An incident response team has established that an application has been breached. Which of the following should be done NEXT?
Correct Answer: C
Question 332
Labeling information according to its security classification:
Correct Answer: B
Question 333
An information security manager has recently been notified of potential security risks associated with a third-party service provider. What should be done NEXT to address this concern?
Correct Answer: A
Question 334
Which of the following is MOST critical to review when preparing to outsource a data repository to a cloud- based solution?
Correct Answer: C
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Question 335
Which of the following parties should be responsible for determining access levels to an application that processes client information?
Correct Answer: D
Explanation The business client should be responsible for determining access levels to an application that processes client information, because the business client is the owner of the data and the primary stakeholder of the application. The business client has the best knowledge and understanding of the business requirements, objectives, and expectations of the application, and the sensitivity, value, and criticality of the data. The business client can also define the roles and responsibilities of the users and the access rights and privileges of the users based on the principle of least privilege and the principle of separation of duties. The business client can also monitor and review the access levels and the usage of the application, and ensure that the access levels are aligned with the organization's information security policies and standards. The information security team, the identity and access management team, and the business unit management are all involved in the process of determining access levels to an application that processes client information, but they are not the primary responsible party. The information security team provides guidance, support, and oversight to the business client on the information security best practices, controls, and standards for the application, and ensures that the access levels are consistent with the organization's information security strategy and governance. The identity and access management team implements, maintains, and audits the access levels and the access control mechanisms for the application, and ensures that the access levels are compliant with the organization's identity and access management policies and procedures. The business unit management approves, authorizes, and sponsors the access levels and the access requests for the application, and ensures that the access levels are aligned with the business unit's goals and strategies. References = ISACA, CISM Review Manual, 16th Edition, 2020, pages 125-126, 129-130, 133-134, 137-138. ISACA, CISM Review Questions, Answers & Explanations Database, 12th Edition, 2020, question ID 1037.
