Which of the following roles would represent a conflict of interest for an information security manager?
A . Evaluation of third parties requesting connectivity
B . Assessment of the adequacy of disaster recovery plans
C . Final approval of information security policies
D . Monitoring adherence to physical security controls
Answer: C
Explanation:
Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval. Evaluation of third parties requesting access, assessment of disaster recovery plans and monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.