A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards.
What immediate action should an information security manager take?
A . Enforce the existing security standard
B . Change the standard to permit the deployment
C . Perform a risk analysis to quantify the risk
D . Perform research to propose use of a better technology
Answer: C
Explanation:
Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be given without conducting such an analysis. Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risks they present. Standards should not be changed without an appropriate risk assessment.
Leave a Reply