Senior management has decided to accept a significant risk within a security remediation plan.
Which of the following is the information security manager's BEST course of action?
A. Remediate the risk and document the rationale.
B. Update the risk register with the risk acceptance.
C. Communicate the remediation plan to the board of directors.
D. Report the risk acceptance to regulatory agencies.
When senior management has decided to accept a significant risk within a security remediation plan, the information security manager should take the following course of action:
B. Update the risk register with the risk acceptance.
Explanation:
Risk acceptance is a valid risk management option. The security manager should document the risk acceptance in the risk register, which should contain details about the risk and the decision to accept it. The risk register should be updated to reflect the decision of senior management to accept the risk. Updating the risk register is important as it helps to ensure that the risk is managed effectively, and the organization can review and reassess it in the future if necessary.
Option A - Remediate the risk and document the rationale - is not the best option because senior management has already decided to accept the risk, and therefore, remediation is not required. However, documenting the rationale is a good practice for future reference.
Option C - Communicate the remediation plan to the board of directors - is not necessary because senior management has already accepted the risk. Communicating a remediation plan is only necessary when there is a plan to remediate the risk.
Option D - Report the risk acceptance to regulatory agencies - is not required unless the risk acceptance breaches a regulation or law.