An information security manager has observed multiple exceptions for a number of different security controls. Which of the following should be the information security manager’s FIRST course of action?
A. Design mitigating controls for the exceptions.
B. Prioritize the risk and implement treatment options.
C. Inform respective risk owners of the impact of exceptions.
D. Report the noncompliance to the board of directors.