A large company wants to address frequent outages on critical systems with a secure configurations program. The Chief Information Security Officer (CISO) has asked the analysts to conduct research and make recommendations for a cost-effective solution with the least amount of disruption to the business. Which of the following would be the BEST way to achieve these goals?

A. Adopt the CIS security controls as a framework, apply configurations to all assets, and then notify asset owners of the change.

B. Coordinate with asset owners to assess the impact of the CIS critical security controls, perform testing, and then implement across the enterprise.

C. Recommend multiple security controls depending on business unit needs, and then apply configurations according to the organization's risk tolerance.

D. Ask asset owners which configurations they would like, compile the responses, and then present all options to the CISO for approval to implement.