As the enterprise resource planning (ERP) system owner, you chair a meeting and collaborate with data owners and other stakeholders to determine the scope of security controls. The HR head proposes that an extra token-based authentication factor should be added to protect personal data. After discussion for a while, you ask for a vote on a consensus basis to decide if the multifactor authentication (MFA) should be implemented. Which of the following is the primary reason not requiring a change request to introduce the new control to enhance security?
A. Configuration management is not implemented.
B. The change control board (CCB) is not chartered.
C. The cost/benefit of the proposal has been justified.
D. The selected security controls have not been signed off.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. The selected security controls have not been signed off.

Changes to the baseline, which is anything formally approved, shall be managed. If selected security controls are not approved or signed off, or baselined, there is no need to submit a change request.

Change Management

• The (configuration) baseline is the “formally approved version of a configuration item, regardless of media, formally designated and fixed at a specific time during the configuration item’s life cycle.” (ISO/IEC/IEEE 15288:2015)
• Change management is the “process for recording, coordination, approval and monitoring of all changes.” (ISO/IEC TS 22237-7:2018)

Configuration Management

• Configuration is the “arrangement of the elements of a system.” (ISO 10209:2012)
• Configuration Item is an “entity within a configuration that satisfies an end use function and that can be uniquely identified at a given reference point.” (ISO/IEC 12207:2008)
• Configuration Management is the “process for logging and monitoring of configuration items.” (ISO/IEC TS 22237-7:2018)

Business Case

• document which summarizes the scope, benefits, costs and risks of a proposed solution to a business need. (ISO 41011:2017)
• documented justification to support decision making about the commitment to a project, program or portfolio. (ISO/TR 21506:2018)

Change Control Board (CCB)

The change control board is “a formally chartered group responsible for reviewing, evaluating, approving, delaying, or rejecting changes to a project, and for recording and communicating such decisions.” (PMBOK® Guide, 5th)

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

作為企業資源計劃(ERP)系統所有者，您主持會議並與數據所有者(data owner)和其他利害關係人協作以確定安全控制的範圍。 人力資源主管建議應添加一個額外的基於令牌(token-based)的身份驗證因素(factor)，以保護個人資料。 在會議中討論了一段時間後，您要求以共識決(consensus)進行投票，以決定是否應實施多因子身份驗證(MFA)。 下列哪個是實施這個新控制項以增強安全性，卻不需要提出變更申請的主要原因？
A. 未實施組態管理(configurations management)。
B. 變更控制委員會(CCB)未成立。
C. 提案的成本/效益是合理的。
D. 所選定的安全控制尚未被簽字核可(signed off)。