A security administrator wants to verify and improve the security of a business process that is
tied to a proven company workflow. The security administrator was able to improve security by
applying controls that were defined by the newly released company security standard. Such
controls included code improvement, transport encryption, and interface restrictions. Which of the
following can the security administrator do to further increase security after having exhausted all
the technical controls dictated by the company’s security standard?
A. Modify the company standard to account for higher security and meet with upper management
for approval to implement the new standard.
B. Conduct a gap analysis and recommend appropriate non-technical mitigating controls, and
incorporate the new controls into the standard.
C. Conduct a risk analysis on all current controls, and recommend appropriate mechanisms to
increase overall security.
D. Modify the company policy to account for higher security, adapt the standard accordingly, and
implement new technical controls.