Effective CISSP Questions

Your organization set up a new position, CISO, which reports to the CIO, to be in charge of cybersecurity. As the CISO, you aim to support the business effectively. Which of the following is the most critical task for you?
A. Integrate security into IT processes
B. Implement comprehensive network access control
C. Sponsor and direct the business continuity program
D. Develop an information security management system

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Develop an information security management system.

Developing an information security management system (ISMS) is the most appropriate and critical of the four options. The ISMS starts with management commitment and policies that drive information security to meet the stakeholders’ (or interested parties’) protection needs and security requirements. It covers network access control, IT processes, and the information security aspects of business continuity.

  • Implementing comprehensive network access control is necessary but not sufficient, and it is not the first priority.
  • Integrating security into IT processes is necessary but not sufficient. No matter which role a CISO reports to, he or she should ensure that the security function supports the business and that security is integrated into “all” organizational processes, not only IT processes.
  • Unless a CISO understands the business very well and is fully empowered and delegated, it’s not a good idea for him or her to sponsor and direct the business continuity program. Business continuity is about the continual delivery of products and services, which involves organizational processes, not only IT, security, or assurance processes. The CEO, COO, or a committee is more appropriate. The CISSP exam outline and ISO 27001 don’t even cover all the business continuity requirements, as the following screenshot shows.

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Your organization has set up a new position, CISO, which reports to the CIO and is mainly responsible for information security matters. As the CISO, you want to support the organization’s business effectively. Which of the following is the most critical task for you?
A. Integrate security into IT processes
B. Implement comprehensive network access control
C. Sponsor and direct the business continuity program
D. Develop an information security management system (ISMS)

1 thought on “CISSP PRACTICE QUESTIONS – 20210224”

  1. Pingback: The most critical task as a CISO: developing an information security management system – Choson資安大小事