To determine the selection of controls required to meet business objectives, an information security manager should:
Correct answer: B.
Key controls primarily reduce risk and are most effective for the protection of information assets.
The other choices could be examples of possible key controls.
To determine the selection of controls required to meet business objectives, an information security manager should focus on key controls.
Explanation:
The process of selecting controls is an essential part of an organization's information security management system (ISMS). The ISMS must ensure that the selected controls effectively mitigate the risks associated with the organization's information assets, considering the organization's business objectives.
The selection of controls must be based on a risk assessment, where the organization identifies and analyzes the risks to its information assets. Based on this assessment, the organization should select controls that are appropriate to its risk profile and business objectives.
In this context, focusing on key controls is a recommended approach. Key controls are those that are critical to the organization's risk management strategy and are essential to achieving its business objectives. They are controls that have a high impact on the organization's ability to protect its information assets, and their failure can have significant consequences.
By prioritizing the key controls, an information security manager can ensure that the organization's most critical risks are mitigated effectively, while also ensuring that the controls selected align with the organization's business objectives. Additionally, the focus on key controls can help the organization make efficient use of its resources and avoid unnecessary complexity in its control environment.
Therefore, Option B is the most appropriate answer: "focus on key controls." The other options - prioritize the use of role-based access controls, restrict controls to only critical applications, and focus on automated controls - are not comprehensive enough and may not be sufficient to meet the organization's risk management needs.