An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner’s FIRST course of action?
A. Deploy a compensating control to address the identified deficiencies
B. Report the ineffective control for inclusion in the next audit report
C. Determine if the impact is outside the risk appetite
D. Request a formal acceptance of risk from senior management
A. Deploy a compensating control to address the identified deficiencies
B. Report the ineffective control for inclusion in the next audit report
C. Determine if the impact is outside the risk appetite
D. Request a formal acceptance of risk from senior management