Exam CISM topic 1 question 543 discussion

Agreed. Inform affected stakeholders first incase implementing mitigating actions affects operation of their systems.

Answer is D: because when dealing with a critical business system, speed and containment are essential to minimize potential damage, even if the breach is not fully confirmed yet. This aligns with the CISM principle of taking swift, risk-based action to protect the organization while confirming and escalating appropriately afterward.

Before informing stakeholders or implementing mitigation actions, you should check whether there actually is a problem. To carry out this verification, you should inform the IT manager. IMO answer is C

A. Update the incident response plan. While it might be tempting to jump to implementing mitigating actions immediately (Option D), it is crucial to follow a structured and well-defined incident response process. Updating the incident response plan is a critical step because it ensures that the organization is well-prepared to handle the specific nature of the breach. This includes identifying the scope of the incident, assessing the impact, determining the appropriate response actions, and coordinating communication with stakeholders.

POTENTIAL, need to confirm it is a breach before rolling into remediation.

It is a 'potential' breach - not confirmed that it is actually a breach. Inform the stakeholder first. Immediate mitigation (D) is important but it should be carried out as part of a coordinated effort once stakeholders, including IT management and security teams, are informed and engaged. Ideally there should be an option to check and validate if the breach has actually happened or not.

As an information security manager, the best course of action when a potential business breach is discovered in a critical business system would be to implement mitigating actions immediately. Option D is the correct answer. Taking immediate action to contain and mitigate the breach can help prevent further damage or loss of data. This includes isolating affected systems, patching vulnerabilities, and conducting a thorough investigation. Once the situation is under control, it is also important to update the incident response plan (option A), inform affected stakeholders (option B), and inform IT management (option C). However, the first priority should be to take immediate action to limit the impact of the breach.

Option B

I misread and didn't realise at this stage it is only a potential issue. I think it's a shit question because: Why tell stakeholders when there isn't definitely an issue? Why begin mitigation efforts if there may not be an issue? You wouldn't do either.

I'm surprised to see that there is no confirmatory option and so I would go for D. The most important thing you can get started with now is containing any.

why would you tell the stakeholders? what are they going to do??? the BEST course of action for an information security manager when a potential business breach is discovered in a critical business system is to implement mitigating actions immediately, aligning with the Incident Management domain. Immediate action is necessary to protect critical systems, prevent escalation, and minimize the impact of the breach.

B. Is the correct answer. Think like a manager .

B. Inform affected stakeholders.

Option D

D. Implement mitigating actions immediately.

The best course of action is to take immediate and appropriate steps to contain and mitigate the damage and to preserve evidence for further investigation.