When a security standard conflicts with a business objective, the situation should be resolved by:

A. changing the security standard.

B. changing the business objective.

C. performing a risk analysis.

D. authorizing a risk acceptance.

Explanation:

Conflicts of this type should be resolved based on a risk analysis of the costs and benefits of allowing or
disallowing an exception to the standard. It is highly improbable that a business objective could be
changed to accommodate a security standard, while risk acceptance is a process that derives
from the risk analysis.


