Your company sells toys online worldwide. A web-based E-Commerce system developed in-house and deployed to a public cloud supports the business. The EC system accepts credit cards and processes personal data. Which of the following addresses those concerns and provides the best assurance?
B. Risk Assessment
C. Security Assessment
D. Third-party Audit
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Third-party Audit.
Assurance is the “measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.”
Source: NIST Glossary
An assessment is performed to evaluate the fulfillment of specified requirements; an audit is a formal assessment conducted by independent parties or auditors.
The Payment Card Industry Data Security Standard (PCI-DSS) is “an information security standard for organizations that handle branded credit cards from the major card schemes.” PCI-DSS itself, as a standard, won’t deliver assurance; it only specifies the requirements.
The best assurance comes from independent third-party auditors who audit the organization against the PCI-DSS requirements as the audit criteria and formally attest to its compliance. A risk assessment or an in-house security assessment evaluates the same controls, but without the independence that makes the result credible to customers, card brands, and regulators.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get a copy from the author’s web site.