Isaca Updated CISM Exam Questions and Answers by zephyr

 An organization-wide social media policy is a document that defines the rules and guidelines for using social media platforms within the organization. It covers topics such as who can use social media, what they can post, how they should protect confidential information, and what are the consequences for violating the policy. An organization-wide social media policy helps to mitigate the risk of confidential information being disclosed by employees on social media by providing a clear and consistent framework for managing social media activities12.

References = 1: CISM Review Manual (Digital Version), page 271 2: CISM Review Manual (Print Version), page 271

The best first step is to evaluate and prioritize the risk to determine the appropriate treatment strategy before implementing mitigation.

“Once risks are identified, they should be evaluated and prioritized to determine the best response (mitigation, transfer, acceptance, or avoidance).”

— CISM Review Manual 15th Edition, Chapter 2: Risk Management, Section: Risk Treatment*

ISACA practice questions confirm the need for evaluation and prioritization before taking further action.

Risk transfer involves shifting the impact or financial consequences of a risk to a third party. Purchasing cybersecurity insurance is the most common example, where the organization pays a premium to a provider who assumes certain financial responsibilities in the event of a security incident.

Other options listed do not transfer risk:

A. Using third-party applications may introduce new risks, not transfer existing ones.

C. Moving ownership within the organization is reassignment, not transfer.

D. Off-site backups are a form of risk mitigation, not transfer.

“Risk transfer shifts the financial consequences of a risk to another entity, typically through insurance or contractual arrangements.”

— CISM Review Manual 15th Edition, Chapter 2: Risk Management, Section: Risk Treatment Options*

Example: “An organization may transfer the financial impact of a potential data breach through the purchase of cyber insurance.”