You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You are reviewing the performance of security operations. Which of the following is most likely out of the review scope?
A. Development progress of the business continuity plan
B. Walkthrough result of the disaster recovery plan
C. The efficiency of the incident response
D. The validity of backup data
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Development progress of the business continuity plan.
Unlike a project, which is a temporary endeavor, security operations are the ongoing execution of repetitive security activities, carried out per the procedures to enforce security. A project is closed after it delivers its results, which are then turned over to operations. For example, a project is initiated to implement a business continuity management system (BCMS) in one year. The BCMS project is closed after the BCMS is approved and comes into effect.
Business continuity management is part of security operations, while developing the business continuity plan is a temporary endeavor, the work of a project.
The following are part of the ongoing execution of repetitive security activities:
- Walkthrough result of the disaster recovery plan
- The efficiency of the incident response
- The validity of backup data