
CISM Exam - Question 610


An organization involved in e-commerce activities operating from its home country opened a new office in another country with stringent security laws. In this scenario, the overall security strategy should be based on:

Correct Answer: AC

When operating in a new country with stringent security laws, the overall security strategy should be based on the most stringent requirements to ensure compliance with local regulations and avoid any legal consequences. This approach ensures that the organization meets or exceeds all necessary security standards, thus maintaining the integrity and legality of its operations in the international context.

Discussion

17 comments
Souvik124 (Option: C)
Feb 17, 2023

In this scenario, the overall security strategy should be based on the most stringent requirements, which means complying with the security laws and regulations of the country where the new office is located.

xcjxcj
Mar 10, 2024

In this case, we should create a local version of the policy and standards, but not change the strategy.

mad68 (Option: C)
May 15, 2023

The CISM Review Manual, 16th Edition eBook* states "The global enterprise may need to establish different security strategies for each regional division, or it can base policy on the most restrictive requirements to be consistent across the enterprise."

CISSPST (Option: C)
Sep 27, 2023

PFB the excerpt from the ISACA Review Manual, 16th ed., page 32, section 1.3: "...the global enterprise may need to establish different security strategies for each regional division, or it can base policy on the most RESTRICTIVE requirements to be consistent across the enterprise."

wello (Option: A)
Jun 13, 2023

When an organization opens a new office in another country, it is indeed important to perform a risk assessment to understand the potential risks and vulnerabilities associated with the new location.

[Removed] (Option: A)
Aug 2, 2023

The CISM Review Manual 27th Edition (Page 81) notes: "Risk identification is the first step in the risk assessment process. It determines what could cause potential harm... When performing risk identification, it is important to consider all relevant sources of risk, whether internal or external to the organization." CISM tries to get one main point across to us: our loyalty is first and foremost to the company. If the risk of not following the law is within their appetite and is generating more revenue than noncompliance would cost us, we don't care. A for sure imo.

Akam (Option: A)
Sep 1, 2023

The correct answer shall be A. I don't know how most people chose C. It's talking about the overall strategy; if you create your strategy based on C, then you may end up with unnecessary spending, or spending in areas which are not required, and this is not risk-based decision making and will not support the business at all.

Salilgen
Mar 6, 2024

I agree

Thavee
Apr 14, 2024

Not the overall strategy, but the question said "stringent security laws"; your business will be closed if you do not follow the local security laws.

MacDanorld (Option: A)
Sep 16, 2023

I will go with A. Security strategy should be based on reducing risk to an acceptable level, not on regulatory compliance.

Thavee
Apr 14, 2024

The question said "stringent security laws".

Dravidian (Option: C)
Apr 24, 2023

It is asking for the overall security strategy. Based on that, I am assuming it has to be a common strategy for both locations, and so being in compliance with and obeying the local regulations by following the stringent requirements is the best bet.

koala_lay (Option: A)
Sep 21, 2023

In the scenario described, the overall security strategy should be based on: A. Risk assessment results. When expanding operations to a new country with stringent security laws, it is important to conduct a comprehensive risk assessment specific to the new environment. This assessment should identify and evaluate potential risks, vulnerabilities, and threats associated with the new office and its operations. By conducting a risk assessment, the organization can gain insights into the specific security challenges and requirements posed by the new country's security laws. It allows the organization to prioritize and address risks effectively, tailor security measures to the local context, and allocate resources appropriately.

richck102 (Option: C)
Jul 4, 2023

C. the most stringent requirements.

oluchecpoint (Option: C)
Sep 9, 2023

Option C

bradseth (Option: C)
Oct 3, 2023

C based on the question

Marcovic00 (Option: A)
Nov 20, 2023

Compliance can be treated as any other risk.

POWNED (Option: C)
Jan 19, 2024

I believe the answer is C. Why I believe this is C: because it's asking what the security strategy will be based off of. Once you have an understanding of the security requirements (C), you will then do a risk assessment to find the gaps. If you go straight to a risk assessment, you will have no idea what requirements need to be met.

xcjxcj (Option: A)
Mar 10, 2024

A is correct. I think most people selected C because local regulations should override company security policies. But C is saying the most stringent requirement, which is not regulation or compliance. Imagine all your docs can only be viewed after 2 levels of decryption. (C)

Thavee (Option: C)
Apr 14, 2024

Agreed with C, but in real life it would be costly if, of my pool of customers from 20 countries, only one is the most stringent. That means I will have to rework my other e-commerce sites.

03allen (Option: C)
Jun 20, 2024

Base it on the most restrictive if you cannot provide a local policy.