Certified Information Security Manager (CISM) Exam: Information Security Manager's Response to Non-compliance Issues



Question

Internal audit has reported a number of information security issues which are not in compliance with regulatory requirements.

What should the information security manager do FIRST?

Answers

Explanations



C.

When internal audit reports information security issues that are not in compliance with regulatory requirements, the information security manager should take the following steps:

  1. Identify the issues: The information security manager should review the audit report to identify the specific issues that are not in compliance with regulatory requirements.

  2. Evaluate the severity of the issues: The manager should determine the severity of each issue, based on the potential impact on the organization's information security and compliance with regulatory requirements.

  3. Prioritize the issues: The manager should prioritize the issues based on their severity and the potential impact on the organization.

  4. Determine the root causes: The manager should investigate the root causes of the identified issues to understand why they occurred and how they can be prevented in the future.

  5. Develop an action plan: The manager should develop an action plan to address each issue, based on the priority and severity. The plan should include the specific steps needed to remediate the issue, the resources required, and the timeline for completion.

  6. Communicate the plan: The manager should communicate the action plan to relevant stakeholders, including senior management, IT staff, and other employees who may be affected by the issues.

  7. Monitor progress: The manager should monitor progress towards remediation of the issues, ensuring that the action plan is followed and completed on time.

Given the above options, the first step the information security manager should take is to assess the risk to business operations (Option D). This means evaluating the potential impact of the identified security issues on the organization's business operations and the likelihood that those issues will cause harm. Once the risks have been identified, analyzed, and prioritized, the manager can develop an action plan to address the issues and allocate the resources needed to minimize the risks.