Exam CISSP All Questions
Question 70

An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being awarded a contract. Which of the following statements is TRUE about the baseline cybersecurity standard?

    Correct Answer: B

    A baseline cybersecurity standard should be expressed as technical requirements. This is because it needs to outline the specific security measures and controls that suppliers must have in place to ensure an adequate level of cybersecurity. General or business terminology might not provide the necessary detail for suppliers to understand and implement the required security measures effectively. Legal terminology is also too formal and may not convey the practical steps needed to meet the cybersecurity standards.

Discussion
ACunningPlan (Option: A)

This is the baseline: go general to get the largest supplier audience without giving away details of your cybersecurity, and then, once some qualify that you can hold accountable, set the details.

stickerbush1970 (Option: B)

Correct

gjimenezf (Option: C)

C. Business Terminology

InclusiveSTEAM (Option: C)

The correct answer is C, business terminology. The statement that is true regarding the enterprise's baseline cybersecurity standard for suppliers is that it should be expressed in business terminology, option C. The standard should focus on desired security outcomes in plain business language, rather than technical details or legal jargon. This makes requirements accessible to suppliers without cybersecurity expertise. Option A is incorrect because general requirements can be too vague; specific outcomes should be stated. Option B is incorrect because technical jargon would be hard for suppliers to understand. Option D is incorrect because legal terminology is overly formal for a cyber baseline.

Wz21 (Option: C)

C: Business terminology

Firedragon (Option: B)

B. https://www.nymissa.org/wp-content/uploads/2016/01/Minimum-Baseline-Standards-Presentation_02-21-2016.pdf

jackdryan

B is correct

rdy4u

Think of baseline security as the bare minimum requirements to sufficiently protect against vulnerabilities and threats.

Rachy (Option: B)

B. It's a cybersecurity standard, so I will guess it's cyber vendors.

Chris (Option: C)

Here's why C (it should be expressed in business terminology) is appropriate:

Clarity for stakeholders: Using business terminology helps ensure that all stakeholders, including suppliers, understand the expectations and the rationale behind them. This approach promotes better alignment and cooperation.

Alignment with business objectives: Expressing cybersecurity requirements in business terms ensures that they are seen as integral to achieving business goals, rather than as isolated technical mandates.

Effective communication: Managers and executives need to communicate security requirements in a way that resonates with the business context, making it easier for suppliers to see the value and necessity of compliance.

Ramye (Option: C)

Standards must be set to meet business goals. If it does not meet business needs, then it's useless.

Vasyamba1 (Option: B)

This is related to SLR before signing the contract.

homeysl (Option: A)

Baseline is the keyword

Hongjun (Option: C)

Refer to chapter 1, the description of SLA and SLR. It talks about the third party or company in your supply chain having minimum security standards. It relates to business. Technical details are developed by the third-party company by following your business requirements. You don't give them the technical details.

YesPlease (Option: C)

Answer C) It should be expressed in business terminology. Too technical or legal, and you may confuse your vendor(s).

Soleandheel (Option: C)

C. It should be expressed in business terminology.

Soleandheel (Option: C)

Think like a manager, guys. Using business terminology to express technical security matters to other stakeholders is what a manager would do. You don't want to use overly technical or even legal terminology when communicating with other stakeholders like suppliers. Business terminology is what you want to use when communicating security baselines to prospective suppliers. Remember, you want to think like an executive or a manager, not an engineer.

Jamati (Option: B)

Clearly, an organization will have multiple suppliers for different products and services. A baseline cybersecurity standard will have to be included as part of its technical requirements.