Violations of Existing Information Security Standards: Immediate Action

Question

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards.

What immediate action should an information security manager take?

Answers

A. Enforce the existing security standard.
B. Change the standard to permit the deployment.
C. Perform a risk analysis to quantify the risk.
D. Perform research to propose the use of a better technology.

Correct answer: C.

Explanations

Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard.

A blanket decision should never be given without conducting such an analysis.

Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risks they present.

Standards should not be changed without an appropriate risk assessment.

As an information security manager, it is important to take appropriate action if a business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. The immediate action that should be taken depends on the specific circumstances and the severity of the violation.

Option A: Enforce the existing security standard. This option may be appropriate if the violation is minor and can be easily corrected without affecting the business unit's ability to use the new technology. For example, if the violation involves a configuration setting that can be changed without affecting the functionality of the technology, then enforcing the existing standard may be the best course of action.

Option B: Change the standard to permit the deployment. This option may be appropriate if the violation is significant, but the business unit has a compelling reason to use the new technology in a way that is not currently permitted by the existing standard. However, changing the standard should only be done after careful consideration of the risks and benefits, and only if the change does not compromise the overall security posture of the organization.

Option C: Perform a risk analysis to quantify the risk. This option is always a good idea, regardless of the severity of the violation. A risk analysis can help identify the potential impact of the violation and the likelihood of it occurring. This information can be used to determine the best course of action to mitigate the risk, which may involve enforcing the existing standard, changing the standard, or proposing the use of a better technology.

Option D: Perform research to propose the use of a better technology. This option may be appropriate if the new technology is inherently insecure or if there is a better technology available that can meet the business unit's needs without violating the existing standard. However, proposing a new technology should only be done after careful research and analysis to ensure that it is secure and meets the organization's needs.

In summary, the immediate action that an information security manager should take if a business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards depends on the specific circumstances and the severity of the violation. The options include enforcing the existing standard, changing the standard to permit the deployment, performing a risk analysis to quantify the risk, and performing research to propose the use of a better technology.