🔥 3-day streak
ISACA CISM — Certified Information Security Manager15 / 121
Question 15 of 121

A multinational retailer operates in several countries, each with different breach notification timelines and data protection obligations. The information security manager discovers that one jurisdiction requires notification within 72 hours, while a contractual clause with a major partner requires immediate notification of any incident, and a third country mandates notification only after confirmed harm to individuals. To address these conflicting legal, regulatory, and contractual requirements when developing the incident response and governance approach, what should the information security manager do FIRST?

Reviewed for accuracy · Report an issueNext question