Before final acceptance of residual risk, what is the BEST way for an information security manager to address risk factors determined to be lower than acceptable risk levels? 

Answer options:

A. Evaluate whether an excessive level of control is being applied.
B. Ask senior management to increase the acceptable risk levels.
C. Implement more stringent countermeasures.
D. Ask senior management to lower the acceptable risk levels.

A