Management has expressed concerns to the information security manager that shadow IT may be a risk to the organization. What is the FIRST step the information security manager should take?
The first step is to determine the extent of shadow IT usage (A). CISM emphasizes understanding the current state before implementing controls or policy changes. Without knowing where and how shadow IT exists, actions such as blocking usage (C) or updating policy (B) may disrupt business operations unnecessarily. Evaluating value (D) is secondary. Identifying scope enables informed risk assessment and proportionate response.