Certified Information Security Manager (CISM) — Question 555
A new information security manager finds that the organization tends to use short-term solutions to address problems. Resource allocation and spending are not effectively tracked, and there is no assurance that compliance requirements are being met. What should be done FIRST to reverse this bottom-up approach to security?
Answer options
- A. Implement an information security awareness training program.
- B. Conduct a threat analysis.
- C. Establish an audit committee.
- D. Create an information security steering committee.
Correct answer: D
Explanation
Creating an information security steering committee is the right first step because it establishes a structured, top-down governance framework: the committee sets strategic direction, prioritizes and tracks security resources and spending, and provides oversight of compliance obligations, which directly counters the reactive, short-term approach described. The other options, while beneficial, do not address the fundamental governance and strategic oversight gap; an awareness program, a threat analysis, or an audit committee each tackle only one symptom rather than the missing governance structure that causes them.