Internal audit has reported a number of information security issues which are not in compliance with regulatory requirements. What should the information security manager do FIRST? 

Answer options:

A. Create a security exception
B. Perform a vulnerability assessment
C. Perform a gap analysis to determine needed resources
D. Assess the risk to business operations

C