Following a recent acquisition, an information security manager has been requested to address the outstanding risk reported early in the acquisition process.
Which of the following would be the manager's BEST course of action?
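A. Perform a vulnerability assessment of the acquired company's infrastructure.
B. Re-evaluate the risk treatment plan for the outstanding risk.
C. Re-assess the outstanding risk of the acquired company.
D. Add the outstanding risk to the acquiring organization's risk registry.

Answer: C.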
The BEST course of action for the information security manager in this scenario would be to re-assess the outstanding risk of the acquired company (Option C).
Explanation: When a company is acquired, it is common to perform a risk assessment to identify potential risks associated with the acquisition. The risk assessment may identify some outstanding risks that were not addressed during the acquisition process. In this scenario, the information security manager has been requested to address these outstanding risks.
Option A, performing a vulnerability assessment of the acquired company's infrastructure, is a valid course of action. However, this option is not the BEST course of action in this scenario because it only addresses a specific aspect of the overall risk picture. It does not take into account other potential risks or the impact of the outstanding risk on the overall security posture of the acquiring organization.
Option B, re-evaluating the risk treatment plan for the outstanding risk, is also a valid course of action. However, before re-evaluating the treatment plan, it is important to re-assess the risk itself to determine if any changes have occurred that would impact the treatment plan.
Option D, adding the outstanding risk to the acquiring organization's risk registry, is not the BEST course of action in this scenario because it only documents the risk without taking any action to mitigate or manage it.
Therefore, the BEST course of action would be to re-assess the outstanding risk of the acquired company (Option C). This will allow the information security manager to determine if the risk has changed, if any new risks have emerged, and what actions should be taken to mitigate or manage the risk. Based on the re-assessment, the information security manager can then re-evaluate the risk treatment plan and take appropriate actions to address the outstanding risk.