Information Security Best Practices


Question

Information security should be:

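Answers

A. Focused on eliminating all risks
B. A balance between technical and business requirements
C. Driven by regulatory requirements
D. Defined by the board of directors

B.

Explanations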

Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements.

It is not practical or feasible to eliminate all risks.

Regulatory requirements must be considered, but are inputs to the business considerations.

The board of directors does not define information security, but provides direction in support of the business goals and objectives.

The answer to the question is B. Information security should be a balance between technical and business requirements.

Explanation:

A. Focused on eliminating all risks: This is an unrealistic goal because it is impossible to eliminate all risks. Information security professionals should instead focus on reducing risk to an acceptable level.

B. A balance between technical and business requirements: This is the correct answer. Information security is not solely a technical issue, but it is also a business issue. It is important to strike a balance between technical and business requirements to ensure that information security measures are aligned with the overall business objectives and goals.

C. Driven by regulatory requirements: While regulatory requirements are an important factor in information security, they should not be the only driver. Information security should also be driven by the organization's overall risk management strategy and business goals.

D. Defined by the board of directors: While the board of directors plays an important role in setting overall strategy and direction for the organization, it should not be solely responsible for defining information security. Information security should be a collaborative effort between various stakeholders, including IT, legal, risk management, and business units.

In summary, information security should be a balance between technical and business requirements to ensure that security measures are aligned with the overall business objectives and goals.