An organization’s information security strategy should be based on:
A. managing risk relative to business objectives.
B. managing risk to a zero level and minimizing insurance premiums.
C. avoiding occurrence of risks so that insurance is not required.
D. transferring most risks to insurers and saving on control costs.
Explanation:
Organizations must manage risks to a level that is acceptable for their business model, goals and objectives. A zero-level approach may be costly and may not provide the effective benefit of additional revenue to the organization; long-term maintenance of this approach may not be cost effective. Risks vary as business models, geography, and regulatory and operational processes change. Insurance covers only a small portion of risks and requires that the organization have certain operational controls in place.