CISSP PRACTICE QUESTIONS – 20201215

Effective CISSP Questions

A newly hired CISO got onboard recently. He proposed a grand information security strategy called “zero risks.” As the CEO, which of the following should you do?
A. Approve the strategy and report to the board
B. Reject the strategy and ask for detailed risk assessment
C. Invite feedback from the senior management team and the board
D. Issue a program policy to initiate the information security program

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Invite feedback from the senior management team and the board.

ISO 31000

It’s generally accepted in the risk management community that risk cannot be eliminated. “No risks” is impossible because, while identified risks (known unknowns) can be managed, surprises (unknown unknowns) cannot. However, it’s not uncommon for senior management and the board to prefer “no surprises” and to set “no risks” as the ultimate goal. In this case, awareness, training, and communication are needed.

Context, Stakeholders, and Criteria

The “No Risks” strategy is not realistic. The CISO should be informed of the risk appetite, or the “Amount and type of risk that an organization is prepared to pursue, retain, or take.” Inviting feedback from the senior management team and the board is how the risk appetite is determined. The acceptable level of residual risk can then be further defined.

Informed Decisions

Informed decisions are necessary. Approving or rejecting the strategy with insufficient information (e.g., without knowing the risk appetite) is not good practice. Issuing a program policy to initiate the information security program is done only after the strategy is approved.

Risk Appetite

Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. The ISO 31000 risk management standard refers to risk appetite as the “Amount and type of risk that an organization is prepared to pursue, retain or take.” This concept helps guide an organization’s approach to risk and risk management.

Source: Wikipedia

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

A newly hired CISO recently came onboard. He proposed a grand information security strategy called “zero risks.” As the CEO, what should you do first?
A. Approve the strategy and report to the board
B. Reject the strategy and request a detailed risk assessment
C. Invite feedback from the senior management team and the board
D. Issue a program policy to initiate the information security program
