Which of the following is MOST appropriate for inclusion in an information security strategy?

A.
Business controls designated as key controls

B.
Security processes, methods, tools and techniques

C.
Firewall rule sets, network defaults and intrusion detection system (IDS) settings

D.
Budget estimates to acquire specific security tools

Explanation:

A set of security objectives, processes, methods, tools and techniques together constitute a
security strategy. Although IT and business governance are intertwined, business controls may not
be included in a security strategy. Budgets will generally not be included in an information security
strategy. Additionally, until information security strategy is formulated and implemented, specific
tools will not be identified and specific cost estimates will not be available. Firewall rule sets,
network defaults and intrusion detection system (IDS) settings are technical details subject to
periodic change, and are not appropriate content for a strategy document.