Your company establishes a security baseline that requires all laptop computers to be provisioned with biometric authentication. However, a small number of outdated laptops that support only token-based authentication cannot meet the requirement. If the security baseline must be tailored to exclude these laptops, which of the following actions should be taken first?
A. Submit a change request
B. Implement token-based authentication as the compensating control
C. Justify the request for the exception to the current security baseline
D. Communicate the performance to the management
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Justify the request for the exception to the current security baseline.
Since the security baseline must be tailored, the tailoring must follow change management. That is, a change request must be submitted to the CCB (Change Control Board) or another authority for approval. Based on the approved change request, token-based authentication is implemented as the compensating control. After the implementation, the performance should be communicated to management as part of performance management and continuous improvement.
However, before the change request is submitted, the request (whether for a corrective action, a preventive action, a defect repair, or an update to artifacts) should be justified and documented, because that justification is the basis on which the CCB or other authority reviews and approves it.
- A change request is a formal proposal to modify any document, deliverable, or baseline. Since a change request is a formal proposal, we don’t propose without justification.
- Performance is a measurable result. It is used to measure progress toward an objective, for example through key performance indicators (KPIs). In project management, performance is collected as performance data, processed into performance information, and summarized in a performance report.
The following is the suggested change management process:
- Identify alternatives and select the solution
- Justify and document the (change) request for the exception to the current security baseline
- Submit a change request
- Review and approve the change request (by CCB)
- Implement token-based authentication as the compensating control
- Communicate the performance to the management
Statement of Applicability (SOA)
In ISO 27001, the organization has to document the justification for including or excluding each of the controls listed in Annex A.