CISA Certified Information Systems Auditor – Question 1178

What should the information security manager do FIRST when end users express that new security controls are too restrictive?

A. Perform a risk assessment on modifying the control environment.
B. Perform a cost-benefit analysis on modifying the control environment.
C. Conduct a business impact analysis (BIA).
D. Obtain process owner buy-in to remove the controls.

Correct Answer: A