Many selected C. Security strategies are certainly a part of information security governance, but they are not the primary responsibility. The governance function also needs to advise on risk appetite and tolerance, ensure compliance with regulations, and oversee the implementation of security strategies.
Selected C, but B seems to be more appropriate when I read the question. What is the role of information security governance? It would be B, since governance talks about the entire business, not the role of the information security manager.
The purpose of information security in an organization is to assist the organization in achieving its objectives, and it is the primary goal of an information security strategy. The PRIMARY goal of developing an information security strategy is to: establish security metrics and performance monitoring.
Option B, advising senior management on optimal levels of risk appetite and tolerance, is a primary responsibility of information security governance because it involves setting the tone for how an organization should approach and tolerate risks related to information security, which is a strategic decision at the highest level of management.
One of the most important responsibilities of the information security governance function is to advise senior management on optimal levels of risk appetite and tolerance. This means helping senior management to understand the risks to the organization's information assets and to make informed decisions about how much risk the organization is willing to accept.
According to ISACA, a primary responsibility of the information security governance function is to advise senior management on optimal levels of risk appetite and tolerance. This involves providing guidance to senior management on the acceptable levels of risk that the organization is willing to take on in pursuit of its objectives. So, the correct answer to your question would be option B.
B-RISK is the primary. Once an org understands its risk tolerance, then they can decide which security strategies/controls to implement. Until risk is understood, an org won't be able to make choices on which strategies are best for the org. Risk informs budget, areas of focus in the org, what controls/systems to delegate to a 3rd party, whether risk is offset to another entity, etc.
Once risk is understood, then and only then can an alignment exist between the biz goals and the org's security program.