A security manager has started a new job and has identified that a key application for a new client
does not have an accreditation status and is currently not meeting the compliance requirement for

the contract’s SOW. The security manager has competing priorities and wants to resolve this issue
quickly with a system determination and risk assessment. Which of the following approaches
presents the MOST risk to the security assessment?

A.
The security manager reviews the system description for the previous accreditation, but does
not review application change records.

B.
The security manager decides to use the previous SRTM without reviewing the system
description.

C.
The security manager hires an administrator from the previous contract to complete the
assessment.

D.
The security manager does not interview the vendor to determine if the system description is
accurate.