Strong Security Governance Requires Well-Defined Policies:
Cybersecurity governance is built upon clear, documented, and enforceable security policies that outline expectations, roles, responsibilities, and processes.
Policies define acceptable behaviors, security controls, incident response, and compliance requirements.
IIA Standard 2110 - Governance: Requires organizations to establish effective IT security governance, including policies that address cybersecurity risks.
IIA GTAG (Global Technology Audit Guide) on Information Security Governance:
Recommends that clear policies should guide security controls, user access, and incident response to address cybersecurity threats.
A. Inventory of information assets (Incorrect)
While identifying critical information assets is essential for risk management, it does not constitute security governance on its own.
Asset inventories support governance but must be reinforced by policies that define how data should be protected.
B. Limited sharing of data files with external parties (Incorrect)
Restricting data sharing is a control measure, not a governance principle.
Policies define when, how, and under what conditions data can be shared securely.
C. Vulnerability assessment (Incorrect)
Assessments help identify security gaps but do not establish governance.
Effective governance ensures that vulnerabilities are identified, prioritized, and remediated in accordance with policies.
Explanation of Answer Choice D (Correct Answer):Explanation of Incorrect Answers:Conclusion:To ensure strong security governance, organizations must have clearly defined security policies (Option D) as a foundation for managing cybersecurity threats.
IIA References:
IIA Standard 2110 - Governance
IIA GTAG - Information Security Governance
