Which of the following should an information security manager do FIRST upon learning that some security hardening settings may negatively impact future business activity?
By informing business management of the risk, the information security manager can initiate discussions and collaboration to assess the potential impact on business activities and make informed decisions on how to proceed. After informing business management, a more detailed risk assessment can be conducted, and appropriate actions such as documenting security exceptions or adjusting settings can be taken based on the outcomes of the risk assessment.
C. Perform a risk assessment.
Performing a risk assessment is crucial to understand the potential risks and their impact on the business before making any decisions. This assessment will help in evaluating the specific risks associated with reducing security hardening settings and provide a basis for informed decision-making. After conducting a risk assessment, the information security manager can then proceed to the appropriate next steps, which may include documenting a security exception (Option A), informing business management of the risk (Option D), and potentially considering adjustments to security settings (Option B) if it is deemed necessary and justifiable based on the risk assessment findings.
When the information security manager becomes aware that security hardening settings may have adverse effects on future business activities, it is essential to communicate this information promptly to business management. By informing business management of the risk, they can assess the potential impact on business operations, evaluate the trade-offs between security and business needs, and make informed decisions about how to proceed.
D. From what I understand, security hardening settings were taken after risk assessment by ISM. So next step will be to inform business mgmt of risk. Not sure if I am correct though.
I think so too. Security hardening should respond to the need to mitigate risks. Therefore it is reasonable to think that the assessment has already been carried out.
By conducting a risk assessment, the information security manager can evaluate the potential risks associated with the security hardening settings and assess their potential impact on business activities. This assessment will help in identifying the likelihood and potential consequences of the risks and prioritize them accordingly.
Once the risk assessment is completed, the information security manager can then inform business management of the identified risks and involve them in the decision-making process to determine the appropriate course of action, which may include documenting a security exception, adjusting the security hardening settings, or finding alternative solutions that mitigate the risks while considering business requirements.
From the ISACA CISM exam perspective, the MOST appropriate first step an information security manager should take upon learning that some security hardening settings may negatively impact future business activity is option C: Perform a risk assessment.
Performing a risk assessment involves evaluating the potential impact and likelihood of risks associated with the security hardening settings. By conducting a risk assessment, the information security manager can gather the necessary information to make informed decisions about balancing security requirements with business needs. This step allows for a systematic analysis of the risks involved, considering factors such as the likelihood of occurrence, potential impact, and the organization's risk appetite.
This is not "ISACA CISM exam perspective" you clown! This is ChatGPT/Google Bard perspective and you are spreading misinformation. Just because you don't know your stuff and hope that you can cheat your way to CISM cert via AI doesn't mean that you have to do a disservice to everyone else here.