Information Security Strategy Objectives | CISM Exam Preparation


Question

The MOST useful way to describe the objectives in the information security strategy is through:

Correct answer: A.

Explanation

Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired.

Control objectives are developed after strategy and policy development.

Mapping IT systems to key business processes does not address strategy issues.

Calculation of annual loss expectations would not describe the objectives in the information security strategy.

The MOST useful way to describe the objectives in the information security strategy is through attributes and characteristics of the desired state. Option A is the correct answer.

Attributes and characteristics of the desired state describe the end goal an organization wants to reach in terms of information security. This approach lets the organization define clearly what it wants to achieve, where it currently falls short, and how it intends to close that gap.

By describing the desired state in terms of attributes and characteristics, an organization can identify the specific security objectives it wants to accomplish. These objectives could include ensuring confidentiality, maintaining data integrity, and ensuring the availability of information systems.

This approach also allows for the development of specific measures to achieve the desired state. For example, an organization may need to implement a security awareness training program for employees or implement encryption technologies to maintain data confidentiality.

Overall control objectives of the security program (Option B) are useful in identifying the key security controls required to protect an organization's assets. However, these objectives may not provide a clear picture of what the organization is trying to achieve in terms of information security.

Mapping IT systems to key business processes (Option C) is useful for identifying the relationship between IT systems and the organization's business operations. However, this approach may not provide a comprehensive understanding of the organization's security objectives.

Calculation of annual loss expectations (Option D) is useful for estimating the potential financial losses from security breaches. However, it does not provide a clear understanding of the organization's security objectives and is of limited use in developing a comprehensive information security strategy.

Therefore, describing the objectives in the information security strategy through attributes and characteristics of the desired state is the most useful approach, because it allows specific measures to be developed to reach that desired state.