A newly-appointed risk management director for the IT department at Company XYZ, a major pharmaceutical manufacturer, needs to conduct a risk analysis regarding a new system which the developers plan to bring on-line in three weeks. The director begins by reviewing the thorough and well-written report from the independent contractor who performed a security assessment of the system. The report details what seems to be a manageable volume of infrequently exploited security vulnerabilities.
The likelihood of a malicious attacker exploiting one of the vulnerabilities is low; however, the director still has some reservations about approving the system because of which of the following?
A . The resulting impact of even one attack being realized might cripple the company financially.
B . Government health care regulations for the pharmaceutical industry prevent the director from approving a system with vulnerabilities.
C . The director is new and is being rushed to approve a project before an adequate assessment has been performed.
D . The director should be uncomfortable accepting any security vulnerabilities and should find time to correct them before the system is deployed.
Answer: A