When considering the value of assets, which of the following would give the information security
manager the MOST objective basis for measurement of value delivery in information security
governance?
A.
Number of controls
B.
Cost of achieving control objectives
C.
Effectiveness of controls
D.
Test results of controls
Explanation:
Comparison of cost of achievement of control objectives and corresponding value of assets sought
to be protected would provide a sound basis for the information security manager to measure
value delivery. Number of controls has no correlation with the value of assets unless the
effectiveness of the controls and their cost are also evaluated. Effectiveness of controls has no
correlation with the value of assets unless their costs are also evaluated. Test results of controls
have no correlation with the value of assets unless the effectiveness of the controls and their cost
are also evaluated.