A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST?
A. Assess the business impact to the organization.
B. Present the noncompliance risk to senior management.
C. Investigate alternative options to remediate the noncompliance.
D. Determine the cost to remediate the noncompliance.
The action plan for non-compliance would follow the below order:
A. Assess the business impact to the organization.
C. Investigate alternative options to remediate the noncompliance.
D. Determine the cost to remediate the noncompliance.
B. Present the noncompliance risk to senior management.
Before taking any action, it's essential to understand the potential impact of the noncompliance on the organization. Assessing the business impact involves considering the regulatory consequences, potential legal risks, reputational damage, and any other factors that could affect the organization. This assessment provides a foundation for informed decision-making and helps prioritize actions based on the level of risk and impact.
While presenting the noncompliance risk to senior management (option B), investigating alternative options (option C), and determining the cost to remediate (option D) are important steps, understanding the business impact helps in framing the issue within the broader context of organizational priorities and risk tolerance.