A successful information security management program should use which of the following to
determine the amount of resources devoted to mitigating exposures?

A.
Risk analysis results

B.
Audit report findings

C.
Penetration test results

D.
Amount of IT budget available

Explanation:

Risk analysis results are the most useful and complete source of information for determining the
amount of resources to devote to mitigating exposures. Audit report findings may not address all
risks and do not address annual loss frequency. Penetration test results provide only a limited
view of exposures, while the IT budget is not tied to the exposures faced by the organization.