CISM Certified Information Security Manager – Question1023

What should the information security manager do FIRST when end users express that new security controls are too restrictive?

A.
Conduct a business impact analysis (BIA)
B. Obtain process owner buy-in to remove the controls
C. Perform a risk assessment on modifying the control environment
D. Perform a cost-benefit analysis on modifying the control environment

Correct Answer: C