Which of the following is the BEST course of action for the information security manager when residual risk is above the acceptable level of risk?
A. Perform a cost-benefit analysis
B. Recommend additional controls
C. Carry out a risk assessment
D. Defer to business management

Correct answer: B
When residual risk is above the acceptable level of risk, the information security manager must take appropriate actions to reduce the risk to an acceptable level. The residual risk is the risk that remains after controls have been implemented. The acceptable level of risk is determined based on the organization's risk appetite and tolerance.
Out of the given options, the BEST course of action for the information security manager when residual risk is above the acceptable level of risk is to recommend additional controls (Option B). This option suggests taking action to mitigate the risk and bring it down to an acceptable level.
Performing a cost-benefit analysis (Option A) is an important step in evaluating the effectiveness of the controls that have been implemented, but it does not address the problem of residual risk being above the acceptable level.
Carrying out a risk assessment (Option C) is a good practice, but it does not directly address the issue of residual risk being above the acceptable level. Risk assessment helps in identifying potential risks and assessing the likelihood and impact of those risks.
Deferring to business management (Option D) is not the best course of action because the responsibility for managing and mitigating risk lies with the information security manager. The business management team may not have the necessary expertise or knowledge to evaluate the risk and recommend appropriate controls.
In conclusion, the information security manager should recommend additional controls to mitigate the risk and bring it down to an acceptable level when residual risk is above the acceptable level of risk.