An information security manager has been made aware of a new data protection regulation that will soon go into effect. Which of the following is the BEST way to manage the risk of noncompliance?
A. Perform a gap analysis.
B. Consult with senior management on the best course of action.
C. Implement a program of work to comply with the new legislation.
A gap analysis is a systematic process of evaluating the current state of an organization's data protection measures against the requirements of the new regulation. This allows the information security manager to identify areas where the organization may be noncompliant, assess the potential risk and impact of noncompliance, and develop a plan to address any gaps and achieve compliance.
Performing a gap analysis is the best way to manage the risk of noncompliance because it provides a comprehensive assessment of the organization's current state, helps identify areas of noncompliance and risk, and provides a roadmap for achieving compliance. This, in turn, can help reduce the risk of noncompliance, minimize the potential impact of noncompliance, and ensure that the organization is in compliance with the new regulation.
I don't think A is correct, because a gap analysis assesses your current state vs. the desired state. It shows what measures you need to implement for compliance.
A gap analysis does not show the impact of non-compliance and therefore provides little visibility on the risk.
Therefore, I choose option D - by understanding the cost of non-compliance, the information security manager can evaluate whether further actions are needed (e.g., identifying needed controls via a gap analysis). It may be possible that the costs of non-compliance are very low - therefore non-compliance is also a possible option.
A should be the FIRST thing to do. However, senior management must decide whether to eventually accept the risk of non-compliance.
If SM doesn't accept the risk, then the ISM should implement a program of work to comply with the new legislation.
D isn't an ISM's task.
It's a data protection regulation (i.e. privacy), and non-compliance with privacy requirements can lead to legal consequences. So to me, A and D do not apply here. It seems that the BEST (not FIRST) course of action would be to be compliant in the end (but first A needs to be done to figure out where the company is at and where it needs to be in regards to this regulation).
The question of whether a company selects to be in compliance with a regulation or not is a complex one. If the company calculates that the risk of being caught is low and that the actual fines for non-compliance are lower than how much money they make in a non-compliant state, senior management can easily choose to remain non-compliant and pay the fines. So answer B could easily be correct here.
It's a tough question...
Data protection regulation applies to PII. What if there is no PII for that company?
There is a need for a gap analysis, I believe, or some kind of assessment.
But implementing a legislation without understanding the cost of non-compliance would not be prudent. What if the management finds that the risk of noncompliance is within acceptable limits?
Performing a gap analysis is the BEST way to manage the risk of noncompliance when a new data protection regulation will soon go into effect.
Community vote distribution: A (35%), C (25%), B (20%), Other