An organization has defined a set of standard security controls. This organization has also defined the circumstances and conditions in which they must be applied.
What is the NEXT logical step in applying the controls in the organization?
After an organization has defined a set of standard security controls and the conditions in which they must be applied, the next logical step is to perform an asset classification. This step involves identifying and categorizing the organization's assets to understand what needs to be protected and to what extent. Asset classification provides the necessary context to apply the defined security controls appropriately, ensuring that the right controls are applied to the right assets based on their value and risk profile.
Since the organization has already defined its security controls and their application conditions, the next step is to analyze the existing controls on systems (Option C). This will help the organization understand where these standard controls need to be applied or where existing controls may need to be updated.
How do you define a new set of controls without first analyzing the existing controls to determine their effectiveness or otherwise? You can only come up with the standard controls and their applicability after a thorough understanding of the existing controls, not the other way round. Answer C is incorrect.
Before you apply controls, you need to know your assets and what level of protection they need based on the standards.
Analyze existing controls. Asset classification must be in place already. How do you apply the correct controls if you do not know the asset classification?
That was my first thought. But the question does not state that a program has been implemented and is being reviewed. Our only information is that the company has some documentation on controls, not that any have been applied, so the first step in risk management is to categorize the asset or system (p. 71, CCISO guide).
Maybe the question is not 100% clear to me; I was rather thinking about Control Lifecycle Management. The steps are select, validate, catalog, implement. So if in the first step a control has been selected/defined, the next is to validate (which I thought also means analysing existing ones...).
Asset classification is the first step
After defining the standard security controls and the conditions for their application, the next step is to analyze the existing controls on the systems to identify any gaps or overlaps. This analysis helps in understanding how well the current controls align with the new standards and where adjustments or enhancements are needed. By doing this, the organization can ensure that the new controls are effectively integrated and that all systems comply with the updated security requirements.