A divestiture (or divestment) is the disposal of a company’s assets or a business unit through a sale, exchange, closure, or bankruptcy; it is also a way to stay focused and remain profitable as companies grow and get involved in too many business lines. As a security professional, which of the following should you consider first to facilitate a divestiture?
A. Assets in scope
B. Business disruption
C. Leaks of intellectual property
D. Data privacy non-compliance
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Assets in scope.
As a security professional, you can start with any of the four options. However, it is more effective to consider assets in scope first, because business disruption, leaks of intellectual property, and data privacy non-compliance are effects or consequences resulting from the assets in scope, which determine both the uncertainty and the effect.
Analysis approaches differ with respect to the orientation or starting point of the risk assessment, level of detail in the assessment, and how risks due to similar threat scenarios are treated. An analysis approach can be: (i) threat-oriented; (ii) asset/impact-oriented; or (iii) vulnerability-oriented.
A threat-oriented approach starts with the identification of threat sources and threat events, and focuses on the development of threat scenarios; vulnerabilities are identified in the context of threats, and for adversarial threats, impacts are identified based on adversary intent.
An asset/impact-oriented approach starts with the identification of impacts or consequences of concern and critical assets, possibly using the results of mission or business impact analyses, and identifies threat events that could lead to, and/or threat sources that could seek, those impacts or consequences.
A vulnerability-oriented approach starts with a set of predisposing conditions or exploitable weaknesses/deficiencies in organizational information systems or the environments in which the systems operate, and identifies threat events that could exercise those vulnerabilities together with possible consequences of vulnerabilities being exercised.
Source: NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
- What is a Divestiture?
- What are the security risks of a corporate divestiture?
- Cyber security in divestments
- Cybersecurity in M&A and divestments
- Mergers, acquisitions and divestitures
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.