Reviewing which of the following would BEST ensure that security controls are effective?
A.
Risk assessment policies
B.
Return on security investment
C.
Security metrics
D.
User access rights
Explanation:
Reviewing security metrics provides senior management a snapshot view and trends of an
organization’s security posture. Choice A is incorrect because reviewing risk assessment policies
would not ensure that the controls are actually working. Choice B is incorrect because reviewing
returns on security investments provides business justifications in implementing controls, but does
not measure effectiveness of the control itself. Choice D is incorrect because reviewing user
access rights is a joint responsibility of the data custodian and the data owner, and does not
measure control effectiveness.