PrepAway - Latest Free Exam Questions & Answers

What committee is he joining?

Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?

A. Security policy committee

B. Audit committee

C. Risk management committee

D. Security steering committee

Explanation:

D: Steve is joining a security steering committee, which is responsible for making decisions on tactical and strategic security issues within the enterprise. The committee should consist of individuals from throughout the organization and meet at least quarterly. In addition to the responsibilities listed in the question, the security steering committee is responsible for establishing a clearly defined vision statement that works with and supports the organizational intent of the business. It should provide support for the goals of confidentiality, integrity, and availability as they pertain to the organization’s business objectives. This vision statement should, in turn, be supported by a mission statement that provides support and definition to the processes that will apply to the organization and allow it to reach its business goals.

A is incorrect because a security policy committee is a committee chosen by senior management to produce security policies. Usually senior management has this responsibility unless it delegates it to a board or committee. Security policies dictate the role that security plays within the organization. They can be organizational, issue-specific, or system-specific. The steering committee does not directly create policies but reviews and approves them if acceptable.

B is incorrect because the audit committee’s goal is to provide independent and open communications among the board of directors, management, internal auditors, and external auditors. Its responsibilities include the company’s system of internal controls, the engagement and performance of independent auditors, and the performance of the internal audit function. The audit committee would report its findings to the steering committee, but would not be responsible for overseeing and approving any part of a security program.

C is incorrect because the purpose of a risk management committee is to understand the risks that the organization faces as a whole and work with senior management to reduce these risks to acceptable levels. This committee does not oversee the security program. The security steering committee usually reports its findings to the risk management committee as they relate to information security. A risk management committee must look at overall business risks, not just IT security risks.
