Which of the following is the BEST approach for improving information security management processes?
A.
Conduct periodic security audits.
B.
Perform periodic penetration testing.
C.
Define and monitor security metrics.
D.
Survey business units for feedback.
Explanation:
Defining and monitoring security metrics is a good approach to analyze the performance of the security management process since it determines the baseline and evaluates the performance against the baseline to identify an opportunity for improvement. This is a systematic and structured approach to process improvement.
Audits will identify deficiencies in established controls; however, they are not effective in evaluating the overall performance for improvement. Penetration testing will only uncover technical vulnerabilities, and cannot provide a holistic picture of information security management, feedback is subjective and not necessarily reflective of true performance.