Exam CISM topic 1 question 528 discussion

Answer is D, the policy will provide the guidance that's needs to be followed which should include adherence to standards such as PCI DSS.

D is basically a gap analysis, so I feel it's the most correct place to start.

The information security manager FIRST review corporate policies regarding credit card information. This step is crucial as it sets the foundation for security processes within the organization. By understanding and adhering to the corporate policies, the information security manager can ensure that the handling of credit card data aligns with the organization's guidelines and compliance requirements. This step provides a framework for implementing appropriate security measures and helps address any potential gaps or issues in the existing policies. Once this foundation is established, the information security manager can then proceed to the other options mentioned, such as ensuring systems are segmented, reviewing industry best practices, and ensuring alignment with encryption standards.

B. Review industry best practices for handling secure payments.

D. Review corporate policies regarding credit card information. This is the first step because it's essential to understand the organization's existing policies and compliance requirements related to credit card data handling. Once you have a clear understanding of the internal policies, you can then proceed to align with industry encryption standards (option C), review industry best practices (option B), and ensure that systems are segmented (option A). However, the foundation for secure credit card data handling is established by adhering to your organization's policies and compliance mandate

Why not A? CC Data must be segmented as a first measure of protection Policies and standards come on top of that

Selected Answer: B

D. review corporate policies regarding credit card information.

B. review industry best practices for handling secure payments.