Handling Security Standard Conflicts | CISM Exam Preparation
Question
When a security standard conflicts with a business objective, the situation should be resolved by:
Answer
Correct answer: C.
Explanation
Resolution of conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard.
It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance is a process that derives from the risk analysis rather than a substitute for it.
When a security standard conflicts with a business objective, the situation should be resolved by performing a risk analysis.
Security standards are put in place to help protect an organization's assets, including data, systems, and people. However, in some cases, these security standards may conflict with the organization's business objectives. For example, a security standard may require strict access controls, which could hinder productivity by making it more difficult for employees to access the systems and data they need to do their jobs.
In such situations, the organization needs to determine the level of risk associated with the conflicting objectives. A risk analysis is a process of identifying, assessing, and prioritizing risks, which allows organizations to make informed decisions about how to manage them.
Through a risk analysis, the organization can identify the potential impact of not complying with the security standard and the potential impact of not meeting the business objective. By doing so, the organization can determine whether the risk is acceptable or not. If the risk is deemed acceptable, the organization can authorize a risk acceptance, meaning it formally accepts the risk as it stands and takes no additional steps to manage it.
On the other hand, if the risk is deemed unacceptable, the organization may need to explore other options to resolve the conflict. This could involve changing the security standard, changing the business objective, or finding a compromise that allows both objectives to be met without compromising security.
Overall, the key to resolving conflicts between security standards and business objectives is to perform a risk analysis and make informed decisions based on the identified risks.