ISACA Exam Questions

What immediate action should an information security manager take?

A business unit intends to deploy a new technology in a manner that places it in violation of
existing information security standards. What immediate action should an information security
manager take?

A. Enforce the existing security standard

B. Change the standard to permit the deployment

C. Perform a risk analysis to quantify the risk

D. Perform research to propose use of a better technology

Explanation:

Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits
of allowing or disallowing an exception to the standard. A blanket decision should never be given
without conducting such an analysis. Enforcing existing standards is a good practice; however,
standards need to be continuously examined in light of new technologies and the risks they
present. Standards should not be changed without an appropriate risk assessment.