Your company plans to create a new position, CISO, responsible for formulating and executing the information security strategy. The board of directors is holding a meeting to revise the corporate bylaws and calls for a resolution that the CISO shall report to the audit committee. As the CEO attending the meeting, which of the following is the best feedback?
A. Agree with the resolution as it’s a good arrangement.
B. Suggest that internal audit capability should be put in the job skills of CISO.
C. Propose a clause to separate the CISO and CIO role to avoid conflict of interests.
D. Remind that the independence of auditing would be hindered.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Remind that the independence of auditing would be hindered.
SEGREGATION OF DUTIES
- When duties are properly segregated, no single employee has both the ability to commit fraud or make a mistake and the ability to cover it up.
- e.g. Audit staff do not have other operational duties related to what they are auditing.
Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide9. Wiley.