After a periodic security assessment, you are reviewing the plan of action and milestones (POA&M) to correct non-compliance issues and mitigate risk. As a CISO, which of the following is your most concern?
A. Tasks not assigned an owner
B. Tasks underestimated on purpose
C. Tasks marked for further evaluation
D. Tasks solved and inherited from the previous report

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Tasks underestimated on purpose.

The risk-based approach is widely adopted in various areas, such as decision making, auditing, cybersecurity, banking, etc. “Risk is the effect of uncertainty on objectives.” (ISO 31000) It’s not a universally accepted term, but once a risk materializes or happens, it is better known as an “issue.”

The tasks in the POA&M for management review and approval should correct non-compliance issues and mitigate risk. If not, they may cause or trigger more risk. The four options in this question have different levels of risk exposure.

• Human is the weakest link in the security chain. If tasks are underestimated on purpose, it implies underrating risk, covering up wrongdoing, or other unexpected events. It may lead to more cascading risks or secondary risks.
• Tasks are not assigned with an owner is an issue, not really a risk. It has happened, and you know it; it can be corrected in time per your request.
• Tasks marked for further evaluation implies they are under control or attracted more attention.
• Presenting tasks that are solved and inherited from the previous report means 1) problems recur, or 2) they are listed for performance review. If problems recur, the root cause should be identified so that they can be eradicated.

Risk-Based Approach (RBA)

An RBA (Risk-based approach) to AML/CFT (Anti-Money Laundering/Countering the Financing of Terrorism) means that countries, competent authorities and financial institutions, are expected to identify, assess and understand the ML/TF (Money Laundering/Terrorist Financing) risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively.

Source: The Financial Action Task Force (FATF)

Reference

• Risk-based auditing
• Risk-Based Approach
• GUIDANCE FOR A RISK-BASED APPROACH – THE BANKING SECTOR

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

在定期進行的安全評鑑之後，您正在查看行動計畫和里程碑(POA＆M)，以糾正不符合(non-compliance)的問題並緩解(mitigate)風險。 作為CISO，您會最關心以下哪項？
A. 未分配所有者(owner)的任務
B. 刻意低估的任務
C. 標示為待進一步評估的任務
D. 上一份報告中已解決的任務