CISM Certified Information Security Manager – Question1190

An information security manager has observed multiple exceptions for a number of different security controls. Which of the following should be the information security manager's FIRST course of action?

A.
Report the noncompliance to the board of directors.
B. Inform respective risk owners of the impact of exceptions
C. Design mitigating controls for the exceptions.
D. Prioritize the risk and implement treatment options.

Correct Answer: D