee (C) are important actions to consider, they should come after the initial assessment of the data's classification to ensure that the response is proportionate to the sensitivity of the information. Informing higher management of a security breach (D) may not be necessary at this stage if it is not yet clear whether a breach has occurred; the situation should be assessed first.

Page 71, Section: "Information Asset Classification and Protection" It states: "When a violation of policy is detected, it is important to first understand the business reason for the action before taking punitive measures. It may be that the employee was trying to meet a business need in the best way they knew how, or they may not have been aware of the policy."

B: He may be sharing public sharable Marketing documents; hence need to classify the information first before taking further actions.

B. Determine the classification level of the information

The question already stated the employee has violated the company policy, the first course of action is stop bleeding.

b. need to know how data is classified to know if it is important

The information security manager's first course of action should be B. Determine the classification level of the information. This is important as it will help understand the nature of the data that has been shared, and the level of risk associated with it. This information will be used to determine the extent of the damage and the appropriate course of action. Additionally, it will allow the security manager to identify any other data that may have been shared and take the necessary steps to prevent further data leakage. Once the security manager has determined the classification level of the information, they can then take appropriate action such as seeking business justification, blocking access to the cloud service, and informing higher management of a security breach if necessary.

it's clearly against the policy. So need to announce to higher position.