
As a security professional, you are responsible for protecting information assets. Which of the following should be conducted first to enforce information security? (Wentz QOTD)
A. Assess risk against assets
B. Classify assets based on business values
C. Assign asset owners
D. Select controls to protect assets
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Assign asset owners.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security, a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

Typical steps conducted are listed as follows:
- Take inventory of information assets
- Assign asset owners
- Asset owners classify assets based on business value
- Assess risk against assets
- Select controls based on security control frameworks, if any, to protect assets
- Tailor the initial scope of controls determined at control selection, based on the results of the risk assessment
As a security professional, you are responsible for protecting information assets. Which of the following should be performed first to enforce information security? (Wentz QOTD)
A. Assess risk against assets
B. Classify assets based on business value
C. Assign asset owners
D. Select controls to protect assets
Is it B?