Question 370 of 500 from exam CISM: Certified Information Security Manage

A.

Individual business managers are in the best position to determine the value of information assets since they are most knowledgeable of the assets' impact on the business.

Business systems developers and information security managers are not as knowledgeable regarding the impact on the business.

Peer companies' industry averages do not necessarily provide detailed enough information nor are they as relevant to the unique aspects of the business.

The value of information assets refers to the importance of information in achieving business goals, including the cost of acquisition, storage, protection, and potential loss. Therefore, determining the value of information assets is a crucial component of information security management.

Individual business managers (Option A) may have a limited view of the value of information assets as they tend to focus on their specific business unit's objectives and may not consider the organization's overall objectives. They may also overlook the broader impact of a security breach on the organization's reputation, customer trust, and regulatory compliance.

Business systems analysts (Option B) may provide insights into the technical aspects of information systems and their functionality. Still, they may lack a holistic view of the organization's information assets and their business value.

Information security management (Option C) is responsible for developing and implementing policies, procedures, and controls to protect the organization's information assets. Information security management typically works closely with business units to assess the value of information assets and their associated risks. They consider various factors, such as the cost of data acquisition, maintenance, and protection, the potential impact of data loss, and the value of the data to the organization's business processes, strategic plans, and intellectual property.

Industry averages benchmarking (Option D) may provide some insights into the value of information assets in the industry. However, relying solely on industry averages benchmarking may overlook the specific value of information assets to the organization's business processes, strategic plans, and intellectual property.

In conclusion, the BEST approach to determine the value of information assets is through information security management, which considers the organization's overall objectives and works closely with business units to assess the value of information assets and associated risks.