A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures? 

Answer options:

A. Risk analysis results
B. Audit report findings
C. Penetration test results
D. Amount of IT budget available

A

Risk analysis results are the most useful and complete source of information for determining the amount of resources to devote to mitigating exposures. Audit report findings may not address all risks and do not address annual loss frequency. Penetration test results provide only a limited view of exposures, while the IT budget is not tied to the exposures faced by the organization.