Evaluating and Selecting Information Security Controls for Changing Business Strategies

Question

When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?

Answers

Explanations

A.

When management changes the enterprise business strategy, it is essential to evaluate the existing information security controls and identify if new information security controls need to be implemented to align with the updated business strategy. This evaluation and selection process should be done through the risk management process.

Risk management is a process of identifying, assessing, and controlling risks that could affect an organization's assets, operations, or reputation. The risk management process consists of several steps, including risk identification, risk assessment, risk response planning, and risk monitoring and review.

In the context of evaluating and selecting new information security controls, the risk management process should follow these steps:

  1. Risk Identification: Identify potential risks that could arise due to the changes in the enterprise business strategy. This could include changes in the types of data processed or stored, changes in the threat landscape, changes in the regulatory environment, etc.

  2. Risk Assessment: Assess the likelihood and impact of the identified risks. This will help determine the level of risk and the potential consequences to the organization.

  3. Risk Response Planning: Develop a plan to mitigate or control the identified risks. This could involve implementing new information security controls or modifying existing controls to align with the updated business strategy.

  4. Risk Monitoring and Review: Continuously monitor the effectiveness of the new information security controls and review them periodically to ensure that they remain aligned with the business strategy.

Change management, access control management, and configuration management are also important processes in information security management, but they do not directly address the evaluation and selection of new information security controls in response to changes in the enterprise business strategy.

Therefore, the correct answer to the question is A. Risk management.