An organization’s information security strategy should be based on:
A . managing risk relative to business objectives.
B . managing risk to a zero level and minimizing insurance premiums.
C . avoiding occurrence of risks so that insurance is not required.
D . transferring most risks to insurers and saving on control costs.
Answer: A
Explanation:
Organizations must manage risks to a level that is acceptable for their business model, goals and objectives. A zero-level approach may be costly and not provide the effective benefit of additional revenue to the organization. Long-term maintenance of this approach may not be cost effective. Risks vary as business models, geography, and regulatory- and operational processes change. Insurance covers only a small portion of risks and requires that the organization have certain operational controls in place.