In the event that a password policy cannot be implemented for a legacy application, which of the following is the BEST course of action? 

Answer options:

A. Update the application security policy.
B. Implement compensating control.
C. Submit a waiver for the legacy application.
D. Perform an application security assessment.

B