Following a recent acquisition, an information security manager has been requested to address the outstanding risk reported early in the acquisition process.
Which of the following would be the manager's BEST course of action?
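A. Add the outstanding risk to the acquiring organization's risk registry
B. Re-assess the outstanding risk of the acquired company
C. Re-evaluate the risk treatment plan for the outstanding risk
D. Perform a vulnerability assessment of the acquired company's infrastructure

Correct answer: B.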
When an organization acquires another company, it inherits the risks associated with the acquired organization. Therefore, it is essential to identify and address those risks as part of the due diligence process. In this scenario, the information security manager has been requested to address the outstanding risk reported early in the acquisition process. The best course of action for the manager depends on the nature and severity of the outstanding risk.
A. Add the outstanding risk to the acquiring organization's risk registry: This option is a good starting point as it will ensure that the risk is documented, and the organization can track it as part of its overall risk management strategy. However, simply adding the risk to the registry may not be sufficient if the risk is severe or could have a significant impact on the organization's operations.
B. Re-assess the outstanding risk of the acquired company: This option involves reviewing the risk assessment performed during the acquisition process and determining whether the risk is still relevant and requires further action. This course of action is appropriate if the risk has not been adequately addressed in the past or if there have been changes in the organization's environment that could impact the risk's likelihood or impact.
C. Re-evaluate the risk treatment plan for the outstanding risk: If the risk has already been identified and assessed, this option involves reviewing the organization's existing risk treatment plan and determining whether it is still valid or requires modification. This option is appropriate if the organization has already taken steps to address the risk and wants to ensure that the risk treatment plan remains effective.
D. Perform a vulnerability assessment of the acquired company's infrastructure: This option involves conducting a thorough review of the acquired company's infrastructure to identify any vulnerabilities or weaknesses that could be exploited by an attacker. This option is appropriate if the risk is related to the acquired company's infrastructure or if there is a concern that the acquired company's infrastructure could pose a risk to the acquiring organization.
In conclusion, the best course of action for the information security manager will depend on the nature and severity of the outstanding risk. However, a combination of options B and C would be the best approach to ensure that the risk is adequately addressed and the organization's risk treatment plan is effective.