The Three Lines of Defense Model classifies risk management roles as follows:
First Line of Defense: Operational management responsible for risk controls (e.g., blocking unauthorized traffic, encrypting data).
Second Line of Defense: Risk management and compliance functions that monitor and assess the effectiveness of first-line controls (e.g., reviewing disaster recovery test results).
Third Line of Defense: Independent audit functions providing assurance (e.g., conducting security assessments).
Option C (Reviewing disaster recovery test results) aligns with the second line of defense because it involves oversight and evaluation of IT controls rather than direct execution.
[Reference: IIA Three Lines Model – Risk Management]