An information security manager reviewed the access control lists and observed that privileged
access was granted to an entire department. Which of the following should the information security
manager do FIRST?

A.
Review the procedures for granting access

B.
Establish procedures for granting emergency access

C.
Meet with data owners to understand business needs

D.
Redefine and implement proper access rights

Explanation:

An information security manager must understand the business needs that motivated the change
prior to taking any unilateral action. Following this, all other choices could be correct depending on
the priorities set by the business unit.