An information security manager learns that a departmental system is out of compliance with the information security policy’s password strength requirements. Which of the following should be the information security manager’s FIRST course of action?
A. Submit the issue to the steering committee for escalation
B. Conduct an impact analysis to quantify the associated risk
C. Isolate the non-compliant system from the rest of the network
D. Request risk acceptance from senior management
A. Submit the issue to the steering committee for escalation
B. Conduct an impact analysis to quantify the associated risk
C. Isolate the non-compliant system from the rest of the network
D. Request risk acceptance from senior management