Reviewing an Organization's Information Security Policy


Question

Which of the following BEST indicates a need to review an organization's information security policy?

Answers

A. Completion of annual IT risk assessment
B. Increasing complexity of business transactions
C. Increasing exceptions approved by management
D. A high number of low-risk findings in the audit report

B.

Explanations

The option that BEST indicates a need to review an organization's information security policy is Option C: Increasing exceptions approved by management.

An information security policy is a crucial element of an organization's security framework that outlines the rules and guidelines for protecting the organization's information assets. It provides a baseline for security controls, defines roles and responsibilities, and communicates the organization's stance on information security to employees, partners, and customers.

An increasing number of exceptions approved by management indicates that the policy may not be adequately addressing the organization's security risks. Exceptions may be granted for a variety of reasons, such as business continuity, operational efficiency, or risk mitigation. However, if the number of exceptions granted keeps rising, it could indicate that the policy is too restrictive, is impractical to follow, or no longer addresses the organization's current security threats.

Option A: Completion of the annual IT risk assessment is a regular exercise that helps organizations identify and prioritize their IT risks. While the results of the risk assessment may highlight areas that need improvement, its completion alone does not necessarily mean that the information security policy needs to be reviewed.

Option B: Increasing complexity of business transactions may require adjustments to the security controls and processes to ensure that the organization's information assets are adequately protected. However, it does not necessarily mean that the information security policy needs to be reviewed.

Option D: A high number of low-risk findings in the audit report may indicate that the organization's security controls are generally effective. However, it does not necessarily mean that the information security policy needs to be reviewed.

In conclusion, the increasing number of exceptions approved by management is the BEST indicator that the organization's information security policy needs to be reviewed. The review should assess whether the policy is still relevant, effective, and aligned with the organization's current security risks and business needs.