CISSP PRACTICE QUESTIONS – 20210520

Effective CISSP Questions

As a CISO, you are developing an information security strategy that must be aligned with the corporate strategy and business objectives. Which of the following tasks should be done first? (Wentz QOTD)
A. Conduct the SWOT analysis
B. Develop a portfolio of initiatives
C. Issue information security policies
D. Determine the gap between the desired and current state

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Conduct the SWOT analysis.

I introduce strategic management in this post. My book, The Effective CISSP: Security and Risk Management, has more details.

A policy expresses management's intention. Policies are issued only after the strategy has been formulated, to direct its execution/implementation; issuing them first would put the cart before the horse.

Levels of Strategy

Strategy

Strategy is a buzzword. Everyone uses it, but not always with a consistent definition. Generally speaking, a strategy is a plan to achieve long-term or overall objectives derived from the organization's mission and vision. It can be developed at the corporate, business, or functional level by managers at the corresponding level.

  • plan to achieve a long-term or overall objective (ISO 9000:2015)
  • plan to accomplish the organization’s mission and achieve the organization’s vision (ISO 21001:2018)
  • organization’s overall plan of development, describing the effective use of resources in support of the organization in its future activities
    Note 1 to entry: involves setting objectives and proposing initiatives for action (ISO/IEC/IEEE 24765:2017)
  • organization’s approach to achieving its objectives (ISO 30400:2016)

Strategic Management

Strategic management, a crucial element of corporate governance, comprises three phases: strategy formulation/development (strategic thinking, external and internal analysis, and gap analysis), strategy implementation/execution, and strategy evaluation.

David’s Model of the Strategic Management’s Process
Information Security Governance

Strategy Formulation

Strategic Thinking

Strategy formulation typically starts with strategic thinking about the organization's mission and vision, which shape the long-term and overall nature of the strategy. Strategic goals and objectives are derived from the mission and vision. Strategic thinking therefore defines the desired state.

Strategic Thinking
Goals, Strategy, and Risk
Goals and Objectives

External and Internal Analysis

External and internal analysis is typically conducted to scan the macro and micro environments and the industry for opportunities and threats, identify stakeholders, understand their needs and requirements, determine constraints and available resources, and so forth. SWOT analysis is one of the best-known tools for external and internal analysis; it establishes the current state and may also inform the desired state. This is why it comes first: the gap analysis, the portfolio of initiatives, and the policies all depend on its output.

External and Internal Analysis

Gap Analysis

Determining the gap between the desired and current state presupposes that both states have already been determined, so gap analysis cannot be the first task. Once the gap has been identified, a roadmap with milestones and initiatives is defined to move from the current state to the desired state. A strategy can be expressed as a portfolio of initiatives. A business case evaluates an initiative in terms of cost, benefit, and other feasibility dimensions. If the business case is approved, the initiative is turned into a project. A portfolio, evaluated by return on investment, can comprise one or more programs or projects.

Strategy Development
Strategic Portfolios

Strategy Implementation/Execution

Strategy, Initiative, Product, and Project
Project Life Cycle (Source: PMBOK)

Strategy Evaluation (Performance Measurement)

Balanced Scorecard (BSC)

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial on information security but also a study guide for the CISSP exam and an informative reference for security professionals.

