
As the head of cybersecurity, you are concerned with security incidents that may degrade the quality of business processes. You decide to manage the incident response quantitatively to improve process quality and reduce business loss. Which of the following is the best means? (Wentz QOTD)
A. CMMI
B. COBIT
C. Six Sigma
D. Common Criteria
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Six Sigma.
Six Sigma (6σ) is a set of techniques and tools for process improvement. It was introduced by American engineer Bill Smith while working at Motorola in 1986. A six sigma process is one in which 99.99966% of all opportunities to produce some feature of a part are statistically expected to be free of defects, i.e. no more than 3.4 defects per million opportunities (DPMO).
Source: Wikipedia
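To make the "quantitative" part of the question concrete, here is an added example (not code from the original post) that scores an incident response process the Six Sigma way. A defect is defined as an incident whose containment time exceeded a severity-based target; the defect rate is expressed as DPMO and then converted to a sigma level with the inverse normal CDF plus the conventional 1.5σ shift. The SLA targets, ticket identifiers and incident records are constructed for illustration and are assumptions, not real data.

```python
"""Added example: scoring incident response quality with DPMO and sigma level.

A "defect" is an incident whose containment ran past its severity-based
SLA. The SLA targets and the incident records below are constructed for
illustration (assumptions), not taken from any real organisation.
"""
from dataclasses import dataclass
from statistics import NormalDist

# Constructed containment targets in minutes, keyed by severity (assumption).
CONTAINMENT_SLA_MINUTES = {"high": 60, "medium": 240, "low": 1440}


@dataclass(frozen=True)
class Incident:
    ticket: str
    severity: str
    contain_minutes: float  # minutes from detection to containment


# Constructed sample of ten closed incidents (not real data).
INCIDENTS = [
    Incident("IR-001", "high", 45),
    Incident("IR-002", "high", 95),     # missed the 60-minute target
    Incident("IR-003", "medium", 180),
    Incident("IR-004", "medium", 230),
    Incident("IR-005", "medium", 300),  # missed the 240-minute target
    Incident("IR-006", "low", 600),
    Incident("IR-007", "low", 1200),
    Incident("IR-008", "high", 30),
    Incident("IR-009", "low", 900),
    Incident("IR-010", "medium", 120),
]


def is_defect(incident: Incident) -> bool:
    """An incident is a defect when containment ran past its SLA."""
    return incident.contain_minutes > CONTAINMENT_SLA_MINUTES[incident.severity]


def dpmo(incidents, opportunities_per_incident: int = 1) -> float:
    """Defects per million opportunities.

    With one opportunity per incident this is the SLA miss rate scaled to
    a million; raise opportunities_per_incident if you also score
    detection, eradication and recovery targets for each incident.
    """
    if not incidents:
        raise ValueError("no incidents to score")
    defects = sum(1 for inc in incidents if is_defect(inc))
    opportunities = len(incidents) * opportunities_per_incident
    return defects / opportunities * 1_000_000


def sigma_level(dpmo_value: float, shift: float = 1.5) -> float:
    """Convert DPMO to a sigma level.

    The long-term yield 1 - DPMO/1e6 is mapped to a z-score with the
    inverse normal CDF, then the conventional 1.5 sigma shift is added so
    that 3.4 DPMO reads as 6 sigma. Zero observed defects has no finite
    z-score, so it is reported as infinity rather than a made-up number.
    """
    if not 0 <= dpmo_value <= 1_000_000:
        raise ValueError("DPMO must be between 0 and 1,000,000")
    yield_ = 1 - dpmo_value / 1_000_000
    if yield_ >= 1.0:
        return float("inf")
    if yield_ <= 0.0:
        return float("-inf")
    return NormalDist().inv_cdf(yield_) + shift


def score(incidents, opportunities_per_incident: int = 1) -> dict:
    """Summarise the process as defect count, DPMO and sigma level."""
    d = dpmo(incidents, opportunities_per_incident)
    return {
        "incidents": len(incidents),
        "defects": sum(1 for inc in incidents if is_defect(inc)),
        "dpmo": d,
        "sigma": sigma_level(d),
    }


if __name__ == "__main__":
    print(score(INCIDENTS))
```

With the constructed sample, two of ten incidents missed their containment target, which is 200,000 DPMO and roughly a 2.3 sigma process; that number, tracked release over release, is the kind of quantitative signal the question is asking for. Note that a small sample with zero defects does not prove a six sigma process, which is why the conversion refuses to fabricate a finite sigma level for it.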
According to ISACA, COBIT 2019 is the most recent evolution of the COBIT framework. IMO, COBIT is primarily an IT governance framework, even though it can be applied to information security through the COBIT Focus Area: Information Security, which helps integrate information security throughout the organization. When the goal is to measure and improve the incident response process quantitatively, however, Six Sigma is the better choice.
CMMI is a unified capability maturity model used to appraise the maturity of an organization's processes for software development, acquisition, and service delivery. It rates how mature a process is, but it does not itself supply the statistical tools for measuring defects and driving them down, so it is not the ideal instrument for the quantitative process improvement the question asks for.

Common Criteria (ISO/IEC 15408) is used to evaluate the security functionality and assurance of IT products; it says nothing about the quality of an organization's incident response process.

Reference
- Six Sigma
- The Use of Six Sigma in Security
- ISACA’s Guide to COBIT 5 for Information Security
- COBIT 2019 Framework: Introduction and Methodology
- 3 reasons why ITSM practitioners should consider COBIT 2019
- An Examination of the Practicability of COBIT Framework and the Proposal of a COBIT-BSC Model
- Using COBIT and CGEIT to achieve enterprise governance success
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.