Exam CISM topic 1 question 23 discussion

Executive leaderschip decides to let senior maangeent focus on runnig the business. Security is part of the business so B.

• Information Security Management Does Not Fully Accept the Responsibility for Information Security Governance (D): If the information security management team does not fully accept responsibility for information security governance, it can create a significant barrier to the successful implementation and ongoing management of the security framework. A lack of ownership and commitment from those directly responsible for overseeing information security can lead to poor implementation, inadequate enforcement of policies, and a general failure to integrate security governance effectively within the organization

Executive management are ultimately responsible for the security governance of the business and they are also needed to support and sponsor the program. So if their understanding is lacking that will be the greatest risk..

For a security governance framework to be successful, it is crucial that executive leadership understands and actively supports information security governance. If leadership views it primarily as the concern of the information security management team alone, it may lead to a lack of commitment, insufficient resources, and a failure to integrate security into the overall business strategy. A successful security governance framework requires top-down commitment and involvement from executive leadership to ensure that security is aligned with business priorities. While the other options (executive leadership becoming involved, information security staff lacking experience, and information security management not fully accepting responsibility) are also potential challenges, the lack of engagement and understanding from executive leadership can have broad-reaching impacts on the success of the security governance framework.

I would say answer is D. Responsibility cannot be outsourced.

this might answer it. Another key element that shouldbe understood is that although the security manager is the facilitator of the program, the ultimate responsibility or ownership for protecting information is at the executiveleadership and board of directors levels. The security charter gives the security leaderauthority to design and operate the program, but accountability is shared between thesecurity leader and the executive leadership team and board of directors.

B. Executive leadership views information security governance primarily as a concern of the information security management team

to down approach

B for sure. Want to make sure leadership sees this as a business risk, not ONLY infosec issue.

hard question this one