Your company decides to subscribe to SaaS from a well-known cloud service provider. As a security professional, you are tasked to prepare for a security plan. Which of the following should you do first?
A. Determine data types processed by the SaaS cloud services.
B. Categorize the system based on its impact level.
C. Scope and tailor security controls.
D. Identify stakeholders.
Wentz’s Book, The Effective CISSP: Security and Risk Management https://www.amazon.com/dp/B087JL6BXR
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Identify stakeholders.
According to the NIST RMF, categorizing the system based on the impact level determined by its data types is the first step, but identifying stakeholders first is more practical, as stakeholders and their needs and requirements drive everything. Their needs determine which types of data are processed in the cloud.
- Government departments and agencies can look up the data types specified in NIST SP 800-60. However, the predefined data types in NIST SP 800-60 may not be applicable to private companies.
- Moreover, what services are provided by the SaaS? ERP, CRM, email, or document repository services? Are there any applicable legal or regulatory requirements? Identifying stakeholders helps in determining data types.
I designed this question based on a real case from a friend, also a CISSP. He is in charge of the security plan for the SaaS project.
Reference
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
Hi Wentz – this is a good question, as are all of the questions you post. I enjoy the challenge of trying to get into your mind and reason through to an answer. For this one, I’d like to offer that NIST SP 800-37 Rev 2 *does* offer further justification for why “Identify Stakeholders” might be a good first step, as the RMF describes the first step as “Prepare.” Specifically, this step entails: “Prepare to execute the RMF from an organization- and a system-level perspective by establishing a context and priorities for managing security and privacy risk.” In my opinion, identifying stakeholders at this stage makes perfect sense. Thank you for all you do to further knowledge!