Implementing Security Controls: Focus Areas for Information Security Managers

Primary Focus Areas for Implementing Security Controls

Question

When implementing security controls, an information security manager must PRIMARILY focus on:

Answers

Explanations

A. B. C. D.

A.

Security controls must be compatible with business needs.

It is not feasible to eliminate all vulnerabilities.

Usage by similar organizations does not guarantee that controls are adequate.

Certification by a third party is important, but not a primary concern.

When implementing security controls, the primary focus of an information security manager should be to minimize operational impacts.

Security controls are put in place to protect an organization's assets, such as its data, systems, and intellectual property. However, security controls can also have unintended consequences on an organization's operations. For example, security controls that require additional steps or authentication procedures may slow down business processes and affect productivity. Therefore, it's important for an information security manager to balance security needs with operational requirements.

Eliminating all vulnerabilities may seem like a desirable goal, but it's often impractical or impossible to achieve. Security vulnerabilities can come from a wide variety of sources, including hardware, software, and human factors. It's important to prioritize vulnerabilities based on their severity and the potential impact they could have on the organization. An information security manager should focus on implementing controls that address the most critical vulnerabilities while acknowledging that some level of risk may remain.

Usage by similar organizations is not a primary consideration when implementing security controls. While it can be helpful to learn from the experiences of others, each organization has unique security requirements based on factors such as its industry, size, and risk appetite. Security controls should be tailored to an organization's specific needs and not simply copied from others.

Certification from a third party can provide assurance that an organization's security controls meet certain standards or compliance requirements. However, certification should not be the primary focus when implementing security controls. Certification can be a valuable tool for demonstrating to stakeholders that an organization takes security seriously, but it should not be the sole motivation for implementing security controls.

In summary, an information security manager must primarily focus on minimizing operational impacts when implementing security controls, while also prioritizing vulnerabilities, tailoring controls to the organization's specific needs, and considering certification as a helpful tool but not the primary goal.