An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program.
Which of the following is MOST useful for this purpose?
A . Capability maturity level
B . Balanced scorecard
C . Control self-assessment (CSA)
D . Internal audit plan
Answer: B