
CISM Exam - Question 609


Information security controls should be designed PRIMARILY based on:

Correct Answer: C

Information security controls should be designed primarily based on business risk scenarios. This approach ensures that the most important assets and processes of an organization are protected by addressing the hypothetical situations that pose the greatest potential harm. Aligning security controls with business risk scenarios allows for prioritization of efforts and resources to mitigate the most significant risks, thereby supporting the overall risk management strategy and business objectives.

Discussion

10 comments
Broesweelies (Option: C)
Jan 28, 2023

Information security controls should be designed primarily based on business risk scenarios because they ensure that an organization's most important assets and processes are protected. A business risk scenario is a hypothetical situation that could potentially cause harm to the organization's assets or operations. By identifying and understanding these scenarios, an organization can prioritize its efforts and resources to mitigate the most significant risks to the business. Additionally, this approach allows the organization to align its security controls with its overall risk management strategy and business objectives.

Thavee
Apr 14, 2024

ISC follows security strategy, and security strategy (approved by the security steering committee) follows business objectives, always. Stakeholders do not care about some risks at all if the risk is USD 100,000.00 but the likelihood is 0.001%.

Manzer (Option: D)
Dec 21, 2022

A BIA will show you where you should be putting your efforts.

aokisan (Option: C)
Dec 24, 2022

Risk management is based on scenarios.

CarlLimps (Option: C)
Feb 25, 2023

I like C as well.

meelaan (Option: D)
Apr 10, 2023

C is included in D, so D.

xcjxcj (Option: D)
Mar 10, 2024

A = law, B = probability, C = risk result, D = criticalness. Controls should be designed based on criticalness. C is efficiency, D is effectiveness.

richck102 (Option: C)
Jul 4, 2023

C. business risk scenarios.

POWNED (Option: D)
Feb 1, 2024

I believe the best answer here is D.

Thavee (Option: D)
Apr 14, 2024

First, to understand BIA (CISM Prep Guide, McGraw Hill):

Business Impact Analysis. Business impact analysis (BIA) is the study of business processes in an organization to understand their relative criticality, their dependencies upon resources, and how they are affected when interruptions occur. The objective of the BIA is to identify the impact that different business disruption scenarios will have on ongoing business operations. The results of the BIA drive subsequent activities, namely BCP and DRP. The BIA is one of several steps of critical, detailed analysis that must be carried out before the development of continuity or recovery plans and procedures.

The question is "Information security controls should be designed PRIMARILY based on".

Thavee
Apr 14, 2024

Information Security Control Design and Selection. The procedures, mechanisms, systems, and other measures designed to reduce risk through compliance to policies are known as controls. An organization develops controls to ensure that its business objectives will be met, risks will be reduced, and errors will be prevented or corrected. Controls are created to ensure desired outcomes and to avoid unwanted outcomes. They are created for several reasons, including the following:

• Regulation: A regulation on cybersecurity or privacy may emphasize certain outcomes, some of which may compel an organization to develop controls.
• Risk assessment: A recent risk assessment or targeted risk analysis may indicate a higher than acceptable risk. The chosen risk treatment may be mitigation in the form of a new control.
• Audit result: The results of a recent audit may indicate a trouble spot warranting additional attention and care.

03allen (Option: C)
Jun 20, 2024

Controls are provided based on the security risk assessment.

03allen
Jun 20, 2024

And you don't need a BIA to define controls.