As a CISO, you shall align the security function to business strategy, goals, mission, and objectives. Which of the following is the best description of the security function?
A. The position and organization of information security
B. The assurance of independent security audits
C. The implementation of information security programs
D. The capability provided by the system or a system element
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. The position and organization of information security.
- According to the NIST glossary, the security function refers to “the capability provided by the system or a system element” at the system level.
- The assurance of independent security audits is part of the assurance function.
- The implementation of information security programs realizes the information security strategy.
In the organization’s context, the security function refers to the activities performed to protect assets to enforce security and support business. Regardless of the size of an organization, every organization needs to perform the security function either through a formal or informal security organization or organizational unit.
- In an informal organization of the security function, security activities can be performed by any people in various departments; it’s not uncommon for IT people to take care of security.
- In a formal organization, a dedicated position of information security manager or CISO is set up. The position of the security department (function) in an organization determines the CISO’s reporting line. There are pros and cons for CISO to report to various senior executives. For example, CEO, COO, CIO, CFO, etc.
Reference
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
作為CISO,您應使安全功能(security function)與業務戰略、目標(goal)、使命(mission)和目的(objective)保持一致。 以下哪項是對安全功能的最佳描述?
A. 資訊安全的定位和組織
B. 獨立之安全稽核的保證
C. 實施資訊安全計畫(program)
D. 由系統或系統元素提供的能力(capability)