Certified Chief Information Security Officer (CCISO) — Question 84

A security professional has been promoted to be the CISO of an organization. The first task is to create a security policy for this organization. The CISO creates and publishes the security policy.
This policy, however, is ignored and not enforced consistently. Which of the following is the MOST likely reason for the policy shortcomings?

Answer options

• A. Lack of a formal risk management policy
• B. Lack of a formal security policy governance process
• C. Lack of formal definition of roles and responsibilities
• D. Lack of a formal security awareness program

Correct answer: B

Explanation

The correct answer is B because without a formal governance process, there is no mechanism to ensure that the security policy is enforced and adhered to throughout the organization. Options A, C, and D, while important, do not directly address the enforcement and consistency of the policy itself.