Exchanging information between systems begins with a planning phase in which the participating organizations perform preliminary activities and examine the relevant technical, security, and administrative issues. Which of the following should be conducted first? (Wentz QOTD)
A. Conduct security assessments
B. Conduct risk assessments
C. Define the business case
D. Document the memoranda of understanding/agreement (MOU/A).
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Define the business case.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
“A business case captures the reasoning for initiating a project or task.” (Wikipedia) It typically comprises one or more alternatives for evaluation, e.g., feasibility and cost/benefit analysis. Payback period (PB), internal rate of return (IRR), and net present value (NPV) are common financial approaches of cost/benefit analysis. The selected alternative is initiated as a project, authorized by the project charter, and backed up by the project sponsor. A project is the smallest unit of a strategy, which comprises portfolios, programs, and projects.
- NIST SP 800-47 Rev. 1: Managing the Security of Information Exchanges
- An Introduction to Capital Budgeting
- Business case
系統之間的信息交換始於規劃階段，在該階段，參與組織執行初步活動並檢查相關的技術、安全和管理問題。 以下哪一項應首先進行？ (Wentz QOTD)
A. 進行安全評鑑 (assessments)
C. 定義業務案例 (business case)
D. 記錄諒解備忘錄/協議 (MOU/A)