A security administrator wants to verify and improve the security of a business process which is tied to proven
company workflow. The security administrator was able to improve security by applying controls that were
defined by the newly released company security standard. Such controls included code improvement, transport
encryption, and interface restrictions. Which of
the following can the security administrator do to further increase security after having exhausted all the
technical controls dictated by the company’s security standard?

A.
Modify the company standard to account for higher security and meet with upper management for approval
to implement the new standard.

B.
Conduct a gap analysis and recommend appropriate non-technical mitigating controls, and incorporate the
new controls into the standard.

C.
Conduct a risk analysis on all current controls, and recommend appropriate mechanisms to increase overall
security.

D.
Modify the company policy to account for higher security, adapt the standard accordingly, and implement
new technical controls.