An information security manager is developing a business case for an investment in an information security control.
The FIRST step should be to:
A. research vendor pricing
B. assess the potential impact to the organization
C. demonstrate increased productivity of security staff
D. gain audit buy-in for the security control

Correct answer: B.
When developing a business case for an investment in an information security control, the FIRST step should be to assess the potential impact to the organization (Answer B).
Assessing the potential impact to the organization comes first because it identifies the risks the control is meant to address and the benefits the investment would bring, and it ties the investment to the organization's overall business objectives. This step involves identifying the critical assets the security control is designed to protect, the threats to those assets, and the likelihood and potential impact of those threats materializing.
A thorough impact assessment lets the information security manager determine the level of investment needed to mitigate the identified risks and the benefits the organization can expect in return. It also shows whether the investment is viable at all and, if so, which security control is the most appropriate to implement.
Researching vendor pricing (Answer A), demonstrating increased productivity of security staff (Answer C), and gaining audit buy-in for the security control (Answer D) are important steps in developing a business case, but they should only be considered after assessing the potential impact to the organization. These steps are part of the broader process of building a compelling business case that demonstrates the value of the investment to the organization.