Addressing Security Controls Gap for a Specific Application | Information Security Management

Next Steps for Implementing Security Controls in Accordance with Organizational Policies


Question

A recent audit has identified that security controls required by the organization's policies have not been implemented for a particular application.

What should the information security manager do NEXT to address this issue?

Answers

Explanations


A. B. C. D.

D.

When a recent audit identifies that security controls required by the organization's policies have not been implemented for a particular application, the information security manager should take the following steps:

Step 1: Assess the Severity of the Issue

The information security manager needs to evaluate the severity of the issue by considering the potential risk and impact to the organization's assets, including data, systems, and operations. Based on the severity, the manager can determine the appropriate course of action.

Step 2: Identify the Cause of the Non-Compliance

The information security manager should determine why the security controls have not been implemented for the application. This may involve discussing the issue with data owners or custodians to understand the underlying reasons for the exception.

Step 3: Develop a Remediation Plan

Based on the severity and the cause of the non-compliance, the information security manager should develop a remediation plan to address the issue. This plan should include specific steps to implement the missing security controls and prevent similar issues from occurring in the future.

Step 4: Report to Senior Management

The information security manager should report the issue to senior management and explain the severity of the issue, the cause of the non-compliance, and the remediation plan. This will ensure that senior management is aware of the issue and can provide the necessary support and resources to address the problem.

Step 5: Implement the Remediation Plan

The information security manager should implement the remediation plan to address the issue, including implementing the missing security controls and monitoring the application for any further non-compliance.

Given the above, the most appropriate next step for the information security manager to address the issue of non-compliance would be to discuss the issue with data custodians (Option B) or data owners (Option D) to determine the cause of the exception. This step is crucial in identifying the underlying reasons for the non-compliance, which will help the manager develop an effective remediation plan. Option A (Deny access to the application until the issue is resolved) may not be necessary in all cases, and it may not address the root cause of the non-compliance. Option C (Report the issue to senior management and request funding to fix the issue) may be necessary, but it should not be the first step taken by the information security manager.