A business unit handles sensitive personally identifiable information (PII), which presents a significant financial liability to the organization should a breach occur. Which of the following is the BEST way to mitigate the risk to the organization?
A. Implementing audit logging on systems
B. Including indemnification into customer contracts
Option D (Purchasing insurance) can help mitigate the financial impact of a data breach. This insurance typically covers costs associated with breach response, legal fees, and potentially some liability.
When you answer these questions you have to keep in mind you are answering from the material that ISACA gives you:
avoid, mitigate, transfer or accept. These terms may vary by framework, or even include another option (e.g., sharing), but the sentiment is the same: We can choose to avoid a thing, thereby bypassing the risk altogether; we can implement some controls to mitigate that thing, thereby lessening the impact of the risk; we can employ risk transfer to help limit damages, perhaps by employing insurance to limit loss exposure; or we can do none of those things, forge ahead and accept the consequences.
This comes straight from ISACA https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2021/volume-6/not-all-risk-treatment-options-are-the-same
With this in mind, the best answer for the question is A.
The question is asking about a mitigation action, not what controls are to be used. The scenario here is about what is the best (MITIGATION ACTION) if in future the organisation is breached. Transferring the risk is the best way, and it can be done by purchasing insurance.
WRONG
Here are 10 common risk mitigation strategies.
Risk acceptance. Risk acceptance acknowledges a risk and accepts its potential consequences without taking further actions to mitigate or eliminate it. ...
Risk avoidance. ...
Risk transfer. ... purchasing an insurance policy to cover the costs of a data breach
Risk sharing. ...
Risk buffering. ...
Risk strategizing. ...
Risk testing. ...
Risk quantification.
Implementing audit logging on systems is the best way to mitigate the risk to the organization in this scenario. Audit logging allows for monitoring and tracking of all activities and access to sensitive personally identifiable information (PII). It provides a detailed record of who accessed the information, when, and what actions were taken. This helps in identifying any potential breaches or unauthorized access to the PII, allowing for prompt response and investigation. By implementing audit logging, the organization can enhance its security measures and proactively detect and prevent any breaches, reducing the financial liability associated with a potential data breach.
A. Implementing audit logging on systems - It helps in detection and investigation but does not prevent breaches from occurring. The breaches need to be detected first; many companies would like to avoid paying for insurance.
NOTE: None of these answers can mitigate. Option D (Purchasing insurance) can help mitigate the financial impact of a data breach. This insurance typically covers costs associated with breach response, legal fees, and potentially some liability.
There are a few questions like this, as everyone points out:
D is transference, not mitigation, so logically it can't be the answer. However, my issue is that it is the BEST way to lower the risk.
C & D are about risk transfer.
A is not a risk mitigation; it promotes accountability, but it doesn't reduce the risk.
B is the only mitigation action.
The risk being identified here is the financial liability. The question is not asking for a control to prevent the risk but to mitigate the risk if and when it occurs.
Since this is a financial risk an appropriate control would be Risk transfer, which in this case is Insurance.
The correct answer is (D) Purchasing insurance, as this effectively transfers the cost to the insurer.
Rationale:
A. While Implementing audit logging on systems will help with IR, it does not address the financial liabilities that an organization may face in a breach.
B. Including indemnification into customer contracts may solve some of the organization's liability by shifting some of that liability to the customers, but it doesn't protect them against all financial liabilities related to the incident like an insurance policy would.
C. Contracting the process to a third party may outsource the responsibility, but not the accountability, and with that accountability comes the exposure to the liabilities. (i.e. still exposed to financial risk because you can't outsource accountability)
We are talking about risk mitigation, not risk transfer. Correct answer A.
Mitigate: The organization chooses to mitigate the risk. This takes the form of some action that serves to reduce the probability of a risk event or reduce the impact of a risk event. The actual steps taken may include business process changes, configuration changes, the enactment of a new control, or staff training.
• Transfer: The practice of transferring risk is typically achieved through an insurance policy, although other forms are
Gregory, Peter H. CISM Certified Information Security Manager Bundle (p. 186). McGraw Hill LLC. Kindle Edition.