CISSP PRACTICE QUESTIONS – 20210611

Effective CISSP Questions

As a CISO for a public company, you are developing an information security strategy. Which of the following renders the primary constituent elements of your strategy? (Wentz QOTD)
A. Acceptable use policy
B. Security control baselines
C. Business continuity program
D. Portfolios of security initiatives

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Portfolios of security initiatives.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

Strategic Portfolios

Security control baselines and business continuity programs are part of the information security strategy. The following are sample projects/initiatives identified by Vimal Mani towards achieving the strategic objectives of the Information Security function in an organization.

  • ISO 27K Gap & Risk Assessments
  • Develop & Implement Information Security Policies & Procedures, Processes, Standards and other controls as per the Risk Treatment Plans identified from Gap & Risk Assessments.
  • Develop Information Security Competency Framework.
  • Develop an Information Security Training & Awareness Plan.
  • Roll out Information Security Trainings as per the Information Security Training & Awareness Plan developed.
  • Information Security Awareness Creation as per the Information Security Training & Awareness Plan developed.
  • Improve the security posture of key IT Systems
  • Improve IT DR / BCM Capabilities
  • Develop Incident Response Capability
  • Ongoing research on Security Tools and bring improvements to the existing security automation.
  • Ongoing research on emerging Cyber Threats.
  • Participation & Presenting in outside Workshops conducted by partners such as CERT, ISC2, ISACA.
  • Launch Customer Satisfaction Surveys for Information Security Practice.
  • Benchmark the Information Security Practice of the organization with peers in the industry.
  • Periodic VA/PT, Reviews, Audits and Risk Assessments around Information Security Practice.

Acceptable Use Policy

Acceptable use policies are an integral part of the framework of information security policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems. For this reason, an AUP must be concise and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization. It should refer users to the more comprehensive security policy where relevant. It should also, and very notably, define what sanctions will be applied if a user breaks the AUP. Compliance with this policy should, as usual, be measured by regular audits.

Source: Wikipedia

As the CISO of a publicly listed company, you are developing an information security strategy. Which of the following is the primary constituent element of your strategy? (Wentz QOTD)
A. Acceptable use policy
B. Security control baselines
C. Business continuity program
D. Portfolios of security initiatives
