The BEST way to ensure information security efforts and initiatives continue to support corporate strategy is by:
A. including the CIO in the information security steering committee
B. conducting benchmarking with industry best practices
C. including information security metrics in the organizational metrics
D. performing periodic internal audits of the information security program
Correct Answer: C????? or D??????????????
______________________
Note
■ Some experts claim that the correct answer is: "C. including information security metrics in the organizational metrics"
■ Other experts claim that the correct answer is: "D. performing periodic internal audits of the information security program"
■ What do you think about that? Please explain: Why B and "not" C......or.......Why C and "not" B
Many thanks!
The security matrix allows the user to interact with data, like which data is available to which user.
In big organizations, sensitive data is not accessible to employees or interns; it is only accessible to senior managers and other heads. So if the organization wants to maintain the security of data, then they have to implement the security matrix.
In simple words, we can say that the security matrix is used to assign roles to users. For example, a person working with IT should not have access to crucial information on the mechanical team or electronics team.
Another example is if a person leaves an organization, then his/her access rights should be revoked; that person should not be allowed to access the information of that organization.
Internal audit on information systems is an independent assessment of the system for knowing about vulnerabilities, and other security issues. The goal of an audit is to minimize security issues.
Internal audit is very important in highlighting information security and privacy risks in an organization.
Both are very important with respect to information security.
But the question mentions ensuring security and good initiative, so I think the correct answer is
C: Including information security metrics in the organizational metrics
It is a good initiative to give different access to different employees, so this information security matrix should be implemented with the organization's matrix.
Both answers to the question are correct, but I think in most organizations the security matrix is a higher priority than internal audits.