As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the compensating security control for replacing a baseline control. Which of the following best describes the process you are conducting?
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Tailoring.
Scoping refers to reviewing baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect. For example, if a system doesn’t allow any two people to log on to it at the same time, there’s no need to apply a concurrent session control.
Tailoring refers to modifying the list of security controls within a baseline so that they align with the mission of the organization. For example, an organization might decide that a set of baseline controls applies perfectly to computers in their main location, but some controls aren’t appropriate or feasible in a remote office location. In this situation, the organization can select compensating security controls to tailor the baseline to the remote location.
Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Kindle Locations 5849-5855). Wiley. Kindle Edition.
Verification and Validation
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
作為客戶關係管理(CRM)系統所有者(system owner)，您與數據所有者(data owner)和其他利害關係人(stakeholder)協作，以確定用於替換基準控制(baseline control)的補償性(compensating)安全控制。 以下哪項最能描述您正在進行的過程？