The PRIMARY goal in developing an information security strategy is to:
Correct answer: D.
The business objectives of the organization supersede all other factors.
Establishing metrics and measuring performance, meeting legal and regulatory requirements, and educating business process owners are all subordinate to this overall goal.
The PRIMARY goal of developing an information security strategy is to support the business objectives of the organization (Option D).
An information security strategy is a comprehensive plan that outlines the steps that an organization takes to protect its information assets. It includes policies, procedures, guidelines, and technical measures that are designed to ensure the confidentiality, integrity, and availability of information.
In developing an information security strategy, it is important to align the strategy with the business objectives of the organization. The purpose of information security is to support the business, not to hinder it. The information security strategy should be developed with the understanding that information security risks are just one aspect of the overall business risk profile, and that the goal is to balance the need for security with the need for business agility.
Establishing security metrics and performance monitoring (Option A) is an important part of an information security strategy, but it is not the primary goal. Metrics and monitoring are tools that can be used to measure the effectiveness of the information security program, but they do not provide direction on how to develop the program.
Educating business process owners regarding their duties (Option B) is also important, but it is not the primary goal. Education is a critical component of any information security program, but it is a means to an end, not an end in itself.
Ensuring that legal and regulatory requirements are met (Option C) is another important aspect of an information security strategy, but it is not the primary goal. Compliance with legal and regulatory requirements is necessary, but it is not sufficient to ensure the security of an organization's information assets. Compliance should be seen as a baseline, not a goal.