During an investigation where criminal activity is suspected, preservation of information is critical to ensure evidence is not altered or destroyed, maintaining its integrity for potential legal proceedings.

Key Considerations in Criminal Investigations:

Maintain chain of custody to ensure admissibility of evidence.

Document and preserve logs, artifacts, and affected system states.

Other Activities:

Communication: Important but secondary to preserving evidence.

Eradication and Restoration: Typically done after evidence is collected.

Determining Attack Source: Valuable but dependent on preserved data.

Incident Handling and Forensics: Stresses the importance of evidence preservation in investigations.

Legal and Compliance Requirements: Aligns with the need for defensible evidence in cases of suspected criminal activity.

 Background Checks as Security Controls:

Background checks are administrative controls because they pertain to policies and procedures designed to manage personnel security.

 Purpose:

These checks aim to verify the trustworthiness of individuals accessing sensitive systems or data.

 Supporting Reference:

CCISO defines administrative controls as processes and guidelines that include personnel management and access authorization measures.

The "no right to privacy" and AUP establish that users consent to monitoring, but proper procedures must still be followed to prevent abuse of power and protect organizational trust.

In this scenario, escalating the request to a higher authority ensures transparency and accountability.

 Why Other Options Are Incorrect:

A. Grant access: Directly granting access without oversight could result in misuse and liability.

C. Reset password: This bypasses proper oversight and due process.

D. Deny the request citing national privacy laws: If the employee has consented to monitoring, this response is unwarranted.

 EC-Council CISO Reference:

The curriculum discusses balancing security controls and ethical considerations, ensuring decisions align with organizational policies and legal frameworks.

Comprehensive and Detailed Explanation (250–350 words) From Exact Extract from Chief Information Security Officer (CCISO) Documents:

According to the EC-Council CCISO framework, a security strategy must clearly define alignment to business objectives and articulate the organization’s risk tolerance. CCISO documentation repeatedly emphasizes that security programs exist to enable the business, not operate independently of it.

The security strategy outlines how security initiatives support revenue, operational resilience, regulatory compliance, and strategic growth while operating within acceptable risk boundaries defined by leadership. CCISO guidance notes that without this alignment, security programs become cost centers rather than value enablers.

Market data, audit history, or board statements may inform strategy, but they are not core components. Therefore, alignment with business goals and risk tolerance is most often included.

Comprehensive and Detailed 250–300 Words Explanation From Exact Extract from Chief Information Security Officer (CCISO) Documents:

According to the EC-Council CCISO Body of Knowledge, a matrix organizational structure is defined as a hybrid model that blends elements of both functional and project-based organizational structures. In a matrix structure, employees typically report to two authorities simultaneously: a functional manager (such as IT, security, or operations) and a project or program manager.

CCISO documentation highlights that matrix structures are commonly used in complex enterprises where resources must be shared across multiple initiatives without losing functional expertise. For CISOs, this structure is particularly relevant because information security initiatives often span multiple departments, including IT, legal, compliance, HR, and business units. The matrix model enables better collaboration while preserving accountability within functional domains.

The CCISO program emphasizes that while matrix structures improve flexibility and cross-functional alignment, they also introduce governance challenges, such as conflicting priorities, unclear authority, and resource contention. As a result, strong leadership, clearly defined roles, and executive sponsorship are required to prevent confusion and inefficiency.

The other options are not organizational reporting structures in the CCISO context. “Distributed” refers to system architecture, “sole owner” and “limited liability” describe business ownership/legal models, not internal organizational design.

Therefore, per CCISO governance and leadership principles, the correct answer is Matrix, as it uniquely combines functional and project-based reporting into a hybrid structure.

Comprehensive and Detailed 250–300 Words Explanation From Exact Extract from Chief Information Security Officer (CCISO) Documents:

The EC-Council CCISO Body of Knowledge identifies ensuring board approval of security policies and procedures as the most important responsibility of an Information Security Steering Committee. CCISO guidance emphasizes that this committee serves as a governance bridge between executive leadership, the board, and operational security functions.

