The best approach for the information security manager in this situation would be to review the risk assessment with executive management for final input.
Senior management is accountable for ensuring that information is categorized and that specific protective measures are taken. As the highest level of management within an organization, senior management holds the ultimate responsibility for information security and the protection of organizational assets. This includes establishing policies and procedures for information classification and ensuring that appropriate protective measures are implemented.
The challenge/response mechanism is an authentication method that effectively prevents authentication replay attacks.
Monitoring abnormal server communication from inside the organization to external parties can be used to record traces of advanced persistent threats (APTs).
IT-related risk management activities are most effective when they are integrated within business processes.