An organization’s internal auditors have identified a new IT control deficiency in the organization’s identity and access management (IAM) system. It is most important for the risk practitioner to:
A. perform a follow-up risk assessment to quantify the risk impact
B. verify that applicable risk owners understand the risk
C. implement compensating controls to address the deficiency
D. recommend replacement of the deficient system
A. perform a follow-up risk assessment to quantify the risk impact
B. verify that applicable risk owners understand the risk
C. implement compensating controls to address the deficiency
D. recommend replacement of the deficient system