A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner’s GREATEST concern?
A. Aggregate risk approaching the tolerance threshold
B. Vulnerabilities are not being mitigated
C. Security policies are not being reviewed periodically
D. Risk owners are focusing more on efficiency
A. Aggregate risk approaching the tolerance threshold
B. Vulnerabilities are not being mitigated
C. Security policies are not being reviewed periodically
D. Risk owners are focusing more on efficiency