You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You want to evaluate if security controls are implemented correctly, operating as intended, and producing the desired outcome. Which of the following should you conduct?
A. Risk assessment
B. Third-party audit
C. Business impact analysis
D. Security control assessment

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Security control assessment.

ISO 31000

Risk Assessment

According to ISO 31000, risk assessment comprises three steps: risk identification, risk analysis, and risk evaluation. The NIST Risk Assessment is similar to the one of ISO 31000.

Security controls are implemented as part of the risk treatment or response process. The process to evaluate security controls for assurance is called “security control assessment (SCA),” or security assessment.

Security Assessment and Audit

Security assessments conducted by an independent party, the auditor. An auditee can conduct security assessments as self-assessments or pre-audit activities. A third-party audit is usually conducted by the big four accounting firms or certification bodies like SGS, BSI, TUV, etc. The security department or CISO won’t conduct third-party audits.

Business impact analysis

Business impact analysis is conducted to identify critical business processes and dependent resources, represented by MTDs and RTOs respectively.

Security Control Assessment

The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization. (NIST SP 800-53 Rev. 4)