An assessment of information security controls has identified ineffective controls.
Which of the following should be the risk practitioner's FIRST course of action?
A. Deploy a compensating control to address the identified deficiencies
B. Report the ineffective control for inclusion in the next audit report
C. Determine if the impact is outside the risk appetite
D. Request a formal acceptance of risk from senior management
The risk practitioner's first course of action after identifying ineffective controls during an assessment of information security controls would be to determine if the impact is outside the organization's risk appetite. Therefore, the correct answer is option C.
Explanation: Option A - Deploy a compensating control to address the identified deficiencies: Deploying a compensating control could be a viable option to address identified deficiencies. However, it is not the first course of action. The risk practitioner should first evaluate the risk and determine whether the impact is within the organization's risk appetite before deciding to deploy compensating controls.
Option B - Report the ineffective control for inclusion in the next audit report: Reporting the ineffective control for inclusion in the next audit report is important, but it is not the first course of action. The risk practitioner should first evaluate the risk and determine whether the impact is within the organization's risk appetite before deciding to report the issue in the audit report.
Option C - Determine if the impact is outside the risk appetite: The first course of action for the risk practitioner would be to determine if the impact of the identified ineffective controls is outside the organization's risk appetite. If the impact is outside the organization's risk appetite, senior management should be informed immediately, and appropriate actions should be taken to address the risk.
Option D - Request a formal acceptance of risk from senior management: Requesting a formal acceptance of risk from senior management is not the first course of action. The risk practitioner should first evaluate the risk and determine whether the impact is within the organization's risk appetite before deciding to request formal acceptance of the risk from senior management.
In conclusion, the first course of action for a risk practitioner after identifying ineffective controls is to evaluate the risk and determine whether the impact is within the organization's risk appetite. If the impact is outside the organization's risk appetite, senior management should be informed immediately, and appropriate actions should be taken to address the risk.