An information security manager should:

Because of its importance to the business, an organization wants to quickly implement a technical
solution which deviates from the company’s policies. An information security manager should:

A. conduct a risk assessment and allow or disallow based on the outcome.

B. recommend a risk assessment and implementation only if the residual risks are accepted.

C. recommend against implementation because it violates the company’s policies.

D. recommend revision of current policy.

Explanation:

Whenever the company’s policies cannot be followed, a risk assessment should be conducted to
clarify the risks. It is then up to management to accept the risks or to mitigate them. Management
determines the level of risk they are willing to take. Recommending revision of current policy
should not be triggered by a single request.


