According to FIPS 200, adequate security emphasizes that security should be “commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.” Which of the following best justifies implementing security controls and demonstrates the adequate security concept? (Wentz QOTD)
A. Information security policy
B. Security awareness
C. Management commitment
D. Business case
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Business case.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Goals and objectives drive organizational activities. Setting goals and objectives should follow the SMART principles. A strategy is an overall plan or approach to achieve long-term goals derived from the organizational purpose, mission, and vision. According to ISO 31000, risk is the effect of uncertainty on objectives. To achieve goals, we need to manage both strategies and risks.

(Source: PMI Business Analysis for Practitioners – A Practice Guide)

Risk Management
Security controls are mitigation measures taken to respond to or treat risks after risk assessment. Risk treatment should consider risk appetite, feasibility, and costs/benefits. A business case is a feasibility study that considers the costs and benefits or business value that an initiative can create. A risk treatment strategy may comprise one or more solutions as initiatives that entail spending or investments and need to be evaluated with a business case.

(Source: PMI Business Analysis for Practitioners – A Practice Guide)
According to FIPS 200, adequate security emphasizes that security should be “commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.” Which of the following best justifies implementing security controls and demonstrates the adequate security concept? (Wentz QOTD)
A. Information security policy
B. Security awareness
C. Management commitment
D. Business case