Effective CISSP Questions

After conducting a risk assessment, your organization identified the risk of fire on facilities and data centers. You are considering security controls to respond to the risk. Which of the following should be implemented first? (Wentz QOTD)
A. Conduct fire drills
B. Buy fire insurance
C. Build fire suppression systems
D. Deliver fire safety awareness and training

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Deliver fire safety awareness and training.

What is Risk?

We typically apply controls to mitigate risk, decreasing the uncertainty, reducing the effect, or both. The best strategy is to prevent the risk from happening; that is, decreasing the uncertainty (likelihood or possibility). Even if we have controls to lower the uncertainty, the risk may still materialize. In that situation, we can minimize the negative effect.

  • Conducting fire drills is a preventive control that needs orientation or training in advance to be effective.
  • Buying fire insurance reduces financial loss. It assumes the fire has happened and loss has materialized.
  • Building fire suppression systems takes time. It’s a corrective control.
  • Delivering fire safety awareness and training is a preventive control.

The best strategy is to prevent fire from happening. Delivering fire safety awareness and training has many benefits:

  • Humans are the weakest link in the security chain. Promoting fire safety awareness and teaching employees the concept of the fire triangle helps prevent fires and suppress them in a timely manner.
  • People are also the most valuable assets. Training helps in suppressing fires and evacuating employees.
  • Besides, awareness and training are cost-effective and can be delivered quickly.

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

After conducting a risk assessment, your organization identified the risk of fire on facilities and data centers. You are considering security controls to respond to this risk. Which of the following should be implemented first? (Wentz QOTD)
A. Conduct fire drills
B. Buy fire insurance
C. Build fire suppression systems
D. Deliver fire safety awareness and training