GIAC Security Leadership Certification (GSLC) — Question 6
The model for the Three Lines of Defense in Effective Risk Management and Control prescribes which of the following?
Answer options
- A. Risk Owners in the second line of defense should not delegate the day-to-day management of security controls
- B. Security teams should have complete responsibility for implementing security controls that catch unexpected events
- C. Internal auditors have a high level of independence that is not available in the second line of defense
- D. Risk Control and Compliance personnel can offer completely independent analysis to governing bodies in the final line of defense
Correct answer: A
Explanation
Option A is correct because it aligns with the principle that Risk Owners retain accountability for the management of security controls. Options B, C, and D misrepresent the roles: B inaccurately suggests security teams assume full responsibility, C wrongly implies internal auditors lack independence in the second line, and D incorrectly states Risk Control and Compliance personnel have complete independence, which is not the case.