Operational Readiness to Address Information Security Risk Issues

Demonstrating Operational Readiness

Question

Which of the following MOST effectively demonstrates operational readiness to address information security risk issues?

Answers

Explanations

A. B. C. D.

B.

The most effective demonstration of operational readiness to address information security risk issues is option B: procedures have been established for assessing and mitigating information security risks.

Here's why:

Option A, which is executive management announcing an information security risk initiative, shows the intent to address information security risks, but it doesn't necessarily mean that the organization is ready or equipped to manage and mitigate those risks.

Option C, which is IT management communicating the need for information security risk management to the business, is important, but again, it doesn't demonstrate operational readiness or actual implementation of risk management practices.

Option D, which is a policy stating enterprise commitment and readiness to address information security risk, is important but on its own is not enough. The policy needs to be accompanied by actual procedures and processes to manage and mitigate risks.

On the other hand, option B demonstrates that the organization has established specific procedures for assessing and mitigating information security risks. This shows that the organization has gone beyond just stating its intent to address risks and has actually taken concrete steps to ensure operational readiness to manage and mitigate information security risks.

In summary, while all the options are important for information security risk management, having established procedures for assessing and mitigating information security risks is the most effective demonstration of operational readiness.