The BEST reason would be for us to get cost effective assistance who has skills we do not have within the organization. We still need internal key stakeholders who have the detailed knowledge of our organization but getting outside help can help us deliver a better product sooner. Even if we contract external people, they might be responsible for producing a result, but as the Information Security manager or director it is your responsibility to deliver the program. In this case getting outside help would not help with employee redundancy, they are there to help us in areas where we lack the skilled employees. They may, or may not, be able to deliver the program with their knowledge, we simply do not have enough information to see determine if this is a viable option. Even if they could, the questions said, "Best reason", which is the cost effective and knowledge we do not have internally.

When a risk is reduced to an acceptable level is determined by our organizational requirements. We would never base it on the requirements of our IT systems, Information Security or international standards. Those factors may guide us, but they would never be the determining factor.

The cost of the security control should not exceed the asset value. If the cost of a countermeasure is greater than the asset value, we would not implement. We always base our security controls on a cost-benefit analysis. We would use the ALE and the cost of an incident in the analysis, but we would not base the decision on just those. The cost of the security control not exceeding the benefit from the implementation doesn't even make sense.

The main focus of our security audits is to ensure our security controls operate as they should. We would want cost-effective controls, but that is not the purpose of the security audit. It is possible we would want to use the latest technology, but again not something the security audit would look at. Security reviews should look at all controls, not just preventative ones.

The business objectives of our organization are always the most important consideration, that is what everything else is there to enable. The security metrics, goals, performance monitoring, and training and awareness are all there to support the business objectives. Legal and regulatory requirement are important and often part policies and procedures, but they are still not the primary goal of our Information Security strategy.

Part of the risk mitigation report would be risk acceptance, either as an alternative to the mitigation or after the mitigation, we would consider accepting the residual risk. Risk assessments, evaluations and quantifications would be part of the risk analysis we did to make the risk mitigation report, but not part of the report itself.

It is always important to speak to senior management in a language they understand, we need to tie what we do back to the goals, the vision and mission of the business. We can also use cost/benefit analysis, ROI or other big picture terms they are used to. As Information Security managers/CISOs we need to be the translating link between Senior management and the technical staff. If we start talking about successful attacks, technical risks, or security best practices, that is not information they can relate to. We need to talk their language.

If we want to ensure no file sharing with unauthorized users, we would use MAC (Mandatory Access Control). Users without proper access would not be able to access the files, and other users with the proper access can't share them. File sharing with unauthorized users is possible with DAC (Discretionary access control), RBAC (Role-based access control), ABAC (Attribute-based access control).

The MOST secure way to send messages today based on the answer options would be using (PKI) Public Key Infrastructure. Hashing would not make it secure, that would just provide integrity checks. Password protected portable media would be secure, but nowhere near as secure as using PKI. Steganography is hiding a message in an image or audio file; it is mostly security through obscurity.

The MOST important thing in the success of our information security program is senior managements buy-in. The other answer options are secondary to senior management. We would need the awareness training, the achievable goals and objectives, and initial budget and staff, but they are less important. If we do not have the buy-in from senior management, we are less likely to succeed.