
CISM Question #278: Real Exam Question with Answer & Explanation


Submitted by neha2k · Apr 18, 2026 · Domain: Information Security Incident Management

Question

An information security manager is developing a breach notification procedure for multiple geographic regions. After understanding where the organization's customers reside, which of the following should the information security manager do NEXT?

Options

  • A. Determine notification timing and actions required by each region
  • B. Standardize notification timing and actions globally
  • C. Designate a communications representative for each region
  • D. Perform a gap analysis of existing processes

Explanation

After identifying where customers reside, the logical next step is to determine the specific notification timing and actions required by each region (A), because breach notification laws vary significantly by jurisdiction - GDPR mandates 72-hour notification, US state laws differ by state, and other regions have their own requirements. Understanding what each region legally demands must happen before any process can be designed or standardized.

Why the distractors are wrong:

  • B is premature and counterproductive - you cannot standardize globally until you first know what each region actually requires; standardizing before that risks non-compliance.
  • C (designating communications representatives) is an implementation detail that comes after you've defined the process and its regional requirements.
  • D (gap analysis) compares existing processes against a known standard - but you haven't yet established what the regional requirements are, so a gap analysis has nothing to measure against.

Memory tip: Think of it as a sequence - Know your customers → Know the rules that apply to them → Then build/compare/assign. The question already completed step 1 (identifying regions), so step 2 is learning the rules (A). Never skip to execution (C) or evaluation (D) before you know the requirements.

Topics

#BreachNotification #RegulatoryCompliance #IncidentResponseProcedure #GlobalSecurity
