Certified Information Security Manager (CISM) — Question 253
When establishing metrics for an information security program, the BEST approach is to identify indicators that:
Answer options
- A. support major information security initiatives.
- B. reflect the corporate risk culture.
- C. reduce information security program spending.
- D. demonstrate the effectiveness of the security program.
Correct answer: D
Explanation
The best approach to establishing metrics is to identify indicators that demonstrate the effectiveness of the security program, because such indicators directly assess its impact and success. While supporting initiatives (A), reflecting risk culture (B), and reducing spending (C) are important considerations, they do not directly measure the security program's effectiveness.