When a security standard conflicts with a business objective, the situation should be resolved by:
A . changing the security standard.
B . changing the business objective.
C . performing a risk analysis.
D . authorizing a risk acceptance.
Answer: C
Explanation:
Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance* is a process that derives from the risk analysis.
Latest CISM Dumps Valid Version with 1327 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund