Online Application Risk Mitigation: Best Course of Action

Information Security Manager: Handling Unacceptable Risk Levels


Question

An information security manager finds that a soon-to-be deployed online application will increase risk beyond acceptable levels, and necessary controls have not been included.

Which of the following is the BEST course of action for the information security manager?

Answers

Explanations


A.

The BEST course of action for the information security manager in this scenario is option A: present a business case for additional controls to senior management.

Explanation:

Option A is the best course of action because it addresses the root cause of the problem, which is that the necessary controls were never included in the soon-to-be deployed online application, and it does so at the right level. Risk that exceeds acceptable levels cannot be accepted by the information security manager alone; it is a decision for senior management as the risk owners. By presenting a business case, the information security manager explains the risk the application introduces (likelihood and impact), the controls needed to bring it back within tolerance, what they cost, and what residual risk remains, so that senior management can make an informed decision: fund the controls, delay deployment until they are in place, or formally accept the risk. Whatever they decide should be documented, including any explicit risk acceptance.

Option B is not the best course of action because it assumes the IT department will identify, fund and implement the necessary controls on its own. The information security manager has already determined that the necessary controls were not included, which indicates that the IT department either did not recognize the need or was not given the mandate and resources to address it. Handing the problem back to IT without a management decision leaves an unacceptable risk unresolved at the wrong level.

Option C is also not the best course of action because it assumes that compensating control products can fully mitigate the risks associated with the application. That may not be the case, and selecting products before the risk and its treatment options have been put to senior management puts the solution ahead of the decision; the cost and benefit of any control should be justified in the business case rather than assumed.

Option D is not the best course of action because recommending a different application does not address the root cause of the problem, which is the absence of the necessary controls, and a replacement application may carry the same gap. Moreover, finding a different application may not be practical or feasible given factors such as time and budget constraints.

In conclusion, presenting a business case to senior management for additional controls is the best course of action for the information security manager in this scenario: it addresses the root cause of the problem, keeps the risk decision with the people who own the risk, and allows an informed, documented decision to be made before the application is deployed.