Which of the following is the BEST course of action for the information security manager when residual risk is above the acceptable level of risk?
A. Perform cost-benefit analysis
B. Recommend additional controls
C. Carry out risk assessment
D. Defer to business management