Introducing the business case and the feasibility study
A business case is a justification for a proposed project. The business case is prepared to justify the effort and investment in a proposed project. It captures the reasoning for initiating a project or task. Generally, the business case is the precursor to the start of the project.
The business case is a key element in decision-making for any project. The proposed returns on investments (ROIs), along with any other expected benefits, are the most important consideration for decision-making in any new project.
The first step of developing a business case is to define the need and justification of the problem.
Feasibility analysis
A feasibility study is an analysis that takes various factors into account, including economic, technical, and legal factors, to ascertain the likelihood of completing the project successfully.
The feasibility study should consider how the project will impact the organization in terms of risks, costs, and benefits. It helps to assess whether a solution is practical and achievable within the established budgets and schedule requirements.
Key aspects from the CISM exam perspective
The following are some of the key aspects from the CISM exam perspective:
Table 1.7 – Key aspects from the CISM exam perspective
Questions
- What should a business case primarily include?
A. An appropriate justification.
B. Results of a gap analysis.
C. Legal requirements.
D. Expected annual loss.
Answer: A. An appropriate justification.
Explanation: The objective of a business case is to justify the implementation of a new project. Its justification can be either the results of a gap analysis, legal requirements, the expected annual loss, or any other reason.
- What is the first step of developing a business case?
A. To determine the budget.
B. To determine the vendor.
C. To define the need.
D. To determine the cost-efficiency.
Answer: C. To define the need.
Explanation: Without defining the need for the new project, the other options of the business case cannot be evaluated and determined. The first step of developing a business case is to define the need and the justification of the project.
- For implementing a new project, support from senior management can be obtained by which of the following?
A. Conducting a risk assessment.
B. Explaining regulatory requirements.
C. Developing a business case.
D. Selecting the latest technology.
Answer: C. Developing a business case.
Explanation: The business case contains the need and justification for the project. It will be the most important document to gain support from senior management. The other options will not be as effective as the business case.
- What are the main criteria for selecting a security technology?
A. The technology can mitigate the risk.
B. The technology is widely accepted in industry.
C. It is the latest available technology.
D. The technology provides benefits in comparison to its costs.
Answer: D. The technology provides benefits in comparison to its costs.
Explanation: The technology should provide benefits by mitigating risks and at the same time should be cost-efficient. The technology should be effective as well as efficient. If the technology is not cost-effective, then it will not be meaningful, even if it mitigates the risk.
- Which of the following is the lowest concern for information security managers?
A. Technical requirements.
B. Regulatory requirements.
C. Privacy requirements.
D. Business requirements.
Answer: A. Technical requirements.
Explanation: Business requirements are the most important aspect for an information security manager, followed by privacy and other regulatory requirements. The other options (regulatory requirements, business requirements, and privacy requirements) are more important for a security manager as compared to technical requirements.
- What is the most effective report while proposing the implementation of a new security solution?
A. A vendor evaluation report.
B. A risk analysis report.
C. A business case.
D. A budget utilization report.
Answer: C. A business case.
Explanation: A business case contains the need and justification of the proposed project. It helps to illustrate the costs and benefits of the project. The other options can be considered as part of the information required in the business case.
- What is the biggest challenge in preparing the business case for obtaining approval from senior management for new security projects?
A. To make the senior management understand the technical aspects of security.
B. To demonstrate values and benefits.
C. To present various risk scenarios.
D. To provide comparative data of the industry.
Answer: B. To demonstrate values and benefits.
Explanation: It is very important and challenging to include the values and benefits in a business case in such a way as to convince the senior management. Technical aspects are generally not covered in a business case. Risk scenarios and comparative data is used to demonstrate values and benefits.
- What is the best way to obtain support from senior management for information security initiatives?
A. Develop and present a business case.
B. Present various risk scenarios.
C. Demonstrate the financial benefit of the project.
D. Align the security initiative to the organization's goals.
Answer: A. Develop and present a business case.
Explanation: All the options are important, but a significant aspect is developing and presenting a business case to demonstrate that the security initiative is aligned to the organization's goal and provides value to the organization. A business case includes all of the other options.
- Which of the following is the first step for the development of a business case?
A. To conduct an industry survey.
B. To work out the ROI.
C. To evaluate cost-effective alternatives.
D. To define the issues to be addressed.
Answer: D. To define the issues to be addressed.
Explanation: The first step for the development of a business case is to understand the issues that need to be addressed. Without clear requirements being defined, the other options may not add value.
- What is a business case primarily based on?
A. Various risk scenarios.
B. The predicted ROI.
C. Organizational objectives.
D. The feasibility and value proposition.
Answer: D. The feasibility and value proposition.
Explanation: The most important basis for developing a business case is the feasibility and value proposition. It helps to determine whether a project should be implemented. The feasibility and value proposition indicates whether the project will be able to address risk with effective ROIs and whether it will help to achieve organizational objectives.
- What is the best way to address the reluctance of the senior management in providing a budget for new security initiatives?
A. To develop and present a business case.
B. To develop various risk scenarios.
C. To let the user management take the initiative.
D. To organize security awareness training for the senior management.
Answer: A. To develop and present a business case.
Explanation: A business case is the best way to present the link between a new security project and organization's business objectives. Senior management is keen to protect and achieve the business objectives. If they see value in the project in terms of business support, there will not be any reluctance. Risk scenarios should be considered as a part of the business case. The other options will not be effective to address their concerns.
- The information security manager is evaluating two technologies to address a particular risk and is required to select one for implementation. What is the best approach for the security manager with a limited budget to choose between the two technologies?
A. A risk assessment.
B. A business impact analysis.
C. An ROI prediction.
D. A cost-benefit analysis.
Answer: D. A cost-benefit analysis.
Explanation: A cost-benefit analysis will be the best approach to inform a decision. Cost-benefit analyses indicate the cost of implementing the control and its expected benefits. The cost of a control should not exceed the benefit to be derived from it. A risk assessment is a step prior to the evaluation and implementation of a control. In security parlance, ROI is difficult to calculate, as returns are in terms of safety and security.
- How is an information security program best justified?
A. An impact analysis.
B. A detailed business case.
C. Industry benchmarks
D. Acceptance by users.
Answer: B. A detailed business case.
Explanation: A business case is the justification for the implementation of the program. It contains a rationale for making an investment. It indicates the cost of the project and its expected benefits. The other options by themselves are not sufficient to justify the information security program. User acceptance may not always be reliable for a security program, as security and performance often clash.
- What factor is most likely to persuade the management of the approval of a new information security budget?
A. A detailed risk assessment.
B. Risk treatment options.
C. A well-developed business case.
D. Calculating the future value of a current budget
Answer: C. A well-developed business case.
Explanation: A business case is the justification for the implementation of the security program. It contains a rationale for making an investment. It indicates the cost of the project and its expected benefits. The other options by themselves are not sufficient to justify the information security budget.
- Which of the following is the most important thing to consider in the development of a business case?
A. Various risk scenarios.
B. Industry benchmarks.
C. Implementation benefits.
D. Affordability.
Answer: C. Implementation benefits.
Explanation: A business case is the justification for the implementation of the security program. It contains a rationale for making an investment. It indicates the cost of the project and its expected benefits. The other options by themselves are not sufficient to justify the information security budget.