CISM Exam: Next Course of Action for Accepting Identified Risk

Information Security Manager's Next Course of Action


Question

A risk was identified during a risk assessment.

The business process owner has chosen to accept the risk because the cost of remediation is greater than the projected cost of a worst-case scenario.

What should be the information security manager's NEXT course of action?

Answers

A. Determine a lower-cost approach to remediation
B. Document and schedule a date to revisit the issue
C. Shut down the business application
D. Document and escalate to senior management

Explanations

Correct answer: D.

In this scenario, the business process owner has chosen to accept the identified risk because the cost of remediation is greater than the projected cost of a worst-case scenario. As a result, the information security manager's next course of action should be to document the decision and the reasoning behind it and escalate it to senior management.

Option A - Determine a lower-cost approach to remediation: While this may be a valid course of action in some situations, it is not appropriate in this case because the business process owner has already determined that the cost of remediation is too high.

Option B - Document and schedule a date to revisit the issue: This is a reasonable course of action because it allows the organization to keep track of the identified risk and monitor it for any changes or new developments. However, it does not address the fact that the business process owner has already accepted the risk.

Option C - Shut down the business application: This is not an appropriate course of action because it is a drastic measure that should only be taken if there is an immediate threat to the organization. In this case, the business process owner has already determined that the risk is acceptable.

Option D - Document and escalate to senior management: This is the most appropriate course of action. By documenting the decision and the reasoning behind it, the information security manager can ensure that senior management is aware of the risk and the decision to accept it. This allows senior management to make an informed decision about whether or not they agree with the business process owner's decision to accept the risk. Additionally, this documentation can serve as evidence of due diligence in the event of an incident or audit.