Effective CISSP Questions

Your company is implementing the ERP system. As a security professional, you are selecting security controls as a baseline from a well-known security control framework and customizing it according to your company’s specific requirements and constraints. Which of the following is of least concern during the process of scoping and tailoring?
A. Compensating controls
B. Common controls
C. The impact level of the ERP system
D. Certification and accreditation


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Certification and accreditation.


Scoping and Tailoring

We commonly determine the security controls that protect our information systems based on the systems’ impact. We don’t do that from scratch, however; we follow an approach to classify or categorize assets, select controls as a baseline from a security control framework, and customize them per business requirements and constraints. This selection and customization process is also known as scoping and tailoring.

Security Control Framework

FIPS 199 and NIST SP 800-63 describe the procedure to categorize information systems while FIPS 200 and NIST SP 800-53 provide the security control framework. ISO 27001 Annex A also provides a list of controls; ISO 27002 is the code of practice or implementation guideline for them.

Compensating Controls

Compensating controls are commonly interpreted as the ones that back up the primary control in case it fails. However, some controls in the baseline are often infeasible because of certain conditions or constraints. We may replace the infeasible controls specified in the baseline with “compensating controls.” We certainly have to justify the replacement.

Common Controls

Common controls are shared across systems, e.g., physical access control to the data center or computer room that hosts the ERP system. Common controls may not meet the security requirements of specific information systems or data types.

Certification and accreditation

Certification and accreditation (C&A) is typically a concern after the system and controls are implemented. It’s too early to consider C&A when selecting and customizing controls.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

2 thoughts on “CISSP PRACTICE QUESTIONS – 20200620”

  1. ^ just read the question again, “certification and accreditation” doesn’t refer to regulatory compliance.
