When a security standard conflicts with a business objective, the situation should be resolved by:
A . changing the security standard.
B . changing the business objective.
C . performing a risk analysis.
D . authorizing a risk acceptance.
Answer: C
Explanation:
Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance* is a process that derives from the risk analysis.