You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You are evaluating security control frameworks to mitigate risks and enforce security. Which of the following is least likely to be included in a security control framework?
A. Residual risk after implementing controls
B. Audit procedure or assessment methods
C. The process to eliminate controls from baselines
D. Implementation guidance for access control
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Residual risk after implementing controls.
A security control framework is an organized collection of security controls, together with guidance on implementing them and procedures for assessing them, that organizations use as a template or reference solution for mitigating risk.
For example, NIST SP 800-53 R4 and NIST SP 800-53A R4 together form the NIST security control framework. NIST SP 800-53 R4 provides the control catalog, the low/moderate/high control baselines, tailoring guidance for adding controls to or removing controls from a baseline, implementation guidance, control enhancements, priorities, and so forth. NIST SP 800-53A R4 provides the assessment procedures: assessment objectives, methods (examine, interview, test), and objects. Options B, C, and D therefore all map to content a control framework typically includes.
Residual risk, by contrast, is determined case by case. It depends on the organization's own assets, threats, and vulnerabilities and on how effectively the selected controls are actually implemented, so it can only be estimated by the organization during its risk assessment. It is infeasible for a generic security control framework to state the residual risk that will remain after its controls are implemented.