Your company, with regional offices across the country, sells toys online and ships globally. As the WHO has declared COVID-19 a pandemic, you are responsible for responding to this crisis and evaluating the work-from-home solution. As a CISO, which of the following should be the highest priority?
A. Enforce remote access control
B. Review asset inventory, e.g., VPN licenses
C. Publish recommendations for cleaning, disinfection, and healthcare
D. Test the disaster recovery plan (DRP)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Publish recommendations for cleaning, disinfection, and healthcare.
The Sybex ISC2 official study guide states, “maintaining human safety is always your first priority.” Publishing recommendations for cleaning, disinfection, and healthcare directly protects human life.
Moreover, the end is more important than the means. The purpose, or end, of the work-from-home solution is to protect employees from COVID-19 infection, while a VPN connection with proper access control and sufficient licenses is one of the means. The business continuity plan (BCP), not the DRP, can be reviewed and tested to identify gaps so that actions can be taken to close them.
The security function should support the business. Departments should not have tunnel vision or operate independently like silos. A CISO responsible for responding to the COVID-19 crisis should not take care of technical issues only. VPN licenses, remote access control, and the disaster recovery plan are all technical matters that do not directly contribute to the protection of human life.