When an organization is implementing an information security governance program, its board of directors should be responsible for:
A. Drafting information security policies
B. Reviewing training and awareness programs
C. Setting the strategic direction of the program
D. Auditing for compliance

Correct answer: C
A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company's vision and business goals. The board must incorporate the governance program into the overall corporate business strategy.
Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and focus to the policies.
Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices.
Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance.
When implementing an information security governance program, the board of directors plays a critical role in ensuring the success of the program. The board is responsible for setting the strategic direction of the program, ensuring that it aligns with the organization's goals and objectives. The board must also ensure that the program is adequately resourced and that the necessary funds are available to implement it effectively.
Therefore, option C, setting the strategic direction of the program, is the correct answer.
The board should also provide oversight and guidance to the organization's management team, who are responsible for implementing the program. They must ensure that management understands the importance of information security, that it is a priority for the organization, and that it is integrated into all aspects of the organization's operations.
The board should also review the organization's training and awareness programs to ensure that they are effective in educating employees about information security risks and the actions they can take to mitigate them. Therefore, option B is partially correct.
While the board may be involved in drafting information security policies, this is generally the responsibility of the organization's management team, who are closer to the day-to-day operations of the organization. Therefore, option A is incorrect.
Finally, while the board should provide oversight and monitor compliance with the program, auditing for compliance is generally the responsibility of an independent auditor. Therefore, option D is incorrect.