Certified Information Security Manager (CISM) — Question 813

Which of the following is MOST important to convey to employees in building a security risk-aware culture?

Answer options

• A. Employee access should be based on the principle of least privilege.
• B. Personal information requires different security controls than sensitive information.
• C. The responsibility for security rests with all employees.
• D. Understanding an information asset's value is critical to risk management.

Correct answer: C

Explanation

The correct answer is C because cultivating a security risk-aware culture requires that every employee understands their role in maintaining security. Options A, B, and D, while important, focus on specific aspects of security rather than emphasizing the collective responsibility that all employees must embrace.