The answer should be C.
Choice A would have been correct if the question was 'How badly information security requirements are incorporated', choice B - not at all incorporated.
C is the answer. An incident may not occur at all for a long time, but the denied number of changes in change control due to lack of security shows the volume of change requests coming in and getting denied.
The question is about how well IS requirements are incorporated, so, for that, denied changes due to insufficient security details. If we wanted to know how bad we are doing, the metric would be A.
"A" would be ideal if we want to determine how lazy we are at integrating IS in change management. Waiting for a bad thing to happen shows we are weak, not wellness.
C. Denied changes due to insufficient security details.
This metric focuses on changes that are denied or rejected specifically because they lack sufficient security details. It indicates that the change management process is actively assessing whether proposed changes adequately address information security requirements.
By tracking and monitoring the number of denied changes due to insufficient security details, an organization can gauge the effectiveness of its change management process in ensuring that information security requirements are properly incorporated. If a significant number of changes are being denied or rejected because their security details are insufficient, it suggests that the change management process is effectively considering and enforcing information security requirements. This metric encourages stakeholders to provide the necessary security details when proposing changes, reinforcing the importance of incorporating information security into the change management process.
C. Denied changes due to insufficient security details
This metric measures the number of changes that were denied or rejected specifically because they lacked sufficient security details. Monitoring denied changes due to insufficient security details provides a direct indication of the effectiveness of incorporating information security requirements into the change management process. It shows that changes without adequate security considerations are being rejected, indicating a proactive approach to information security.
When security requirements are not incorporated into change management processes, any vulnerabilities introduced during changes may go undetected, leading to security incidents. Therefore, 'security incidents due to unauthorized changes' is the best metric in here.
That would measure "how bad", not "how well" as the question states. Therefore the correct answer is C.