ALL IN ONE CISM EXAM GUIDE, McGraw Hill
Information Security Program Metrics
A metric is a measurement of a periodic or ongoing activity intended to help management understand the activity within the context of overall business operations. In short, metrics are the means through which management can measure key processes and know whether their strategies are working. Metrics are used in many operational processes, but this section emphasizes metrics related to security governance. In other words, there is a distinction between tactical IT security metrics and those that reveal the state of the overall security program. The two are often related, however, as discussed in the sidebar “Return on Security Investment,” later in this chapter.
I will go with C; senior leadership is involved here. Assessing the risk progress can be done by the steering committee for option D, but for senior leadership, C is more important probably.
I will go with D here. C is the responsibility of infosec manager, not senior leadership. However, senior leadership will assess the progress of risk mitigation efforts via metrics.
But yeah, unnecessarily tricky question with somewhat bad wording.
Senior leadership always ties with metrics. The technical jargon has to be dumbed down for senior leadership with metrics. No, they are not building the metrics, but they need to ensure they are part of reporting so that they can understand what is going on.
In order to ensure the risk is mitigated to the proper risk acceptance level senior leadership needs to assess the progress of risk mitigation efforts. Answer is D
I would say D, because C is not the responsibility of senior leadership. Establishment of metrics is the responsibility of the InfoSec Manager, and senior leadership needs to make sure that they are assessing the progress of risk mitigation efforts.
In order to understand an organization's security posture, it is MOST important for an organization's senior leadership to assess the progress of risk mitigation efforts (option D). According to ISACA, security posture is defined as "the security status of an enterprise’s hardware, software and policies. It is the overall security status of an enterprise’s information technology (IT) environment and activities. Security posture is determined by evaluating threats and vulnerabilities and by identifying potential areas of risk. The goal of security posture management is to maintain an optimal level of security for the enterprise’s systems and data."