CRISC Certified in Risk and Information Systems Control – Question 487

An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner’s FIRST course of action?

A. Deploy a compensating control to address the identified deficiencies
B. Report the ineffective control for inclusion in the next audit report
C. Determine if the impact is outside the risk appetite
D. Request a formal acceptance of risk from senior management

Correct Answer: A