The chief information security officer (CISO) should ideally have a direct reporting relationship to
the:
A. head of internal audit.
B. chief operations officer (COO).
C. chief technology officer (CTO).
D. legal counsel.
Explanation:
The chief information security officer (CISO) should ideally report to as high a level within the
organization as possible. Among the choices given, the chief operations officer (COO) would have
not only the appropriate level but also the knowledge of day-to-day operations. The head of
internal audit and legal counsel would make good secondary choices, although they would not be
as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become
problematic as the CTO’s goals for the infrastructure might, at times, run counter to the goals of
information security.