If the final set of security controls does not eliminate all risk in a system, what could be done next?
A.
Continue to apply controls until there is zero risk.
B.
Ignore any remaining risk.
C.
If the residual risk is low enough,it can be accepted.
D.
Remove current controls since they are not completely effective.
A is the right Ans.