Major Weaknesses in IT Processing | Conveying Urgency to Management | Exam CISM

Conveying Urgency to Management


Question

An internal audit has identified major weaknesses over IT processing.

Which of the following should an information security manager use to BEST convey a sense of urgency to management?

Answers

A. Security metrics reports
B. Risk assessment reports
C. Business impact analysis (BIA)
D. Return on security investment report

Explanations

B.

Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.

Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool.

The business impact analysis (BIA) covers continuity risks only.

Return on security investment cannot be determined until a plan is developed based on the BIA.

When an internal audit has identified major weaknesses over IT processing, it is crucial to convey a sense of urgency to management so that appropriate measures are taken to address them. To do so, the information security manager should use the most effective communication tool available.

Option A - Security metrics reports: Security metrics reports can provide a good overview of the current state of security measures in the organization. However, these reports may not provide a sense of urgency to management. They may not highlight the severity of the identified weaknesses and the potential impact of not addressing them.

Option B - Risk assessment reports: Risk assessment reports are designed to identify potential risks and their potential impact on the organization. They can help identify the likelihood and impact of security incidents, and can help management make informed decisions regarding security measures. However, they may not necessarily convey a sense of urgency to management regarding the identified weaknesses.

Option C - Business impact analysis (BIA): A Business Impact Analysis (BIA) is a process that identifies and evaluates the potential impact of a disruption to an organization's critical business functions. BIA can provide a sense of urgency to management by highlighting the potential impact of the identified weaknesses on the organization's critical business functions.

Option D - Return on security investment report: The Return on Security Investment (ROSI) report can help management understand the financial impact of security investments on the organization. While this report can provide important information regarding the effectiveness of security measures, it may not necessarily convey a sense of urgency to management regarding the identified weaknesses.

Based on the above analysis, the BEST option to convey a sense of urgency to management in this scenario is option C - Business impact analysis (BIA). BIA can highlight the potential impact of the identified weaknesses on the organization's critical business functions and help management understand the importance of addressing the identified weaknesses as soon as possible.