You work for a public traded company. Which of the following has the highest risk exposure?
A. The CISO reports to the COO instead of the CEO.
B. The company website gets defaced through SQL injection.
C. The official financial reports for shareholders are disclosed.
D. One of the RAID disks for the core database becomes malfunctioning.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. The company website gets defaced through SQL injection.
This question’s core concept is how you analyze risk, either qualitatively or quantitatively, to determine the risk exposure, expressed in monetary value, score, scale, opinion, you name it. I suggest B as the answer based on my “risk criteria” used to evaluate the risk exposure. There is no absolutely correct answer. If you can justify your response with the concept of risk analysis and risk exposure, well-justified responses are good answers.
Risk Exposure is the “potential loss presented to an individual, project, or organization by a risk.” (ISO 16085:2006) “Potential” is the uncertainty of risk, while “loss” is the effect of risk.
Disclosure of Financial Reports
The public traded companies shall disclose the official financial reports to shareholders to comply with legal and regulatory requirements. As a result, option C will not be identified as a risk. The following are actual reports of Amazon:
Option A implies an organizational restructuring to reposition the security function. It can be an organization-level risk that has a low possibility of occurrence and reporting to the COO, generally speaking, may bring a positive effect.
Significant decisions about the security function, for example, are the position, reporting line, and the role and responsibilities of CISO. The best arrangement is to have the CISO report to the CEO directly. The following are alternative arrangements:
- COO: It’s a good choice as well because the COO understands the business and operations most. With his or her supervision, the CISO can do a good job in integrating security into business processes.
- CIO: The CISO has a good command of information technologies, but is subject to a conflict of interest.
- Audit committee: It’s not a good option because the audit function shall be independent.
If one of the RAID disks for the core database becomes malfunctioning, the system can still operate with lower performance. It’s an IT incident that impacts service level that has moderate likelihood and low impact from my point of view. It can be rated as low risk with a scale of Very High, High, Moderate, Low, Very low.
If the company website gets defaced, it can result in organizational reputation damage, data or privacy breach, credential compromise, internal lateral movement, and so on, and so forth. It has a moderate likelihood and high impact.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
您在一家上市公司工作。 下列哪個曝險值(risk exposure)最高？