If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:
A. B. C. D.
C.
When the inherent risk of a business activity exceeds the acceptable risk level, the information security manager must take action to reduce the risk to an acceptable level.
Option A, which involves implementing controls to mitigate the risk, is the correct course of action for the information security manager. This approach involves identifying and implementing controls that will reduce the risk to an acceptable level. The manager should assess the risks and prioritize the implementation of controls based on their effectiveness and feasibility.
Option B, which involves recommending that management avoid the business activity altogether, is not necessarily the best option. Avoidance may be a possible solution in some cases, but it is not always practical, feasible, or in line with the organization's objectives.
Option C, which involves assessing the gap between the current and acceptable level of risk, is a step that should be taken as part of the risk management process. However, it is not the first step that should be taken in this scenario.
Option D, which involves transferring the risk to a third party, is not always feasible or practical, and it does not necessarily reduce the risk to an acceptable level. Transferring risk to a third party should only be considered after all other options have been exhausted.
Therefore, the information security manager should first implement controls to mitigate the risk to an acceptable level when the inherent risk of a business activity is higher than the acceptable risk level.