The board of directors is not happy with the effectiveness and performance of IT investments in your organization. As a security professional, you are engaging in the improvement initiative to address both business and security requirements in IT investments. Which of the following is the most effective management practice?
A. Conducting cost/benefit analysis
B. Establishing enterprise architecture
C. Developing a comprehensive information security policy
D. Evaluating the trustworthiness of ICT services, products, and suppliers
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Establishing enterprise architecture.
Enterprise architecture is a management practice at the level of business processes that allocates business and security requirements to information system components through engaging business and technical people and facilitating communication.
It is not because IT investments lacking cost/benefit analysis that the board is unhappy. The reason why the board is not happy with the IT investments may be:
- the estimated/expected benefits of cost/benefit analysis are not realized (an execution or performance issue), or
- the cost/benefit analysis itself is not accurate or reliable (effectiveness issue).
You joined the improvement initiative to address both the business and security requirements, so conducting cost/benefit analysis is not the most effective management practice.
Policies direct projects of IT investments, but they are not managing projects.
Supply chain risk management is important but it does not directly address the business and security requirements.