Certified Information Security Manager (CISM) — Question 833

Which of the following provides the BEST evidence that a recently established information security program is effective?

Answer options

• A. The number of reported incidents has increased.
• B. Regular IT balanced scorecards are communicated.
• C. The number of tickets associated with IT incidents have stayed consistent.
• D. Senior management has reported fewer junk emails.

Correct answer: A

Explanation

An increase in the number of reported incidents suggests that employees are more aware of security issues and are actively reporting them, indicating an effective security program. In contrast, the other options either do not directly measure security effectiveness or imply stagnation or lack of awareness, which do not necessarily indicate program success.