Exam CISM, All Questions
Question 9

Which of the following should an information security manager do FIRST when a legacy application is not compliant with a regulatory requirement, but the business unit does not have the budget for remediation?

    Correct Answer: D

    When an information security manager faces a situation where a legacy application is non-compliant with a regulatory requirement and the business unit lacks the budget for remediation, the first step should be to assess the consequences of noncompliance against the cost of remediation. This assessment provides a clear understanding of the potential risks and consequences associated with noncompliance, as well as the financial implications of addressing the issue. By doing so, the manager can gather the necessary information to make informed decisions and prioritize actions effectively. This comprehensive evaluation is crucial before developing a business case, notifying legal, or advising senior management, as it forms the basis for any subsequent steps in addressing the compliance issue.

Discussion
ccKane (Option: D)

An information security manager should assess the consequences of noncompliance against the cost of remediation first when a legacy application is not compliant with a regulatory requirement but the business unit does not have the budget for remediation. This allows the manager to fully understand the potential risks and consequences of noncompliance, and to make an informed decision about the best course of action. By comparing the cost of remediation with the potential consequences of noncompliance, the manager can determine the level of risk that the organization is willing to accept and make a case for funding or alternative measures to address the compliance issue. This information can also be used to prioritize future remediation efforts based on the level of risk and the urgency of the issue. In any case, it is important for the information security manager to keep senior management informed about the noncompliance issue and to work with them to develop a plan to address the issue and ensure compliance with relevant regulations.

badmoonrising (Option: D)

Think in terms of a large corporation. You don't bother busy people until you have the information they need to make an informed decision. Assess the consequences of noncompliance and the cost to remediate. Then provide that information to senior management to make a decision. Based on your assessment, they may decide to prioritize this mitigation over other risks and redistribute budget resources or they may decide to accept the risk.

richck102 (Option: D)

D. Assess the consequences of noncompliance against the cost of remediation.

dmna007 (Option: C)

The answer has to be C. Notify legal and internal audit of the noncompliant legacy application. After this the risks can be considered and business cases put together. What is the correct answer? This site is useless for CISM!

CarlLimps

I like C as well. You can and will do ALL of these other activities, but C should be done FIRST.

dark_3k03r

If the internal audit team is doing their job, then they will find this on their own (periodic audit or after a major change). There is no need for you to tell them. Instead, you should focus on getting the budget to fix the problem by telling the business you need the money for your section of the business (i.e. business unit) using a business case.

dark_3k03r

As for the comment about the site ... memorizing the answers shouldn't be your goal. Your goal should be to find your weak spots and go study for them. This site simply gives you realistic-looking questions to help you identify those gaps. Having the right answers is just a bonus. The best part of this site is just checking the back-and-forth discussions. That is where the true nuggets are.

mwalula (Option: D)

Answer is D. Assessment should always be the first step. You need to have concrete details before you report to legal.

aji234 (Option: D)

The answer is D. Yes, the security manager needs to get other stakeholders informed, but what is he to tell them? Assessing the risk of non-compliance versus the cost of remediation gets him intelligent data to give both the legal team and management guidance in their decision-making.

peelu (Option: D)

Impact analysis.

dark_3k03r (Option: A)

The correct answer is (A) Develop a business case for funding remediation efforts. The primary reason for this is that you need to look at the keywords "business unit" and "does not have the budget". This is not to say the company doesn't have the budget. It is stating that a part of the company doesn't have the money. So the business unit needs to create the logic and buy-in to get that funding and that is exactly what a business case is designed to do. Rationale: (B) Accepting non-compliance is not an acceptable answer as the fines will get bigger as a repeat offender until the survivability of the company is at risk. If that doesn't do it, reputational damage will. If worst comes to worst criminal charges are always a possibility and no one ever wants to go to jail. So option B is a terrible idea. (C) Lawyers aren't going to give you the budget and if an audit is doing its thing they'll spot this issue on their own. Don't complicate things, just build the business case to fix it. (D) Look at option B as to why this is never going to be an acceptable option.

higoje (Option: A)

Choice A is correct: assessing the impact of a noncompliance and the cost of remediation are part of a business case to justify financial funds for remediation.

Grantolio (Option: C)

I don't get why it wouldn't be C: inform legal. The question says it's non-compliant with a regulation, or in other words, against the law.

strong1

I think the clue in this question is: "the business unit does not have the budget for remediation". Hence D is the correct answer, I suggest.

Cisco900 (Option: B)

It appears to me that for a budget for remediation to be mentioned, risk analysis has already been done. Remediation is a risk control, i.e. risk mitigation. By this stage, consequences should already have been understood. The next step should be for management to either accept the risk or find the budget. Finding the budget has already been done, so accepting the risk is the next logical step.

Viperhunter (Option: D)

It's important to conduct a thorough assessment to understand the potential risks and consequences of noncompliance with the regulatory requirement. This assessment should include evaluating the impact on the organization's reputation, potential legal consequences, and any other risks associated with noncompliance. Comparing this against the cost of remediation will help inform decision-making and guide the organization in determining the most appropriate course of action. Developing a business case (option A) and advising senior management to accept the risk (option B) may come later in the process, once a comprehensive understanding of the situation has been established.

rking (Option: D)

D is correct. Keyword is "first". You need to perform an assessment/analysis first before talking to any other department or upper management.

Soleandheel (Option: D)

Correct answer is D. Assess the consequences of noncompliance against the cost of remediation. Try not to over-analyze these questions. They are pretty straightforward for the most part. When you over-analyze, you get yourself confused and end up picking the wrong answer.

sbbrn (Option: C)

This is a debatable one for sure. The security manager should definitely assess the risk/consequence of the non-compliance (either qualitative or quantitative) vs. the cost of remediation and usually present it to the board for a decision. However, it may seem to be due diligence and good practice to let the legal/contracts team know first that a non-compliance exists which is being worked on.

Monkey2173 (Option: C)

The correct answer is (C), as the question is about the FIRST thing to do. Quickly notify, as it is not time consuming, and then assess the risk (D).

Prasannacpw (Option: D)

Assessment.