PrepAway - Latest Free Exam Questions & Answers

Measures of security risk should:

An IS auditor is reviewing an IT security risk management program. Measures of security risk
should:

A. address all of the network risks.

B. be tracked over time against the IT strategic plan.

C. take into account the entire IT environment.

D. result in the identification of vulnerability tolerances.

Explanation:
When assessing IT security risk, it is important to take into account the entire IT environment.
Measures of security risk should focus on those areas with the highest criticality so as to achieve
maximum risk reduction at the lowest possible cost. IT strategic plans are not granular enough to
provide appropriate measures. Objective metrics must be tracked over time against measurable
goals; thus, the management of risk is enhanced by comparing today’s results against last week,
last month and last quarter. Risk measures will profile assets on a network to objectively measure
vulnerability risk. They do not identify tolerances.

