You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You developed an information security policy and put it into effect. Which of the following is the most effective for you to enforce its compliance?
A. Provide more training to improve awareness and skill levels
B. Conduct frequent audits to improve continuously
C. Develop standards, procedures, and guidelines to support the policy
D. Collaborate with the audit department
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Collaborate with the audit department.
Providing training and developing supporting documents are good practices that promote compliance, but they don’t enforce compliance.
As a CISO, you may or may not define the standards that support a policy; middle management is better suited to do so. Procedures and guidelines are typically artifacts at the operations level, and it's uncommon for senior management to provide step-by-step instructions.
Training and supporting documents contribute to the effectiveness of compliance, but audits determine if the organization is compliant with the information security policy.
Enforcing compliance typically relates to corrective actions, continuous improvement, or even sanctions or penalties.
The CISO is typically not responsible for auditing, so he or she does not conduct audits but facilitates them. It is therefore good practice to collaborate with the audit department to facilitate audits and thereby enforce compliance.