According to The IIA's Three Lines Model, which of the following IT security activities is commonly shared by all three lines?
Assessments of third parties and suppliers are an IT security activity that involves evaluating the risks associated with third parties and suppliers, which is crucial for all three lines of defense in an organization. The first line (operational management), second line (risk management and compliance), and third line (internal audit) all need to be aware of and involved in assessing these external risks to ensure a comprehensive security posture.
Shouldn't it be B or A? Any thoughts?
Or maybe in fact it should be C after reading more carefully. Each dept classifies data and designs access privileges for its dept members to keep segregation of duties and adequate access rights assignment.
This should be A. Per GTAG: Assessing cybersecurity risk.
Copy-pasted from GTAG Page 12: "Conduct cyber risk assessments of service organizations, third parties, and suppliers (note: first and second lines of defense share this ongoing responsibility)"