Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies.
An information security manager should:
Click on the arrows to vote for the correct answer
A. B. C. D.B.
Whenever the company's policies cannot be followed, a risk assessment should be conducted to clarify the risks.
It is then up to management to accept the risks or to mitigate them.
Management determines the level of risk they are willing to take.
Recommending revision of current policy should not be triggered by a single request.
When an organization wants to implement a technical solution that deviates from the company's policies, the information security manager should take appropriate action to ensure the security of the organization's data and assets. Here are the possible actions that the information security manager can take:
A. Conduct a risk assessment and allow or disallow based on the outcome: The information security manager can conduct a risk assessment to identify potential risks and evaluate the impact of the technical solution on the organization's security posture. The outcome of the risk assessment can help the information security manager to determine whether to allow or disallow the implementation of the technical solution. If the risk assessment shows that the implementation of the technical solution poses an acceptable level of risk to the organization, the information security manager can allow the implementation. Otherwise, the implementation should be disallowed or delayed until the risks can be mitigated.
B. Recommend a risk assessment and implementation only if the residual risks are accepted: The information security manager can recommend a risk assessment to evaluate the potential risks associated with the implementation of the technical solution. The information security manager can then recommend the implementation of the technical solution only if the residual risks are accepted by the organization. Residual risks are the risks that remain after implementing controls to mitigate the identified risks. The information security manager should ensure that the residual risks are within the organization's risk tolerance level.
C. Recommend against implementation because it violates the company's policies: The information security manager can recommend against the implementation of the technical solution if it violates the company's policies. The policies are designed to protect the organization's assets and data. Deviating from the policies can expose the organization to risks that may compromise the confidentiality, integrity, and availability of the organization's data and assets.
D. Recommend revision of current policy: If the technical solution is critical to the business, the information security manager can recommend the revision of the current policy to accommodate the implementation of the technical solution. The revised policy should consider the potential risks associated with the implementation of the technical solution and provide appropriate controls to mitigate those risks.
In summary, the information security manager should take appropriate action based on the organization's risk tolerance, policies, and business needs. The risk assessment is an essential tool to identify potential risks and evaluate the impact of the technical solution on the organization's security posture. The information security manager should ensure that the organization's policies are followed to protect the organization's assets and data. If the policies need to be revised, the information security manager can recommend appropriate changes to accommodate the implementation of the technical solution.