An organization's information security program has been in place for two years. During a recent audit, several findings indicated that security controls are not consistently applied across business units. The CISO has been asked to improve the program. Which of the following should the CISO do FIRST?
Trap 1: Automate security compliance monitoring across all business units.
Automation is a tool, not a strategy. Without first understanding the current state of the program, automated monitoring may only report the inconsistencies faster; it does not explain or fix why controls are applied unevenly.
Trap 2: Update the information security policy to mandate compliance.
The policy presumably already requires the controls; the audit shows they are not being applied. A policy update alone does not ensure consistent application, since enforcement and monitoring are still needed.
Trap 3: Implement additional security controls across all business units.
Adding controls without a risk assessment may not address the actual risks, will likely be applied just as inconsistently as the existing ones, and is an inefficient use of budget.
- A. Automate security compliance monitoring across all business units.
  Why wrong: Automation is a tool, not a strategy. Without first understanding the current state, it may only report the inconsistencies faster rather than address their cause.
- B. Update the information security policy to mandate compliance.
  Why wrong: A policy update alone does not ensure consistent application; enforcement and monitoring are still needed.
- C. Conduct a risk assessment to identify gaps and prioritize remediation. (Correct)
  Why correct: A risk assessment establishes the current state across business units, identifies where and why controls are not being applied, and gives the CISO a risk-based basis for prioritizing remediation. Automation, policy updates, and new controls are all valid follow-on actions, but each should be driven by the assessment's findings rather than chosen first.
- D. Implement additional security controls across all business units.
  Why wrong: Implementing controls without a risk assessment may not address the actual risks and could be inefficient.