Which of the following should an information security manager do FIRST to address the risk associated with a new third-party cloud application that will not meet organizational security requirements?
The first action an information security manager should take to address the risk associated with a new third-party cloud application that does not meet organizational security requirements is to consult with the business owner. The business owner is responsible for the application and its functionality within the organization. Consulting with them allows the security manager to understand the business needs, evaluate the importance of the application, and consider any potential alternatives or mitigating measures. This initial consultation is crucial for making informed decisions about further actions, such as updating the risk register or including security requirements in the contract.
Talk to the business owner.
The FIRST step an information security manager should take to address the risk associated with a new third-party cloud application that will not meet organizational security requirements is to consult with the business owner.
C. Consult with the business owner.
In this question, the situation is considered to be a pre-contractual situation. You know that the new application will not meet your organization's security requirements, so the first thing to do is to specify the security requirements in the contract. Option D, "Specify security requirements in the contract," is the correct answer. This will clarify the requirements that the application provider needs to meet and the liability if they are not followed. It is then advisable to update the risk register, but this should not be the first thing done.
I disagree. Consult the business owner to make him aware of the impending risks.
As this is a new third-party cloud application, it implies that the contract has already been signed, so Option D is not available; the only other course of action is to talk to the business owner.
When reading the answer again, I think that the interpretation of the question is that the new third-party cloud application is not yet operational. I can imagine that the ISM then temporarily restricts this application. After that, contact the business owner.
Seems like C is the better answer. It states "new third-party cloud application that will not meet organizational security requirements". To me the statement does not allow for it to be an option to be placed in a contract. The other answers don't fit either.
Split between C and D, leaning more towards D, as it is asked what the infosec manager does FIRST to ADDRESS the risk that WILL happen ("application will not meet security requirements" implying that it's still not implemented, but if it is, it will not meet the requirements). That's why it seems that D is a better answer here, although I can easily be reading too much into the question and missing the obvious C.
Also, it can easily be C, and D is then done after that. So first you talk to the business owner and say "hey, this thing isn't meeting our sec requirements" and only after that decide what to do next. If the business owner says "yeah, you're right, let's do something about it", then the infosec manager does D.
I agree with this interpretation.
Option C
C. Consult with the business owner.
Consulting with the business owner is crucial because they are responsible for the application and its functionality within the organization. By engaging in a conversation with the business owner, the information security manager can gain a better understanding of the business needs, the purpose of the application, and any potential alternatives or mitigating measures that can be explored.
Given the context of addressing the risk associated with a new third-party cloud application that does not meet organizational security requirements, the BEST course of action would be to include security requirements in the contract (Option D) as the FIRST step. By including specific security requirements in the contract, the organization can ensure that the third-party vendor understands and agrees to adhere to the necessary security measures. This contractual obligation helps to protect the organization's interests and provides a basis for holding the vendor accountable for meeting the required security standards. Option D.