CISM Certified Information Security Manager – Question0305

A risk management approach to information protection is:

A. managing risks to an acceptable level, commensurate with goals and objectives.
B. accepting the security posture provided by commercial security products.
C. implementing a training program to educate individuals on information protection and risks.
D. managing risk tools to ensure that they assess all information protection vulnerabilities.

Correct Answer: A

Explanation:
Risk management means identifying the risks within an organization, establishing an acceptable level of risk and managing those risks effectively, which may include mitigation or transfer. Accepting the security posture provided by commercial security products (B) is an approach limited to technology components and may not address all of the organization's business operations. Education (C) is only one part of the overall risk management process. Risk tools (D) may be limited to technology and would not address non-technology risks.