Since management is ultimately responsible for information security, it should approve
information security policy statements; the information security manager should not have final
approval. Evaluation of third parties requesting access, assessment of disaster recovery plans
and monitoring of compliance with physical security controls are acceptable practices and do
not present any conflicts of interest.
Which of the following situations must be corrected FIRST to ensure successful information
security governance within an organization?
A. The information security department has difficulty filling vacancies.
B. The chief information officer (CIO) approves security policy changes.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final signoff on all security projects.
A steering committee should be in place to approve all security projects. The fact that the data
center manager has final signoff for all security projects indicates that a steering committee is
not being used and that information security is relegated to a subordinate place in the
organization. This would indicate a failure of information security governance. It is not
inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be
desirable to have the chief information officer (CIO) approve the security policy due to the size
of the organization and frequency of updates. Difficulty in filling vacancies is not uncommon due
to the shortage of good, qualified information security professionals.
Which of the following requirements would have the lowest level of priority in information
Information security priorities may, at times, override technical specifications, which then must
be rewritten to conform to minimum security standards. Regulatory and privacy requirements
are government-mandated and, therefore, not subject to override. The needs of the business
should always take precedence in deciding information security priorities.
When an organization hires a new information security manager, which of the following goals
should this individual pursue FIRST?
A. Develop a security architecture
B. Establish good communication with steering committee members