Which of the following would BEST assist an information security manager in measuring the
existing level of development of security processes against their desired state?
A. Security audit reports
B. Balanced scorecard
C. Capability maturity model (CMM)
D. Systems and business security architecture
Explanation:
The capability maturity model (CMM) grades each defined area of security processes on a scale of
0 to 5 based on its maturity, and is commonly used by entities to measure their existing state
and then determine the desired one. Security audit reports offer a limited view of the current state
of security. A balanced scorecard is a document that enables management to measure the
implementation of their strategy and assists in its translation into action. Systems and business
security architecture explains the security architecture of an entity in terms of business strategy,
objectives, relationships, risks, constraints and enablers, and provides a business-driven and
business-focused view of security architecture.