CISSP Exam Questions

CISSP Exam - Question 57


An organization is setting a security assessment scope with the goal of developing a Security Management Program (SMP). The next step is to select an approach for conducting the risk assessment. Which of the following approaches is MOST effective for the SMP?

A. Security controls driven assessment that focuses on controls management
B. Business processes based risk assessment with a focus on business goals
C. Asset driven risk assessment with a focus on the assets
D. Data driven risk assessment with a focus on data

Correct Answer: B

A business processes based risk assessment with a focus on business goals is the most effective approach for developing a Security Management Program (SMP). This approach aligns risk assessment activities with the broader strategic objectives of the organization, ensuring that security measures directly support business continuity and success. A business-centric perspective is essential for identifying critical processes and understanding how security risks can impact these processes. By focusing on business goals, organizations can prioritize their resources to protect the most vital areas, thereby achieving a more comprehensive and effective security management strategy.

Discussion

17 comments
FredDurst (Option: B)
Nov 3, 2022

This is an easy one. The reason we conduct security assessments as part of developing a functional/relevant security program is to generate value to the stakeholders by ensuring that the identified risks to the BUSINESS are optimized and we are left with residuals. Other answers are tactical. As a cybersecurity leader you must turn tactical observations into strategic insights, but first you must find out what business process/function is the cash cow or star player, then identify the assets, data etc. that enable it, and then get tactical and geek out with your security toys. This question wants to measure your business savvy, savvy? lol

dirk_gentley (Option: C)
Sep 10, 2022

First step of Risk Assessment is to identify assets. https://sansorg.egnyte.com/dl/RFrVIbX2oc

jackdryan
May 10, 2023

C is correct

Bach1968 (Option: D)
Jul 5, 2023

A data-driven risk assessment approach involves identifying and analyzing the organization's data assets, understanding the data flows, and assessing the risks associated with the confidentiality, integrity, and availability of the data. This approach allows for a focused examination of the specific data elements and their associated risks, which can be crucial for organizations that heavily rely on data processing and storage. By understanding the criticality and sensitivity of different types of data, the organization can prioritize its security efforts and implement appropriate safeguards to protect the data. This approach aligns with the principle of risk-based decision-making, where resources are allocated based on the potential impact and likelihood of data-related risks. In summary, both option B: Business processes based risk assessment with a focus on business goals and option D: Data-driven risk assessment with a focus on data can be effective approaches for conducting the risk assessment as part of developing an SMP. The choice between these approaches will depend on the specific needs, priorities, and nature of the organization.

Azurefox79 (Option: D)
Apr 3, 2023

It's all about the data, baby

HughJassole (Option: C)
Jun 22, 2023

B is out because a CISSP wouldn't be evaluating business process. It's all about securing assets, so C.

Dam0s (Option: D)
Sep 13, 2023

This post explores the methodology one should use for that risk assessment, including the different approaches to building a strong information security management program. ... When conducting an information security risk assessment, you first need to identify and understand all the risk-prone IT assets in your enterprise. https://reciprocity.com/risky-business-risk-assessments-101/

Soleandheel (Option: B)
Dec 5, 2023

B. Business processes based risk assessment with a focus on business goals. Think like a manager guys. It's always about the priorities of the business.

iwannapass (Option: B)
Feb 7, 2024

B. Security SUPPORTS the Business Goal. Without the business, there is no security; who will be paying for security? The Business Goal is most important; Security will support the Business Goal.

GuardianAngel (Option: B)
Feb 10, 2024

ANSWER: B. Business processes based risk assessment with a focus on business goals
https://www.ifc.org/content/dam/ifc/doc/mgrt/p-handbook-securityforces-2017.pdf
https://policy.un.org/sites/policy.un.org/files/files/documents/2020/Oct/spm_-_chapter_iv_-_section_a_-_security_risk_management_2.pdf
https://documents1.worldbank.org/curated/en/962101606403107500/pdf/Security-Management-Plan-Emergency-Locust-Response-Program-P173702.pdf
https://documents1.worldbank.org/curated/en/099530109052230270/pdf/P1767580b5e94b07108eb00a05d98f790d1.pdf

win610 (Option: B)
Jul 13, 2023

Business goal is the most important.

InclusiveSTEAM (Option: B)
Oct 8, 2023

The answer should be B.

An organization is setting a security assessment scope with the goal of developing a Security Management Program (SMP). The next step is to select an approach for conducting the risk assessment. Which of the following approaches is MOST effective for the SMP?

A. Security controls driven assessment that focuses on controls management
B. Business processes based risk assessment with a focus on business goals
C. Asset driven risk assessment with a focus on the assets
D. Data driven risk assessment with a focus on data

homeysl (Option: B)
Oct 11, 2023

B. Business goals

Destcert (Option: D)
Oct 31, 2023

Considering the fact that the most valuable asset for my business over time is data, we can boil down to the most important consideration, i.e. Data.

YesPlease (Option: C)
Dec 9, 2023

Answer C) Asset driven risk assessment with a focus on the assets. "Security management is the high-level process of cataloguing enterprise IT assets and developing the documentation and policies to protect them from internal, external, and cyber threats." https://www.hpe.com/us/en/what-is/security-management.html

Hackermayne (Option: B)
Jan 9, 2024

I'm gonna say the business goals. It just says organization, not a for profit business, there are some situations like governments and nonprofits (and even some instances in normal for profit business) where you won't care about the assets as long as you're meeting the goal.

Vaneck (Option: B)
Mar 21, 2024

The most effective approach for the Safety Management Program (SMP) is: B. Business process-based risk assessment with a focus on business objectives. This approach ensures that risk assessment is aligned with business objectives and needs, enabling risk management that directly supports the organization's strategic objectives. By focusing on business processes, the organization can better understand how security risks affect its operations and make informed decisions to mitigate these risks appropriately.

CCNPWILL (Option: B)
Jun 3, 2024

Security strategy needs to be in line with business strategy. Answer is B.