Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?

A.
Continuous analysis, monitoring and feedback

B.
Continuous monitoring of the return on security investment (ROSI)

C.
Continuous risk reduction

D.
Key risk indicator (KRI) setup to security management processes

Explanation:
To improve the governance framework and achieve a higher level of maturity, an organization needs to conduct continuous analysis, monitoring and feedback compared to the current state of maturity. Return on security investment (ROSI) may show the performance result of the security- related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives. Thus, it may not be an adequate option. Continuous risk reduction would demonstrate the effectiveness of the security governance framework, but does not indicate a higher level of maturity. Key risk indicator (KRI) setup is a tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.