responsible for approval of major policy statements and requests to fund the information
security practice. Evaluation of vendors, assessment of risks and monitoring compliance with
regulatory requirements are day-to-day responsibilities of the information security manager; in
some organizations, business management is involved in these other activities, though their
primary role is direction and governance.
Which of the following would BEST ensure the success of information security governance
within an organization?
A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training available to all employees on the intranet
D. Steering committees enforce compliance with laws and regulations
The existence of a steering committee that approves all security projects would be an indication
of the existence of a good governance program. Compliance with laws and regulations is part of
the responsibility of the steering committee but it is not a full answer. Awareness training is
important at all levels in any medium, and also an indicator of good governance. However, it
must be guided and approved as a security project by the steering committee.
Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
Governance is directly tied to the strategy and direction of the business. Technology constraints,
regulatory requirements and litigation potential are all important factors, but they are necessarily
in line with the business strategy.
Which of the following represents the MAJOR focus of privacy regulations?
A. Unrestricted data mining
B. Identity theft
C. Human rights protection
D. Identifiable personal data
Protection of identifiable personal data is the major focus of recent privacy regulations such as