
CISM Question #986: Real Exam Question with Answer & Explanation

The correct answer is D: Business processes supported by the application.

Submitted by skyler.x · Apr 18, 2026 · Information Security Risk Management

Question

Which of the following should be the PRIMARY consideration for an information security manager when designing security controls for a newly acquired business application?

Options

  • A. Access management for the business application
  • B. Regulatory requirements on the organization
  • C. The IT security architecture framework
  • D. Business processes supported by the application

Explanation

Security controls exist to protect business value - they must be designed around the business processes the application supports. Understanding what the application does, who uses it, and what data it handles determines the appropriate risk profile and proportionate controls. Access management (A) is an important control type but is a downstream design decision, not a primary driver. Regulatory requirements (B) are a constraint that must be satisfied but don't define the full scope of controls needed for business risk. The IT security architecture framework (C) provides standards and guidance but is a tool, not a starting point. Designing controls without first understanding the supported business processes risks both over-engineering (hindering the business) and under-engineering (leaving critical processes unprotected).

Topics

  • Security controls design
  • Business requirements
  • Application security
  • Risk context
