Which of the following should be the PRIMARY driver for selecting and implementing appropriate controls to address the risk associated with weak user passwords?
It's always people, people, people. If the people choose to use weak passwords then it's a risk; culture eats strategy for breakfast. If you use a technical control to force, then they will end up writing down the complex password on a sticky note and sticking it to the monitor. People should be trained to select a strong password and manage it appropriately.
From CISM Review Manual:
"3.8.1 Managing Risk Through Controls
Controls can be physical, technical or administrative. The choice of controls must be based on a number of considerations including ensuring their effectiveness, their cost or potential restriction to business activities, and their optimal form of control."
A. The organization's risk tolerance.
Risk tolerance is a critical factor in determining the appropriate controls for managing security risks, including those related to weak user passwords. The level of risk that an organization is willing to accept or tolerate will guide decisions about the strength and rigor of controls needed to mitigate the risk effectively. It involves assessing the potential impact of password-related vulnerabilities and aligning control measures accordingly. While other factors like the organization's culture, cost considerations, and direction from senior management are important, they should all be influenced by the organization's risk tolerance when making decisions about password security controls.
A: Access control has to primarily align with the organization's risk tolerance. Organization culture may influence the choice of technology, but it cannot be at the expense of strategic risk tolerance.
The PRIMARY driver for selecting and implementing appropriate controls to address the risk associated with weak user passwords should be A) The organization's risk tolerance. The organization's risk tolerance will help to determine the level of risk the organization is willing to accept and what controls are appropriate to manage the risk of weak user passwords. Factors such as the potential impact of a password breach, the likelihood of such a breach occurring, and the value of the assets protected by passwords will be considered in determining the appropriate controls.
The level of risk that an organization is willing to accept should guide the selection and implementation of controls to mitigate the risk of weak user passwords.
The PRIMARY driver for selecting and implementing appropriate controls to address the risk associated with weak user passwords should be the organization's risk tolerance. Risk tolerance is the level of risk that an organization is willing to accept or tolerate, and it guides the selection of controls that are appropriate for managing the identified risks.
A would be the answer for me personally, because the tolerance would dictate the appropriate options available to the business before then looking at the cost of mitigating controls. If no options available meet budget then the budget or risk tolerance needs to change either way...