Mahender
Viewer

Security governance

Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which
of the following is true about security governance?
A. Security governance ensures that the requested activity or access to an object is possible
given the rights and privileges assigned to the authenticated identity.
B. Security governance is used for efficiency. Similar elements are put into groups, classes,
or roles that are assigned security controls, restrictions, or permissions as a collective.
C. Security governance is a documented set of best IT security practices that prescribes
goals and requirements for security controls and encourages the mapping of IT security
ideals to business objectives.
D. Security governance seeks to compare the security processes and infrastructure used
within the organization with knowledge and insight obtained from external sources.

Hard to believe the answer given by ISC2, which is D, but the correct answer is C. Correct me if I am wrong?

4 Replies
Steve-Wilme
Advocate II

D is like an incomplete version of C, although C itself isn't a good description.

Yes, governance will involve examining the external context, starting with applicable legislation and regulation, codes that apply in your industry, then the frameworks which best match those and the capabilities/resources of the organisation. Generally, you find different external stakeholders will generate or refer out to their preferred frameworks, and then the challenge often is to map all of that across to the controls your organisation can implement and operate. So governance isn't about best in class or ideals; it's about what is appropriate to the context and can be complied with.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
ericgeater
Community Champion

@Steve-Wilme, yeah, I agree with you that it is poorly worded. @Mahender, are you certain that this question came from ISC2?

-----------
A claim is as good as its veracity.
Mahender
Viewer

I mean, in our ISC2 9E document questionnaire, the answer was given as Option D. We mostly refer to this document, but in fact it is not accurate to follow sometimes.

dcontesti
Community Champion

I think this question should be referred back to the Exam Development team for review.  Maybe @CBMExamTeam can stick handle to the correct folk.

I personally do not like any of the answers, as any and all of them are partially correct. I prefer the Gartner definition:

Security governance is a process for overseeing the cybersecurity teams who are responsible for mitigating business risks. Security governance leaders make the decisions that allow risks to be prioritized so that security efforts are focused on business priorities rather than their own.