An internal audit has identified major weaknesses over IT processing. Which of the following
should an information security manager use to BEST convey a sense of urgency to management?
A. Security metrics reports
B. Risk assessment reports
C. Business impact analysis (BIA)
D. Return on security investment report
Explanation:
Performing a risk assessment will allow the information security manager to prioritize the remedial
measures and provide a means to convey a sense of urgency to management. Metrics reports are
normally contained within the methodology of the risk assessment to give it credibility and provide
an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on
security investment cannot be determined until a plan is developed based on the BIA.