Which of the following BEST describes an information security manager’s role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?

A.
Ensure that all IT risks are identified

B.
Evaluate the impact of information security risks

C.
Demonstrate that IT mitigating controls are in place

D.
Suggest new IT controls to mitigate operational risk

Explanation:
The job of the information security officer on such a team is to assess the risks to the business operation. Choice A is incorrect because information security is not limited to IT issues. Choice C is incorrect because at the time a team is formed to assess risk, it is premature to assume that any demonstration of IT controls will mitigate business operations risk. Choice D is incorrect because it is premature at the time of the formation of the team to assume that any suggestion of new IT controls will mitigate business operational risk.