Your organization plans to establish a dedicated department for the security function. Which of the following is the consideration of least importance? (Wentz QOTD)
A. Legal and regulatory requirements
B. The boundary of security and IT operations
C. Customer’s needs and requirements
D. Security and privacy security controls selection

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Security and privacy security controls selection.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Organizations exist to serve customers; their needs and requirements matter. Organizations conduct external and internal analysis or context and organizational analysis before starting strategic initiatives. Stakeholders or interested parties are identified and analyzed in the meantime.

Establishing a department to take care of security functions is an organizational change. It’s not uncommon required by the legal and regulatory requirements or customer’s needs and requirements. The position, roles, and responsibilities of the security function may overlap with the IT function. For example, firewalls, end-point security, security operation centers, and service desks may use shared resources and blur the boundary of security operations and IT operations.

The selection of security and privacy security controls is important, but it’s not as critical as other factors mentioned above because controls can be considered after the security department has been set up. Moreover, controls can be applied at various levels, such as the information systems level, facility level, business process level, or organizational level. Controls are part of the risk mitigation strategy. They are implemented after risk assessment. As a result, it’s more of a risk management concern, instead of an issue when establishing the security department.

Reference

---

您的組織計劃為建立一個專責的資安部門(security function)。 以下哪一項是最不重要的考慮？ (Wentz QOTD)
A. 法律和監管要求
B. 安全和 IT 運營的邊界
C. 客戶的需要和要求
D. 安全和隱私安全控制選擇