Exam: CISM
Question 718

Which of the following is the MOST important consideration when establishing an organization's information security governance committee?

    Correct Answer: A

    When establishing an organization's information security governance committee, it's most important to ensure that the members represent functions across the organization. This broad representation ensures that various perspectives and expertise are brought to the table, enhancing the committee’s ability to address information security comprehensively. It helps in identifying and addressing security issues from different angles, understanding the unique requirements and risks of various departments, and fostering a culture of security awareness and responsibility throughout the organization.

Discussion
shootnot (Option: A)

Between A and D, the answer is A because A could include D but D does not necessarily guarantee A.

POWNED (Option: A)

The most important part of a steering committee is to have representatives that cover multiple functions across the organization. If you don't have this, then there will be a lack of advocates in certain divisions of the business.

xcjxcj

The committee is not to cover all stakeholders. E.g. admin department is not required. Only important stakeholders are needed.

TamerBeSafe (Option: D)

D. Members are business risk owners: Information security is not just an IT issue; it's a business issue. Business leaders who are also risk owners have a deep understanding of the organization's overall objectives, priorities, and risk appetite. When these leaders are involved in the information security governance committee, decisions related to security measures are more likely to align with the broader business strategy, and there is a better chance of achieving a balance between security and business objectives.

ccKane (Option: D)

Why not "Members are business risk owners"?

cangurer

end users/operational users could be a member as well.

cosmo4ng

Correct, and they are not necessarily business risk owners.

CISSPST

Good to see a discussion for the first time on this forum.

03allen (Option: A)

It's A, it does not have to be that everyone is a business owner.

yottabyte (Option: A)

Overall understanding is required here so members representing functions from various business units across the organization can provide that.

richck102 (Option: A)

A. Members represent functions across the organization