When justifying costs related to controls, the BEST information to present to business control owners would be the return on IT security-related investments (option A).
Here's why:
Return on IT security-related investments refers to the measurable benefits or gains that the organization will receive from investing in information security controls. It provides a clear picture of the value of the investment and helps the business control owners to assess the effectiveness and efficiency of the controls. By presenting this information, the business control owners can understand how the controls can benefit the organization and how the investment aligns with the business objectives.
On the other hand, the previous year's budget and actuals (option B) may not be the best information to present because it does not necessarily reflect the effectiveness of the controls or the benefits that the organization can receive from investing in them. It only shows how much money was spent in the previous year, and may not provide enough justification for future investments.
Similarly, industry benchmarks and standards (option C) may not be the best information to present because they are only general guidelines and may not be specific to the organization's needs. The business control owners may require more detailed information about the benefits of specific controls in their organization, which may not be covered by industry benchmarks and standards.
Loss event frequency and magnitude (option D) may not be the best information to present because it only shows the potential negative consequences of not having the controls in place. It does not provide a positive rationale for investing in controls, and may not be the most effective way to convince business control owners to invest in controls.
A. Return on IT security-related investments
Providing a clear demonstration of the return on investment (ROI) for security-related controls helps business control owners understand the value and benefits these investments bring to the organization. This information shows how the controls contribute to risk reduction, cost savings, and protection against potential losses. It directly ties the control costs to their impact on the organization's overall financial health and stability.
A. Return on IT security-related investments.
The best information to present to business control owners when justifying costs related to controls is the "Return on IT security-related investments." This information demonstrates the tangible value that the proposed controls can bring to the organization. It showcases how the investment in controls can lead to reduced risks, minimized potential losses, improved operational efficiency, and overall better protection of assets and data.
While the other options (previous year's budget and actuals, industry benchmarks and standards, loss event frequency and magnitude) are relevant in various aspects of budgeting and risk management, demonstrating the return on investment specifically addresses the concerns of control owners by showing the positive impact of the controls on the organization's outcomes.
Going with "A"; this option shows the negative and positive sides of controls cost. Risk owners can know the benefit of controls to the organization in minimizing risks in comparison to the impact. Option "D" shows the negative side of the issue.
Revenue generation is the job of the business.
Risk mitigation is to protect what the business has. it is not an investment that can generate revenue or profit. This is basically loss avoidance (which in itself could be considered as revenue generation, but it is not).
The question did not specify that it was limited to IT. You are looking to show management what the loss/impact would be compared to the cost of the control. D seems the best answer.
Answer A makes better sense then again this is ISACA CRISC.
upvoted 4 times
...
This section is not available anymore. Please use the main Exam Page.CRISC Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
6ada4e1
10 months, 3 weeks agoSuperMax
1 year, 1 month agoSuperMax
1 year, 1 month agoeblue
1 year, 3 months agoStaanlee
1 year, 3 months agomraiyan
1 year, 6 months agojseeker
1 year, 8 months agoKoulyo
1 year, 8 months agoCbtL
1 year, 8 months agojohn_boogieman
1 year, 10 months agoAnnyp
2 years, 1 month agofora
2 years, 9 months agoRaj1510
2 years, 11 months agoJosh93
3 years, 8 months agoIcs2Pass
3 years, 9 months agoSbills
3 years, 10 months agoRooks
4 years, 3 months ago