If a database administrator discovers that web traffic for a corporate address book is not encrypted, what is the most appropriate initial action?

Prepare for the CISSP Domain 4 exam. Study with multiple-choice questions on risk and control monitoring and reporting. Get ready for your CISSP certification!

The most appropriate initial action when a database administrator discovers unencrypted web traffic for a corporate address book is to notify the business owner and propose an addition to the risk register. This approach ensures that the relevant stakeholders are made aware of a potential security vulnerability that could expose sensitive information to threats like eavesdropping or data interception.

Updating the risk register is a critical step as it provides a formal mechanism for tracking risks and vulnerabilities within an organization. It allows for a documented assessment of the potential impact of the unencrypted traffic, helps prioritize remediation efforts, and keeps the ownership of the issue transparent. Engaging the business owner is important since they have the authority to allocate resources for addressing the risk and can also make an informed decision about the business implications of the risk.

This choice highlights the importance of strengthening communication and reporting channels within an organization regarding security issues, ensuring that risks are managed proactively rather than reactively. By proposing an update to the risk register, the administrator is taking the first step in a structured approach to risk management that involves assessing risk, gaining necessary approvals for changes, and eventually implementing appropriate controls.
