A.Service levels for security vendors are defined according to business needs.

B.Security performance metrics are measured against business objectives.

C.Impact is measured according to business loss when assessing IT risk.

D.Security policies are reviewed whenever business objectives are changed.

A.Perform a gap analysis of the new requirements.

B.Treat the new requirements as an operational issue.

C.Implement the new requirements immediately.

D.Escalate the issue to senior management.

A.Requiring cross-functional information security training

B.Implementing user awareness campaigns for the entire company

C.Publishing an acceptable use policy

D.Establishing security policies based on industry standards

A.Historical security incidents

B.Current vulnerability metrics

C.Return on security investment

D.Completed business impact analyses (BIAs)

A.Assessing the current state of information security

B.Aligning with industry best practice frameworks

C.Aligning with the information security strategy

D.Assessing the availability of information security resources