The Most Appropriate Board-Level Activity for Information Security Governance

A.

Information security governance is a critical aspect of managing and protecting an organization's information assets. The board-level activity for information security governance is responsible for setting the tone at the top, ensuring that adequate resources are allocated to information security, and overseeing the organization's overall security posture.

Out of the given options, the MOST appropriate board-level activity for information security governance is:

A. Establish security and continuity ownership

Establishing security and continuity ownership refers to assigning responsibility for information security to a specific individual or team within the organization. This activity is critical because it provides clarity on who is responsible for ensuring the organization's information security objectives are met, and it enables accountability for achieving those objectives.

By assigning ownership, the board demonstrates that information security is a priority for the organization, and it encourages a culture of accountability for information security throughout the organization. Furthermore, ownership enables clear lines of communication between the board and those responsible for information security, ensuring that the board is kept informed of the organization's security posture and any security incidents that may occur.

B. Developing what-if scenarios on incidents

Developing what-if scenarios on incidents is an important exercise for organizations to prepare for potential security incidents. However, this activity is more appropriate for the organization's security or incident response team, rather than the board-level activity for information security governance.

C. Establishing measures for security baselines

Establishing measures for security baselines is also an essential activity for information security governance, but it is primarily a responsibility of the organization's security team. While the board should ensure that security baselines are established, they should not be involved in the technical details of developing those measures.

D. Including security in job-performance appraisals

Including security in job-performance appraisals is an important aspect of creating a culture of security within the organization. However, this activity is primarily the responsibility of the organization's human resources department, rather than the board-level activity for information security governance.

In conclusion, the MOST appropriate board-level activity for information security governance is establishing security and continuity ownership. This activity assigns responsibility for information security, enables accountability for achieving objectives, and ensures clear lines of communication between the board and those responsible for information security.