First Line of Defense (Operational Management): Performs daily IT security tasks, such as blocking unauthorized traffic and encrypting data.
Second Line of Defense (Risk Management & Compliance): Monitors and reviews security controls, including disaster recovery testing and risk management activities.
Third Line of Defense (Internal Audit): Provides an independent assessment of IT security controls.
Why Option C (Review Disaster Recovery Test Results) Is Correct?
The second line of defense is responsible for monitoring and evaluating IT risk management processes, including disaster recovery and business continuity planning.
Reviewing disaster recovery test results ensures that the organization is prepared for IT disruptions and meets compliance requirements.
IIA Standard 2110 – Governance requires auditors to evaluate whether IT risk management activities (such as disaster recovery) are being effectively monitored.
Why Other Options Are Incorrect?
Option A (Block unauthorized traffic):
This is a first-line defense task, typically handled by IT security teams (e.g., firewall and intrusion detection system monitoring).
Option B (Encrypt data):
Encryption is part of daily IT security operations and is handled by the first line of defense.
Option D (Provide an independent assessment of IT security):
Independent assessments are the responsibility of internal audit (third line of defense), not the second line.
The second line of defense focuses on monitoring IT risk, making disaster recovery test review a key responsibility.
IIA Standard 2110 and the Three Lines of Defense Model confirm this role.
Final Justification:IIA References:
IPPF Standard 2110 – Governance (IT Risk Management)
IIA Three Lines of Defense Model
COBIT Framework – IT Governance & Risk Management
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit