Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?

A. The information security department has difficulty filling vacancies.
B. The chief information officer (CIO) approves security policy changes.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final signoff on all security projects.
Answer: D

Explanation:
A steering committee with senior management representation should approve all security projects. Giving the data center manager final signoff on every security project indicates that no such committee is being used and that information security has been relegated to a subordinate, operational level of the organization, where it is decided by someone who also owns the infrastructure it is meant to control. That is a failure of information security governance and must be corrected first. It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be acceptable for the CIO to approve security policy changes, depending on the size of the organization and the frequency of updates. Difficulty in filling vacancies is a common resourcing problem given the shortage of qualified information security professionals, not a governance defect.