An information security manager must understand the relationship between information security
and business operations in order to:

A.
support organizational objectives.

B.
determine likely areas of noncompliance.

C.
assess the possible impacts of compromise.

D.
understand the threats to the business.

Explanation:

Security exists to provide a level of predictability for operations, support for the activities of the
organization and to ensure preservation of the organization. Business operations must be the
driver for security activities in order to set meaningful objectives, determine and manage the risks
to those activities, and provide a basis to measure the effectiveness of and provide guidance to
the security program. Regulatory compliance may or may not be an organizational requirement. If
compliance is a requirement, some level of compliance must be supported but compliance is only
one aspect. It is necessary to understand the business goals in order to assess potential impacts
and evaluate threats. These are some of the ways in which security supports organizational
objectives, but they are not the only ways.