CISA Exam Questions

CISA Exam - Question 475


Which of the following is the BEST indication that an information security program is aligned with organizational objectives?

Correct Answer: C

The best indication that an information security program is aligned with organizational objectives is when risk is managed to within organizational tolerances. This means the organization is taking into account its strategic goals and ensuring that the level of risk is acceptable within those parameters, directly reflecting the organization's priorities and objectives.

Discussion

Changwha (Option: C)
Jul 21, 2023

C. Risk is managed to within organizational tolerances.

Swallows (Option: C)
Jun 9, 2024

While having information security processes in place throughout the system development life cycle (SDLC) (option D) is important for building security into the organization's systems and applications, it may not necessarily guarantee alignment with organizational objectives. However, managing risk to within organizational tolerances directly reflects the organization's strategic priorities and ensures that the information security program is contributing to the achievement of those objectives. Therefore, option C is the BEST indication of alignment with organizational objectives.

Swallows
Jul 7, 2024

While senior management conducting regular reviews of information security policies (option A) is important for oversight and governance, it does not necessarily guarantee that security activities are aligned with organizational objectives in terms of risk management and strategic alignment.