A newly appointed risk management director for the IT department at Company XYZ, a major pharmaceutical manufacturer, needs to conduct a risk analysis of a new system which the developers plan to bring online in three weeks. The director begins by reviewing the thorough and well-written report from the independent contractor who performed a security assessment of the system. The report details what seems to be a manageable volume of infrequently exploited security vulnerabilities. The director decides to implement continuous monitoring and other security controls to mitigate the impact of the vulnerabilities. Which of the following should the director require from the developers before agreeing to deploy the system?
A. An incident response plan which guarantees response by tier two support within 15 minutes of an incident.
B. A definitive plan of action and milestones which lays out resolutions to all vulnerabilities within six months.
C. Business insurance to transfer all risk from the company shareholders to the insurance company.
D. A prudent plan of action which details how to decommission the system within 90 days of becoming operational.