Certified Information Security Manager (CISM) — Question 1068

Which of the following BEST demonstrates a security-conscious organizational culture?

Answer options

• A. Security incidents are reported directly to senior management.
• B. Security awareness metrics have been established and tracked.
• C. Phishing simulations are part of information security training.
• D. Employees identify potential incidents and report them.

Correct answer: D

Explanation

The correct answer, D, highlights the proactive role employees play in maintaining security by identifying and reporting potential incidents. While A, B, and C are important aspects of a security program, they do not reflect the same level of engagement and responsibility from employees as option D does.