A. Create a dedicated position of CISO and delegate the CISO to take charge of information security.
B. Raise the awareness of the CEO and the board of directors that they are liable for including information security in the agenda of corporate strategy.
C. Mitigate risks to the level acceptable to senior management to achieve confidentiality, integrity, and availability.
D. Govern or manage information security with a business mindset to deliver value.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Govern or manage information security with a business mindset to deliver value.
A function transforms inputs into outputs to deliver value. It may take input or consume resources to carry out the activities that produce its output.
The security function protects assets and delivers confidence; it consumes resources as input, such as people, budget, time, systems, processes, and so forth.
Security Function in Small Companies
I treat the security function as an unofficial security department. Companies that cannot afford a security manager or CISO still have security needs that must be addressed by someone or by some function; in that sense, they have an unofficial security department or security function.
Security Department in Big Companies
The security function can be fulfilled by an official or formal organization (a business unit, a department, or an organizational unit at any other level) headed by a manager or officer. In this situation, the security function is a formal organization.
It is good practice to govern or manage information security with a top-down approach. The governance level (the board and senior management) has to be aware of the importance and ramifications of information security and include it in the strategy agenda. The position of the security function has to be determined and its budget allocated.
If an official security organization is created and a security manager or CISO is delegated to govern or manage the security function (department), he or she has to align the information security strategy with the business and corporate strategies.
The information security strategy is developed and implemented to protect assets from threats in order to achieve the objectives of confidentiality, integrity, and availability, so as to support the organizational mission and business processes, and to create and deliver value.
- A. Create a dedicated position of CISO and delegate the CISO to take charge of information security.
The security function may be implemented through an unofficial or official security department, with its roles and responsibilities.
- B. Raise the awareness of the CEO and the board of directors that they are liable for including information security in the agenda of corporate strategy.
Awareness at the governance level is necessary but not sufficient. It does not fully address the strategic alignment and security function issues.
- C. Mitigate risks to the level acceptable to senior management to achieve confidentiality, integrity, and availability.
This is about risk management, or risk mitigation specifically.
- D. Govern or manage information security with a business mindset to deliver value.
This is my favorite perspective on information security governance and management. It is an umbrella term that covers topics such as the purpose of governance, the InfoSec organization, roles and responsibilities (R&R), strategy development, strategy alignment, program execution, resource optimization, and performance monitoring.
This post is copied from the second question in CISSP PRACTICE QUESTIONS – 20190829, which has two questions, to serve as the QOTD of 20190908 on 20200816.