Exam CISM topic 1 question 438 discussion

Actual exam question from Isaca's CISM
Question #: 438
Topic #: 1
A critical vulnerability is found on a server hosting multiple applications owned by different business units. One of the business units finds its hosted application will not function with the patch applied and chooses to accept the risk. Which of the following should be the information security manager's NEXT course of action?

  • A. Update the risk register
  • B. Develop a business case for compensating controls
  • C. Update the information security policy
  • D. Consult the incident management process
Suggested Answer: A

Comments

Broesweelies
Highly Voted 1 year, 7 months ago
Selected Answer: A
A. Update the risk register. The information security manager's next course of action should be to update the risk register. The risk register is a document that is used to identify, assess, and prioritize risks to the organization.
upvoted 10 times
[Removed]
Highly Voted 1 year ago
Selected Answer: B
The CISM (Certified Information Security Manager) Review Manual, 27th Edition, supports this viewpoint by stating: "When a risk can't be mitigated directly, such as when a necessary patch can't be applied, compensating controls should be considered. The information security manager is responsible for developing a business case to implement these controls, which can provide an equivalent level of security."
upvoted 9 times
SilverFox
10 months, 1 week ago
Fake answer from fake book
upvoted 4 times
Manix
7 months, 1 week ago
This is from the CISA Review Manual.
upvoted 1 times
HN2025
Most Recent 1 month ago
Selected Answer: A
The primary and immediate next action should indeed be to update the risk register (Option A) to document the acceptance of the risk by the business owner. This action ensures transparency and accountability for the decision made. Once the risk has been documented, the next step would be to develop a business case for compensating controls (Option B) to address the potential impact of the vulnerability with alternative measures.
upvoted 2 times
Josef4CISM
1 month, 3 weeks ago
Selected Answer: A
The question asks for the NEXT course of action. Since the risk was accepted already, the security manager needs to update the risk register as a NEXT course of action. Again, the risk was formally accepted already. AFTER updating the risk register, the security manager is highly advised to develop a business case for compensating controls.
upvoted 2 times
realmjmj
2 months, 2 weeks ago
Selected Answer: B
It's B. When a critical vulnerability is found and may affect other BUs on this shared server, a compensating control is most required.
upvoted 2 times
d7a2ba6
2 months, 2 weeks ago
Agree. One BU cannot accept the risk for another. If the risk for the other BU is over the risk appetite of the whole company, then what?
upvoted 1 times
yottabyte
5 months, 1 week ago
Selected Answer: A
Perform A first before doing B.
upvoted 1 times
POWNED
8 months ago
Selected Answer: A
A decision has been made, time to update the risk register.
upvoted 2 times
Soleandheel
9 months, 1 week ago
A. Update the risk register first before taking any other action. After updating the risk register it will then make sense to proceed on to B. Develop a business case for compensating controls.
upvoted 4 times
Agamennore
1 year ago
Selected Answer: B
"When a risk can't be mitigated directly, such as when a necessary patch can't be applied, compensating controls should be considered. The information security manager is responsible for developing a business case to implement these controls, which can provide an equivalent level of security."
upvoted 1 times
Hugo1717
1 year ago
Selected Answer: B
B. Develop a business case for compensating controls: This is the correct answer. When a risk is accepted due to operational requirements, the organization needs to identify and implement alternative controls that can mitigate the risk without negatively impacting the business process. Developing a business case that outlines the compensating controls, their effectiveness, and their cost will help make an informed decision.
upvoted 2 times
richck102
1 year, 2 months ago
A. Update the risk register
upvoted 1 times
wello
1 year, 2 months ago
Selected Answer: B
Since one of the business units has identified that their application will not function with the patch applied and has chosen to accept the risk, the information security manager should work with that business unit to identify and implement compensating controls that mitigate the risk posed by the vulnerability. The purpose of the compensating controls is to provide an alternative means of reducing the risk to an acceptable level while addressing the functional requirements of the business unit's application. Once the compensating controls have been identified and implemented, the information security manager should then update the risk register to reflect the acceptance of the risk and document the compensating controls that have been put in place. This ensures that the risk is appropriately tracked and managed, and the risk register accurately reflects the organization's risk landscape.
upvoted 4 times
dark_3k03r
1 year, 4 months ago
Selected Answer: A
The correct answer is (A) Update the risk register. This is so the decision that has been made by one of the owners can be documented and the rest of the business units can have transparency into what has occurred. From here on out, (A) serves as the foundation for the rest of the answers. Rationale: (B) Developing a business case for compensating controls should be done after the entry has been made in the risk register; otherwise, the reason for the compensating controls will be lost to history. (C) Updating the information security policy is not a scalable solution, as policies shouldn't change often, and if every exception prompts a policy change, then the policy will collapse under its own weight. (D) Consulting the incident management process doesn't apply, since it's not an incident yet.
upvoted 5 times
ccKane
1 year, 6 months ago
Selected Answer: D
The incident management process will help the information security manager determine the appropriate actions to take, including any necessary compensating controls or other measures to mitigate the risk. The risk register should also be updated to reflect the new risk profile resulting from the vulnerability, but this should not be the next course of action since addressing the vulnerability and its potential impact is more important in the short-term. Updating the information security policy may be necessary in the longer-term, but it is not the immediate next step.
upvoted 2 times
CarlLimps
1 year, 5 months ago
Uh no. ccKane, your comments are just wrong. It's A. Update that risk register.
upvoted 2 times
MyKasala
1 year, 7 months ago
Selected Answer: B
I think B
upvoted 2 times
aokisan
1 year, 8 months ago
Selected Answer: A
After choosing to accept the risk, update the register.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other