Your company decides to subscribe to a portfolio of software services delivered as SaaS from a well-known cloud service provider. The program policy limits consumption of the software to business use only; employees are not allowed to use it at home or for personal purposes. As a security professional, you are tasked with assessing the risk and proposing solutions to mitigate it. Which of the following contributes least to the risk assessment process? (Source: Wentz QOTD)
A. Context diagram
B. Location-based authentication
C. OSINT (Open-source intelligence)
D. SDLC (System Development Life Cycle)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Location-based authentication.
Location-based authentication is a control that helps enforce the policy (for example, restricting access to corporate networks or approved locations). It belongs to the risk treatment or response phase, not to the assessment phase, so it contributes the least to the risk assessment process. Risk assessment is about identifying assets, threats, vulnerabilities, and stakeholders and evaluating likelihood and impact; selecting a specific control comes afterwards.
The System Development Life Cycle (SDLC) is crucial to security engineering: security concerns have to be addressed across every phase of the SDLC. The term "development" can be misleading, as a system is composed of many elements that may be built in-house or acquired from external parties. Subscribing to cloud services is a procurement project, and procurement is part of the SDLC, so the SDLC frames when and where the risk assessment takes place.
A context diagram depicts the system boundary and its stakeholders and external entities for further analysis. OSINT (open-source intelligence) can be gathered to collect information about the provider or any other stakeholders, such as its security posture, breach history, and compliance attestations. Both feed directly into identifying assets, threats, and dependencies during risk assessment.