Changes have been proposed to a large organization's enterprise resource planning (ERP) system that would violate existing security standards. Which of the following should be done FIRST to address this conflict?
By calculating the business impact levels, the organization can assess the potential consequences and risks associated with the proposed changes. This includes considering the impact on data integrity, confidentiality, availability, compliance, and overall business operations.
Once the business impact levels have been determined, the organization can then make informed decisions regarding the acceptance, mitigation, or modification of the proposed changes in order to align with the existing security standards and minimize any adverse effects.
Why does nobody choose A? A cost-benefit analysis includes the cost involved in a policy violation (and not only the financial costs of the change). BUSINESS IMPACT = COST.
A cost benefit analysis also includes the benefits of compliance.
By comparing the cost and benefit, the security manager will be able to make informed decisions.
I'm split between B and C, primarily since the question states that "changes will violate existing standards" implying that validation of current standards (C) already happened (since they know existing standards will be violated).
So I'm inclined to go with B, but I'm really not sure here. I feel the question is too vague and a bit unfair.
I was initially inclined towards B, impact calculation. However, noticing that the responses were evenly divided between B and C, I consulted ChatGPT. I found its explanation compelling.
Existing standards must be validated periodically or during important changes in business & operational environments. If the existing standards are valid & relevant, then the changes should be rejected or further evaluated for impact etc. If the standards are not valid, they should be updated.
On a side note:
As a regular visitor of this forum, I notice that sometimes the exam topics responses are incorrect. Sometimes the 'most voted' response is also incorrect. Having used ChatGPT the past couple of days, I have found that it can make mistakes too. When in doubt, consult multiple sources. I always try to verify with ISACA material, and of course give it priority over the others, even if I am not always convinced.
While ChatGPT might sound correct, it most often picks the wrong answers. Since the last update I am able to use ChatGPT Pro, insert the CISM class book as reference material, and the bot will answer the questions strictly on the CISM material. Depending on how it goes, I will update questions with conflicting answers.
C: Validate current standards as the first step to address the conflict. It is crucial to ensure that the existing security standards are up to date and aligned with the organization's requirements. This involves reviewing the current standards, policies, and procedures to assess their effectiveness and identify any gaps or areas of improvement. By validating the current standards, the organization can determine if the proposed changes to the ERP system are in compliance with the existing security standards or if adjustments need to be made. This step will help in identifying potential conflicts and mitigating risks before proceeding with any further actions.
The correct answer is C. Verify current standards.
The first step is to verify that the existing standards are correct. If the standards are found to be outdated, inadequate, or have coverage issues, they may need to be updated. However, it is important to first reconfirm the existing standards and accurately understand the current status.
The FIRST step to address the conflict between the proposed changes to the ERP system and the existing security standards would be to validate the current standards. This involves reviewing the security standards to ensure they are up to date, aligned with industry best practices, and relevant to the organization's current operating environment. By validating the existing security standards, the organization can assess whether they are still applicable and effective, and determine whether any updates or modifications are necessary to address the proposed changes to the ERP system. Once the security standards have been validated, the organization can then assess the proposed changes and determine whether they are acceptable or whether additional security controls are needed to maintain the integrity, confidentiality, and availability of the system and its data.
Before addressing the conflict between the proposed changes to the ERP system and the existing security standards, it is important to validate the current standards. This includes confirming that the standards are still relevant, accurate, and aligned with the organization's current risk posture and security requirements. Once the standards have been validated, a cost-benefit analysis and business impact assessment can be performed to help determine the best course of action for addressing the conflict, whether it be implementing updated standards, adjusting the proposed changes, or finding a compromise that meets both the security and business needs.