Section: INCIDENT MANAGEMENT AND RESPONSE

Explanation/Reference:
Explanation:
A security program enabling business activities would be most helpful to achieve alignment between information security and organization objectives. All of the other choices are part of the security program and would not individually and directly help as much as the security program.

Threat and vulnerability assessments are important PRIMARILY because they are the basis for setting control objectives. Control objectives are the desired outcomes or goals of implementing security controls in an information system. They are derived from the risk assessment process, which identifies and evaluates the threats and vulnerabilities that could affect the system's confidentiality, integrity and availability. By conducting threat and vulnerability assessments, an organization can determine the level of risk it faces and establish the appropriate control objectives to mitigate those risks.

Restricting the ability of a PC to allocate new drive letters ensures that universal serial bus (USB) drives or even CD-writers cannot be attached as they would not be recognized by the operating system. Disabling USB ports on all machines is not practical since mice and other peripherals depend on these connections. Awareness training and sanctions do not prevent copying of information nor do access controls.

Explanation
According to the CISM Review Manual, the most important metric to present to senior management when reporting on the performance of a risk mitigation initiative is the cost and associated risk reduction, as it demonstrates the value and effectiveness of the initiative in terms of reducing the likelihood and impact of the risk. The other metrics may be useful for comparison or analysis, but they do not directly measure the performance of the initiative.
References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.3.2, page 2091.