Exam CISM topic 1 question 259 discussion

A. Evaluate compensating control options. Explanation: Compensating controls are security measures or countermeasures that are put in place to mitigate the risk of a vulnerability when the primary control measure may disrupt normal operations. In this case, if employees are experiencing disruptions due to the new security control, it's essential to assess whether there are alternative or compensating controls that can provide the necessary security without causing significant disruptions. The goal of this action is to balance security needs with operational requirements. It demonstrates a proactive approach to addressing security concerns while minimizing the impact on employees' ability to work.

The best course of action for the information security manager is to A. Evaluate compensating control options.

If the current control is too disruptive, you look for alternative controls

No point reporting to SM if you dont have a solution first (compensating control) Hence A.

D is the one most likely to be the best option

You evaluate compensating controls before taking it up to senior management, if they ask if there is any other solution, you can't show the back of your hands.

When you report the control risk to senior management, they will ask what is your option or suggestion. As an IS manager, it is your task to evaluate the option, then present to senior management.

the BEST way is A... if you do D what? you report it and that's it? nothing more?

Correct answer is D

Option D Same question is in CISM QAE

Concerns are raised by employees and not business unit management thus it would be appropriate to bring the conflict to senior management who are in a better position to assess the concerns vs risk and then decide the best course of action whether to enforce the control or evaluate for compensating control or something else.

Refer to the question 217 of the V10 CISM Manual under Domain 3 Answer is D

Senior management can then evaluate the significance of the concerns raised by employees in the context of the organization's overall security objectives, operational requirements, and risk appetite. They can consider the potential disruptions caused by the control and determine whether any adjustments or compensating measures are necessary.

A. Evaluate compensating control options.

The correct answer is (A): (A) This is the correct way to handle this as it helps the user and keeps the vulnerabiltiy at bay (B) Educating the user doesn't change the fact that it disrupts their work (C) If a control was implemented before, then you can tell it was unacceptable to accept the vulnerability (D) Management should already be aware of the risk, so this can't be it.

Why not A?

B is correct