
CISM Exam - Question 1027


Which of the following defines the MOST comprehensive set of security requirements for a newly developed information system?

Correct Answer: C

A risk assessment systematically identifies, analyzes, and evaluates the risks to a specific information system. Its results drive a set of security requirements tailored to the threats, vulnerabilities, and business impact actually faced by that system, covering both the controls already expected and any additional controls the system needs. Baseline controls are a predefined minimum applied to every system regardless of its risk profile, audit findings only report on controls that already exist, and key risk indicators are monitoring metrics rather than requirements, so risk assessment results are the most comprehensive source of requirements among the options.

Discussion

10 comments
Cyberbug2021 (Option: A)
Nov 23, 2023

Baseline controls represent the most comprehensive set of security requirements for a newly developed information system. These controls provide a foundation of security measures that should be implemented regardless of the specific risks or vulnerabilities of the system. They cover a wide range of security aspects, including access control, data protection, network security, and application security.

richck102 (Option: C)
Nov 20, 2023

C. Risk assessment results

Uncle_Lucifer (Option: C)
Dec 6, 2023

Risk assessment first, before developing baseline controls. You cannot apply controls blindly without knowing what needs them.

Soleandheel (Option: C)
Nov 27, 2023

C. Risk assessment results are more comprehensive than A. Baseline controls.

koala_lay (Option: C)
Dec 12, 2023

The most comprehensive set of security requirements for a newly developed information system would be defined by C. Risk assessment results. Risk assessment is a systematic process of identifying, analyzing, and evaluating potential risks to determine the effectiveness of existing security controls and identify any additional security requirements that may be necessary. By analyzing the results of a risk assessment, one can determine the specific security measures and controls needed to protect the information system effectively.

POWNED (Option: C)
Feb 1, 2024

The answer is C; the key here is "provide a foundation".

POWNED
Feb 1, 2024

Sorry I meant to say A.

FantasyDream (Option: A)
Feb 7, 2024

If risks are accepted without any need for additional controls, then the risk assessment itself doesn't result in new requirements. Baseline controls are a set of standard security requirements that apply to all systems within an organization to provide a minimum level of security.

xcjxcj
Mar 15, 2024

Baseline is minimum = least COMPREHENSIVE. C is comprehensive.

3czz (Option: A)
Feb 23, 2024

I would go with A.

yottabyte (Option: A)
Mar 18, 2024

I would go with A, baseline requirements for a newly developed information system, as they are not required to be part of the system; however, analysis of the risk assessment results would be involved in the selection of baseline controls.

1899f17 (Option: C)
May 28, 2024

C. Risk assessment results