Explanation
Risk analysis results are the most useful and complete source of information for determining the amount of resources to devote to mitigating exposures. Audit report findings may not address all risks and do not address annual loss frequency. Penetration test results provide only a limited view of exposures, while the IT budget is not tied to the exposures faced by the organization.

Explanation
Operational risk assessment, financial crime metrics and capacity management can complement the information security framework, but only business continuity management is a key component.

Explanation/Reference:
Explanation:
In developing an information security management program, the first step is to clarify the organization's purpose for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. After clarifying the purpose, the other choices are assigned and acted upon.

Explanation
Assessing the problems and instituting rollback procedures as needed would be the best course of action.
Choices B and C would not identify where the problem was, and may in fact make the problem worse. Choice D is part of the assessment.