Board approval provides authority, accountability, and enforceability to security policies. Without this approval, policies lack governance backing and are often ignored or inconsistently applied. While diversity of membership and audit reviews are important, they are supporting functions.

CCISO materials stress that the steering committee ensures security aligns with business objectives and risk tolerance through formal board endorsement. Therefore, option C is correct.

Comprehensive and Detailed 250–300 Words Explanation From Exact Extract from Chief Information Security Officer (CCISO) Documents:

The EC-Council CCISO Body of Knowledge stresses that the CISO’s role is not to unilaterally block business initiatives, but to enable informed risk-based decision-making. When a business unit proposes technology that violates security standards, the best course of action is to perform a risk analysis and present the results to the business.

CCISO materials emphasize that risk ownership lies with the business, not the security function. The CISO is responsible for identifying, analyzing, and communicating risk—not for making business decisions. Performing a risk analysis provides clarity on potential impacts, likelihood, regulatory exposure, and mitigation options.

Blocking deployment without analysis damages business alignment. Automatically granting exceptions undermines governance. Altering standards to fit technology weakens control frameworks.

Therefore, performing a risk analysis and enabling the business to make a risk-informed decision is the most effective and CCISO-aligned approach.

 Purpose of a Business Case

A business case for a security project is developed to:

Communicate risks to stakeholders.

Provide a justification for resource allocation and investment.

Forecast budgetary and resource requirements.

 Comparison of Options

A. Estimate risk and negate liability: Business cases estimate risk but do not primarily negate liability.

B. Understand attack vectors and sources: While important, this is not the primary focus of a business case.

D. Forecast usage and cost per software licensing: This may be part of a business case but is not its primary purpose.

 EC-Council References

Emphasized in EC-Council frameworks, a business case is essential for aligning security projects with organizational priorities and securing executive buy-in.

Immutable data storage is highly effective against ransomware threats because it ensures that stored data cannot be altered or deleted, even by malicious actors. This allows organizations to recover from ransomware attacks quickly without paying ransoms. Phishing exercises (A) and endpoint anti-malware (D) are preventive measures, while blocking wireless networks (C) is unrelated to ransomware mitigation.

Comprehensive and Detailed Explanation (250–350 words)

===========

According to EC-Council CCISO documentation, the final step in the system authorization process is obtaining a formal Authority to Operate (ATO) from executive management or an authorizing official. CCISO materials align this process with NIST authorization models, emphasizing that authorization is a management decision, not a technical one.

Security scans, vulnerability remediation, and configuration hardening (Options C and D) occur before authorization. Connecting systems to an ISP (Option A) is operational and irrelevant to authorization. The authorization decision signifies that leadership accepts residual risk and formally approves system operation in the production environment.

CCISO stresses that without executive authorization, systems should not be placed into service, regardless of technical readiness. Therefore, Option B is correct.

 Understanding the Authorization Process

The system authorization process is a structured methodology ensuring that a system operates securely within an acceptable risk framework. According to EC-Council Certified CISO standards, this process follows a lifecycle approach which culminates in obtaining formal approval from senior management.

 Steps in the Authorization Process

a. Risk Assessment: Evaluate threats, vulnerabilities, and potential impacts.

b. Implementation of Security Controls: Deploy safeguards to mitigate identified risks.

c. Testing and Validation: Conduct tests such as vulnerability assessments to ensure controls are functioning correctly.

d. Documentation: Record compliance with security controls and assessments.

e. Final System Review: This includes activities like scanning the system and ensuring all identified high and medium vulnerabilities are addressed.

 Final Step: Authority to Operate

After the above steps are completed, the system owner or project leader submits the authorization package to executive management. The final decision lies with senior-level stakeholders who evaluate if the system meets all organizational security requirements and residual risk is acceptable. Upon approval, they provide formal authorization to operate (ATO).

 Why Option B is Correct

This aligns with EC-Council's emphasis on governance and senior management oversight in risk management frameworks. The ultimate authority for the operation of any system lies with the top executives who are accountable for the organization's security posture.

 References

This procedure is documented in various EC-Council CISO materials, ensuring it is consistent with best practices for managing organizational cybersecurity frameworks.