The CEO set out a grand growth strategy that involves a portfolio of mergers and acquisitions. As a CISO, which of the following is most crucial to align the information security strategy with the grand strategy? (Wentz QOTD)
A. Neutrality of the security function
B. Independence of audit function
C. Exercise of due diligence
D. Use of due care
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Exercise of due diligence.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
When it comes to CISSP, the definition of Due Diligence (DD) is obscure and inconsistent.
IMO, DD entails defining a standard for each context: the standard of DD in the legal sector is different from the one in finance.
The Audit Office of New South Wales defines the standard of DD in terms of third-party engagement. It’s a good practice.
Standard of Due Diligence
However, how much diligence or how diligent is enough to meet the standard of due diligence? There is no uniform or widely agreed standard, and it varies across professions or contexts. For example, in the context of a merger & acquisition case, the following professional due diligence may be performed:
- Financial due diligence may focus on uncovering any financial abnormalities.
- Legal due diligence may involve analyzing the company’s agreements, licenses, ownership, and legal standing to operate.
- Information security due diligence may contain activities such as data leakage review, cyber health check, supply chain risk assessment, SDLC and DevOps evaluation, and so forth.
- detailed assessment of one or more business processes or production lines, culture, assets, liabilities, intellectual property, judicial and financial situation in order to make the outsourcing decisions. (ISO 37500:2014)
- detailed assessment conducted by an economic operator to evaluate a supplier’s compliance with the guidance principles. Note 1 to entry: In the context of the guidance principles, due diligence is conducted through second-party audits or third-party audits and, wherever feasible, regularly monitored through government inspections and oversight. (ISO/IWA 19:2017)
- comprehensive, proactive process to identify the actual and potential negative social, environmental and economic impacts of an organization’s decisions and activities over the entire life cycle of a project or organizational activity, with the aim of avoiding and mitigating negative impacts. (ISO 26000:2010)
- process through which organizations proactively identify, assess, prevent, mitigate and account for how they address their actual and potential adverse impacts as an integral part of decision-making and risk management. (ISO 20400:2017)
- compilation, comprehensive appraisal and validation of information of an organization required for assessing accuracy, commercial integrity, financial stability and functional competence integrity at the appropriate stage of the agreement sourcing process (ISO 41011:2017)
- process to further assess the nature and extent of the bribery risk and help organizations make decisions in relation to specific transactions, projects, activities, business associates and personnel. (ISO 37001:2016)
The CEO set out a grand growth strategy that involves a portfolio of mergers and acquisitions. As a CISO, which of the following is most crucial to align the information security strategy with the grand strategy? (Wentz QOTD)
A. Neutrality of the security function
B. Independence of the audit function
C. Due diligence
D. Use of due care