Greatest Concern for Information Security Manager | CISM Exam

Question

An information security manager discovers that the organization's new information security policy is not being followed across all departments.

Which of the following should be of GREATEST concern to the information security manager?

Answers

Explanations

A. B. C. D.

C.

As an information security manager, it is of great concern when a new information security policy is not being followed across all departments. This means that the organization is not effectively managing its information security risks, which can result in data breaches, financial losses, reputational damage, and legal consequences.

Out of the four options provided, the option that should be of the GREATEST concern to the information security manager is option B - "Business unit management has not emphasized the importance of the new policy."

This is because, in order for an information security policy to be effective, it must be communicated effectively to all employees, and this communication must come from the top down. If business unit management has not emphasized the importance of the new policy, it is unlikely that employees will take the policy seriously or feel compelled to follow it.

The other options listed are also important factors to consider, but they are not as critical as option B. Option A suggests that different communication methods may be required for each business unit, which is a valid consideration, but it is not as important as ensuring that the policy is being emphasized by business unit management. Option C suggests that the controls in the policy may be viewed as prohibitive to business operations, which is also important to address, but it is not as critical as ensuring that the policy is being followed. Option D suggests that the wording of the policy may not be tailored to the audience, which is important for effective communication, but it is not as critical as ensuring that the policy is being emphasized by business unit management.

In summary, an information security manager should be most concerned if business unit management has not emphasized the importance of the new information security policy, as this can significantly impact the effectiveness of the policy and increase the organization's risk of security incidents.