A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization.
There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk.
Which of the following would be the BEST approach of the information security manager?
A. Accept the business manager's decision on the risk to the corporation.
B. Accept the information security manager's decision on the risk to the corporation.
C. Review the assessment with executive management for final input.
D. Conduct a new risk assessment and BIA to resolve the disagreement.

Correct answer: C
Executive management must be supportive of the process and fully understand and agree with the results, since risk management decisions can often have a large financial impact and require major changes.
Risk management means different things to different people, depending upon their role in the organization, so the input of executive management is important to the process.
In this scenario, there is a disagreement between the information security manager and the business department manager regarding the results of a risk assessment and business impact analysis (BIA) conducted for a proposed purchase and new process for the organization.
The best approach for the information security manager would be to seek resolution in a collaborative and constructive manner, by reviewing the assessment with executive management for final input (option C).
This approach is recommended because it involves engaging senior leadership in the decision-making process, ensuring that the concerns and viewpoints of both the information security manager and the business department manager are heard, and providing a neutral forum for discussion and resolution. The involvement of executive management also ensures that the decision is aligned with the organization's overall risk appetite and strategic objectives.
Accepting the business manager's decision on the risk to the corporation (option A) may compromise the organization's security posture and leave it vulnerable to potential threats and risks. Similarly, accepting the information security manager's decision on the risk to the corporation (option B) may not adequately consider the business impact and requirements.
Conducting a new risk assessment and BIA to resolve the disagreement (option D) may be time-consuming and costly, and may not address the underlying issue of conflicting viewpoints and interests.
Therefore, the best approach for the information security manager would be to seek executive management's input and guidance to resolve the disagreement and ensure that the organization's security and business objectives are appropriately balanced.