
An information security measurement program can be scoped to a variety of environments and needs. Which of the following is the least feasible scope? (Wentz QOTD)
A. The information system-level security performance for an operational information system
B. The integration of information security into the system development life cycle (SDLC)
C. The linkage between information security and enterprise strategic planning
D. The enterprise-wide information security performance
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. The linkage between information security and enterprise strategic planning.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

This question introduces how NIST SP 800-55 R1 scopes an information security measurement program:
Information security measures can be obtained at different levels within an organization. Detailed measures, collected at the information system level, can be aggregated and rolled up to progressively higher levels, depending on the size and complexity of an organization. While a case can be made for using different terms for more detailed and aggregated items, such as “metrics” and “measures,”
Information security measures are based on information security performance goals and objectives. Information security performance goals state the desired results of an information security program implementation.
Information security measures monitor the accomplishment of goals and objectives by quantifying the implementation, efficiency, and effectiveness of security controls; analyzing the adequacy of information security program activities; and identifying possible improvement actions.
An information security measurement program can be scoped to a variety of environments and needs:
• Quantifying information system-level security performance for an operational information system;
• Quantifying the integration of information security into the system development life cycle (SDLC) during information system and software development processes; and
• Quantifying enterprise-wide information security performance.
Information security measures can be applied to organizational units, sites, or other organizational constructs. Organizations should carefully define the scope of their information security objectives, operating environments, risk priorities, and information security program maturity.
Source: NIST SP 800-55 R1
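The NIST passage above says that detailed measures collected at the information system level can be aggregated and rolled up to higher levels (organizational unit, enterprise-wide). The following Python is an added example written for this post, not code from NIST SP 800-55 R1 or from the original author; the systems, units, control statuses and incident counts are constructed sample data. It computes two system-level measures (an implementation measure on selected controls and an effectiveness measure on incident handling), then rolls them up to unit and enterprise scope, and contrasts that with the common mistake of averaging percentages.

```python
from collections import defaultdict

# Constructed sample data (not from NIST SP 800-55 R1 or the original post):
# each operational information system records its owning organizational unit,
# the implementation status of a few selected controls (raw data for an
# implementation measure) and incident-handling counts (raw data for an
# effectiveness measure).
SYSTEMS = {
    "hr-portal": {
        "unit": "HR",
        "controls": {"AC-2": True, "AU-2": True, "CP-9": False, "IA-2": True},
        "incidents_total": 4, "incidents_within_target": 3,
    },
    "payroll": {
        "unit": "HR",
        "controls": {"AC-2": True, "AU-2": False, "CP-9": False, "IA-2": True},
        "incidents_total": 2, "incidents_within_target": 2,
    },
    "web-shop": {
        "unit": "Sales",
        "controls": {"AC-2": True, "AU-2": True, "CP-9": True, "IA-2": True,
                     "SC-7": True, "SI-4": False},
        "incidents_total": 10, "incidents_within_target": 5,
    },
}


def system_measures(record):
    """Information-system-level measures as (numerator, denominator) pairs.

    Keeping the raw counts instead of a percentage is what makes a correct
    roll-up to higher levels possible."""
    controls = record["controls"]
    return {
        "controls_implemented": (sum(1 for ok in controls.values() if ok), len(controls)),
        "incidents_within_target": (record["incidents_within_target"], record["incidents_total"]),
    }


def roll_up(systems, group_by):
    """Aggregate system-level measures to the level chosen by group_by.

    group_by maps a system record to its group key (its unit, or a constant
    for enterprise-wide scope). Numerators and denominators are summed and the
    percentage is formed only at the end, so a system with more selected
    controls or more incidents carries proportionally more weight."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for record in systems.values():
        key = group_by(record)
        for name, (num, den) in system_measures(record).items():
            totals[key][name][0] += num
            totals[key][name][1] += den
    return {
        key: {name: (round(100 * n / d, 1) if d else None) for name, (n, d) in measures.items()}
        for key, measures in totals.items()
    }


def unit_level(systems):
    """Measures rolled up to organizational-unit scope."""
    return roll_up(systems, lambda r: r["unit"])


def enterprise_level(systems):
    """Measures rolled up to enterprise-wide scope."""
    return roll_up(systems, lambda r: "enterprise")["enterprise"]


def average_of_system_percentages(systems, name):
    """The naive roll-up: average each system's percentage. Shown only to
    illustrate why it disagrees with roll_up() when systems differ in size."""
    pcts = [100 * n / d for r in systems.values()
            for m, (n, d) in system_measures(r).items() if m == name and d]
    return round(sum(pcts) / len(pcts), 1)


if __name__ == "__main__":
    for system, record in SYSTEMS.items():
        print(system, system_measures(record))
    print("unit level:", unit_level(SYSTEMS))
    print("enterprise level:", enterprise_level(SYSTEMS))
    print("naive average of system percentages (controls):",
          average_of_system_percentages(SYSTEMS, "controls_implemented"))
```

Run as a script it prints the per-system, per-unit and enterprise-wide figures. The design point is that an enterprise-wide measure should be derived from the underlying counts (10 of 14 controls implemented, 71.4%), not from averaging the three systems' percentages (69.4%); the two diverge as soon as systems have different numbers of selected controls or incidents.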
Reference
- NIST SP 800-55 R1
- Practical Use of Program Evaluation among Sexually Transmitted Disease (STD) Programs
The scope of an information security measurement program can be defined according to a variety of environments and needs. Which of the following is the least feasible scope? (Wentz QOTD)
A. Information system-level security performance for an operational information system
B. Integration of information security into the system development life cycle (SDLC)
C. The linkage between information security and enterprise strategic planning
D. Enterprise-wide information security performance