Which of the following falls within the scope of an information security governance committee?
Answer: B.
An Information Security Governance Committee (ISGC) is a committee that is responsible for managing and overseeing an organization's information security program. The committee is usually composed of senior management and other key stakeholders within the organization. Its primary objective is to ensure that the organization's information assets are protected against unauthorized access, disclosure, alteration, destruction, and disruption.
Now, let's analyze each answer choice in relation to the scope of an ISGC:
A. Approving access to critical financial systems: This falls within the purview of an access control committee, which is responsible for granting and revoking access to critical systems and data based on the principle of least privilege. While the ISGC may provide oversight to the access control committee, it does not typically make decisions regarding access to specific systems or data.
B. Prioritizing information security technology initiatives: This is a core responsibility of an ISGC. The committee is responsible for assessing the organization's information security needs, identifying potential vulnerabilities and threats, and developing strategies to mitigate risks. Prioritizing technology initiatives is a critical component of this process.
C. Reviewing content for information security awareness programs: This is another responsibility of an ISGC. The committee is responsible for ensuring that employees are adequately trained and informed about the organization's information security policies, procedures, and best practices. Reviewing and approving content for information security awareness programs is an essential component of this process.
D. Selecting the organization's external security auditors: This is typically the responsibility of an audit committee, which is responsible for overseeing the organization's internal and external audit functions. While the ISGC may provide input into the selection of external auditors, it does not typically make the final decision.
Therefore, based on the above analysis, the answer choices that fall within the scope of an ISGC are B (Prioritizing information security technology initiatives) and C (Reviewing content for information security awareness programs).