Security Assessment: Uninstalled Security Patches on Critical Business Server

Information Security Manager's First Course of Action


Question

During a security assessment, an information security manager finds a number of security patches were not installed on a server hosting a critical business application.

The application owner did not approve the patch installation to avoid interrupting the application.

Which of the following should be the information security manager's FIRST course of action?

Answers

Explanations


A. B. C. D.

D.

In this scenario, the information security manager has found that security patches are missing on a server hosting a critical business application, and the application owner declined the patch installation to avoid interrupting the application. The information security manager's first course of action should be to communicate the potential impact to the application owner, which is option B.

Option B is the most appropriate response because it lets the information security manager inform the application owner of the security risks of leaving the patches uninstalled, including the potential for the server to be compromised and for the data on it to be stolen or damaged. The information security manager can also explain the importance of maintaining the security of the server and the application, and work with the application owner to find a way to apply the patches without interrupting the application's availability or performance.

After communicating the potential impact to the application owner, the information security manager can then work with IT management to determine mitigation options, which is option D. This may involve identifying alternative methods for patching the server or scheduling a time for patch installation that minimizes disruption to the application.

Option A, which is to escalate the risk to senior management, may be appropriate if the application owner refuses to address the security risks associated with not applying the patches or if the risks are significant enough to require senior management's attention. However, this should not be the information security manager's first course of action.

Option C, which is to report the risk to the information security steering committee, may also be appropriate, but it is not the information security manager's first course of action in this scenario. The steering committee may provide guidance or support in addressing the security risks associated with not applying the patches, but it should not be the first point of contact.