PrepAway - Latest Free Exam Questions & Answers

Which of the following would be the BEST approach of th…

A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase
and new process for an organization. There is disagreement between the information security manager and the
business department manager who will own the process regarding the results and the assigned risk. Which of
the following would be the BEST approach of the information security manager?

A. Acceptance of the business manager’s decision on the risk to the corporation

B. Acceptance of the information security manager’s decision on the risk to the corporation

C. Review of the assessment with executive management for final input

D. A new risk assessment and BIA are needed to resolve the disagreement

Explanation:

Executive management must be supportive of the process and fully understand and agree with the results since risk management decisions can often have a large financial impact and require major changes. Risk management means different things to different people, depending upon their role in the organization, so the input of executive management is important to the process.

