Question
Which of the following is the PRIMARY role of an information security manager in a software development project?
A. To identify software security weaknesses
B. To identify noncompliance in the early design stage
C. To assess and approve the security application architecture
D. To enhance awareness for secure software design
Answer
C. To assess and approve the security application architecture
Explanation
The correct answer is C. To assess and approve the security application architecture. This is the primary role of an information security manager in a software development project because the security application architecture defines how the software will meet the organization's security requirements and objectives. The information security manager is responsible for ensuring that the security application architecture is aligned with the organization's business goals, risk appetite, and policies, and that it follows accepted standards and best practices for secure software development. The information security manager should also review and approve any changes to the security application architecture throughout the project lifecycle, and monitor its implementation and testing. By doing so, the information security manager can ensure that the software is designed and developed in a secure manner and that it protects the confidentiality, integrity, and availability of the information assets it handles.
The other options are not the primary role of an information security manager in a software development project, although they may form part of a secondary or supporting role. For example:
- A. To identify software security weaknesses: This is the role of a software security tester or analyst, who performs various types of testing (such as static analysis, dynamic analysis, and penetration testing) to identify and report vulnerabilities or defects in the software. The information security manager may oversee or coordinate these activities, but that is not their primary role.
- B. To identify noncompliance in the early design stage: This is the role of a software security auditor or assessor, who evaluates and verifies whether the software complies with the applicable laws, regulations, standards, and policies. The information security manager may participate in or facilitate these activities, but that is not their primary role.
- D. To enhance awareness for secure software design: This is the role of a software security trainer or educator, who provides training and guidance to software developers and other stakeholders on how to design and develop secure software. The information security manager may support or sponsor these activities, but that is not their primary role.