Because it takes time to change an organization’s culture, the ISO must continually monitor security policy compliance. The ISO reports to leadership on the current effectiveness of the security policies and will also have to ask the business to accept any residual risk or come up with a way to reduce it. True/False
Part of the role of an Information Security Officer (ISO) is monitoring network usage to ensure compliance with security policies and collaborating with management and the IT department to improve security.
This means that the ISO must keep the organization informed about the shortfalls of the security system while the organization is still adapting to using it.
Residual risk arises because no system is 100% secure. It is the amount of risk that remains after a security system has been implemented. If a system is 99% secure, it is 1% vulnerable, and that 1% is the residual risk.
It is the job of the ISO to inform the company about any residual risk in a security policy or to come up with measures aimed at mitigating it.
If you have important data on your hard drive that is not backed up, and your Windows installation is so corrupted that you know you must refresh the entire installation, you should make every attempt to recover the data first.