3 votes
The ultimate goal of the review and approval processes is to gain senior executive approval of the policy or standard by the chief information security officer (CISO). In order to gain this approval, the CISO requires direct reports or other advisors to sign off on the document. Which of the following is not among the textbook's suggested list of people who should be given the chance to become a second or third layer of review?

a) Legal Counsel
b) Human Resources
c) IT Support Staff
d) External Auditors

1 Answer

0 votes

Final answer:

External auditors are not typically part of the direct review process for internal policies and standards within an organization; they are involved in external financial verification.

Step-by-step explanation:

The question pertains to the review and approval processes in corporate governance, specifically related to the role and the approval activities of the Chief Information Security Officer (CISO). The textbook suggests certain individuals who should review a policy or standard before it reaches the CISO for final approval. Among the options provided, external auditors are not typically part of the direct review process for internal policies within the organization, as they are more involved with the external verification of a company's financial records and compliance with regulations. The usual process would involve legal counsel, human resources (HR), and IT support staff in the review layers before reaching the CISO.

User Reps
by
7.9k points