CISM Certified Information Security Manager – Question0216

A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST?

A. Investigate alternative options to remediate the noncompliance.
B. Assess the business impact to the organization.
C. Present the noncompliance risk to senior management.
D. Determine the cost to remediate the noncompliance.

Correct Answer: B