Which of the following roles would represent a conflict of interest for an information security
manager?

A.
Evaluation of third parties requesting connectivity

B.
Assessment of the adequacy of disaster recovery plans

C.
Final approval of information security policies

D.
Monitoring adherence to physical security controls

Explanation:

Since management is ultimately responsible for information security, it should approve information
security policy statements; the information security manager should not have final approval.
Evaluation of third parties requesting access, assessment of disaster recovery plans and
monitoring of compliance with physical security controls are acceptable practices and do not
present any conflicts of interest.