Today is the first day of the year 2022. As a CISO, which of the following matters foremost? (Wentz QOTD)
A. Information Security Strategy
B. Information Security Program Policies
C. Security control baselines
D. Organizational objectives
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Organizational objectives.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
The security function is not a silo among business functions. As the CISSP exam outline depicts in the figure above, the information security strategy shall collaborate with other business functions and align with the organization's mission, goals, and strategies.
Information Security Program Policies direct the implementation or execution of the information security strategy. Standards, procedures, and guidelines are developed to support policies. Baselines are means to comply with standards.
The following diagram is a good example that demonstrates the relationship between strategy, policy, and program.
Today is the first day of 2022. As a CISO, which of the following matters most? (Wentz QOTD)
A. Information security strategy
B. Information security program policies
C. Security control baselines
D. Organizational objectives