Mahender
Newcomer II

Security governance

Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance?

A. Security governance ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.
B. Security governance is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
C. Security governance is a documented set of best IT security practices that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.
D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.
Hard to believe the answer given by ISC2, which is D, but the correct answer is C. Correct me if I am wrong.

11 Replies
Mahender
Newcomer II

Yes sir, it's the CISSP ISC2 Official 9th edition guide in PDF format. It seems it will be addressed below by Wiley & Sons Publications. Sorry for the delayed response.
JohnEricsson
Newcomer I

I answered "C" but now think "D" is best.
For "C", I would say "Security Governance" (SG) is oversight that a standard is being met. I think what the answer says is part of the oversight, but not SG itself.
For "D", SG is the top tier of oversight. While it does not set the standard (that could be management instruction), SG's role is to make sure it is being met (see answer C as to how) and provide assurance of it. However, it cannot do that in isolation; it needs external input to determine best practice, and it needs external input to determine new risks (e.g. supply chain with AI Python repositories).
However, it could be that the CISSP definition of SG is different from mine.