Based on the Ulasien (2008) article, why is an IT security audit critical in developing an enterprise security strategy?  Should threats to the enterprise be reviewed and assessed on a regular basis?

Based on the Drumheller (2007) article, why should the critical business processes be identified and their impact on the business be evaluated along with the threats for developing the enterprise security strategy?  Should impact on business processes of the enterprise be reviewed and assessed on a regular basis?