Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company`s policies. An information security manager should: 

Answer options:

A. conduct a risk assessment and allow or disallow based on the outcome.
B. recommend a risk assessment and implementation only if the residual risks are accepted.
C. recommend against implementation because it violates the company`s policies.
D. recommend revision of current policy.

B

Whenever the company`s policies cannot be followed, a risk assessment should be conducted to clarify the risks. It is then up to management to accept the risks or to mitigate them. Management determines the level of risk they are willing to take. Recommending revision of current policy should not be triggered by a single request.