PrepAway - Latest Free Exam Questions & Answers

Which of the following is the BEST approach for improving information security management processes?


A. Conduct periodic security audits.

B. Perform periodic penetration testing.

C. Define and monitor security metrics.

D. Survey business units for feedback.

Explanation:

Defining and monitoring security metrics is a good approach for analyzing the performance of the
security management process, since it determines the baseline and evaluates performance
against that baseline to identify opportunities for improvement. This is a systematic and structured
approach to process improvement. Audits will identify deficiencies in established controls;
however, they are not effective in evaluating overall performance for improvement. Penetration
testing will only uncover technical vulnerabilities and cannot provide a holistic picture of
information security management. Feedback is subjective and not necessarily reflective of true
performance.

