After conducting a risk assessment, your organization identified the risk of fire on facilities and data centers. You are considering security controls to respond to the risk. Which of the following should be implemented first? (Wentz QOTD)
A. Conduct fire drills
B. Buy fire insurance
C. Build fire suppression systems
D. Deliver fire safety awareness and training
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Deliver fire safety awareness and training.
We typically apply controls to mitigate risk by decreasing the uncertainty, reducing the effect, or both. The best strategy is to prevent the risk from materializing, that is, to decrease the uncertainty (likelihood or possibility). Even with controls in place to lower the uncertainty, the risk may still materialize; in that situation, we can minimize the negative effect.
- Conducting fire drills is a preventive control that needs orientation or training in advance to be effective.
- Buying fire insurance reduces financial loss. It assumes the fire has happened and loss has materialized.
- Building fire suppression systems takes time. It’s a corrective control.
- Delivering fire safety awareness and training is a preventive control.
The best strategy is to prevent fire from happening. Delivering fire safety awareness and training has many benefits:
- Humans are the weakest link in the security chain. Promoting fire safety awareness and teaching employees the concept of the fire triangle helps prevent fires and suppress them in a timely manner.
- People are also the most valuable assets. Training helps employees suppress a fire and evacuate safely.
- In addition, awareness and training are cost-effective and can be delivered very quickly.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers in countries or regions not supported by Amazon can get a copy from the author’s web site.