Conflicting objectives are MOST likely to compromise the effectiveness of the information security process when information security management is:
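A. reporting to the network infrastructure manager.
B. outside of information technology.
C. partially staffed by external security consultants.
D. combined with the change management function.

Answer: D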
Conflicting objectives in information security management can compromise the effectiveness of the information security process when security management is combined with other functions or is not managed properly. In this context, the answer is D - combined with the change management function.
Change management is the process of managing changes to an organization's information systems, applications, and infrastructure. It involves the evaluation, testing, approval, and implementation of changes. Information security management, on the other hand, is the process of protecting the organization's information assets from threats, vulnerabilities, and attacks.
When information security management is combined with the change management function, there can be conflicting objectives. For example, change management may prioritize the timely implementation of changes to support business objectives, while information security management may prioritize the protection of information assets, even if it means delaying or rejecting changes that may introduce security risks.
Moreover, change management may involve various stakeholders, including business owners, IT staff, and external vendors. These stakeholders may have different priorities, perspectives, and interests. Some may prioritize functionality over security, while others may prioritize security over functionality. These conflicting objectives can make it challenging to implement effective security controls that balance security and business needs.
Therefore, combining information security management with the change management function can compromise the effectiveness of the information security process by introducing conflicting objectives, priorities, and interests that may undermine the security posture of the organization.
In contrast, options A, B, and C may not necessarily lead to conflicting objectives in information security management. Reporting to the network infrastructure manager (A) may align security objectives with infrastructure objectives, as long as the network manager recognizes the importance of information security. Being outside of information technology (B) may provide more independence and objectivity to information security management, as long as there is a clear mandate and support from top management. Partially staffed by external security consultants (C) may bring in specialized expertise and knowledge that can complement internal staff and enhance the effectiveness of information security management, as long as the consultants follow the organization's policies and procedures.