Inherent Risk Assessment and Mitigation

D.

When the inherent risk of a business activity is higher than the acceptable risk level, the information security manager's first action should be to implement controls to mitigate the risk to an acceptable level. Therefore, the correct answer is B.

Here's a more detailed explanation of the options and why implementing controls to mitigate risk is the best first step:

A. Transfer risk to a third party to avoid cost of impact: Transferring risk to a third party, such as an insurance company, may be an option for some risks. However, this is not always feasible, and it may not be the best first step in this scenario. Additionally, it may not always be possible to transfer risk to a third party if the risk is too high or if the cost of the impact is too significant.

C. Recommend that management avoids the business activity: This option is also not ideal as it involves avoiding the business activity altogether. While this may reduce the risk associated with the activity, it may not be practical or feasible, especially if the activity is necessary for the business's operations.

D. Assess the gap between current and acceptable level of risk: Assessing the gap between the current and acceptable level of risk is an important step in understanding the magnitude of the risk and identifying potential control measures. However, it is not the first action that the information security manager should take.

Therefore, the best option is B. Implementing controls to mitigate the risk to an acceptable level. This involves identifying and implementing control measures to reduce the risk associated with the activity to an acceptable level. The information security manager may need to consider the cost-benefit of implementing these control measures and ensure that they are feasible and effective.