Which of the following is considered the FIRST step when designing an internal security control assessment?
When designing an internal security control assessment, the first step is to create a plan based on a recognized framework of known controls. This provides a structured and organized approach, ensuring that all security controls are systematically covered. Frameworks such as NIST SP 800-53, ISO/IEC 27001, or CIS Controls offer comprehensive guidelines that form the baseline for the assessment. Establishing a framework first helps in covering all domains of security controls effectively, rather than starting with specific vulnerabilities or infrastructure reconnaissance.
You should only create a plan based on a recognized framework once you've done proper reconnaissance of your infrastructure. In most cases companies ignore this because they have a pretty good "idea" of what they have, so they move straight to selecting a framework. But it is a critical FIRST step.
Do you not need a framework to assess against?
B is correct
The VERY FIRST step would be to define the scope and objectives, which is not listed. The 2nd step would be to pick a framework (answer C). Then the interviews, recon, etc., happen. The first few steps that apply here are:
1. Identify the scope and objectives of the assessment.
2. Select a recognized framework of known controls, such as NIST SP 800-53, ISO/IEC 27001, or CIS Controls.
3. Develop assessment procedures based on the chosen framework.
4. Determine the resources needed for the assessment, including personnel, tools, and documentation.
5. Schedule the assessment activities, including interviews, document reviews, and technical testing.
Identifying the scope and objectives of the assessment is B: understand what your company is, what it has, how it works, what needs to be protected, etc.
C. Create a plan based on a recognized framework of known controls. When designing an internal security control assessment, the first step is to create a plan based on a recognized framework of known controls. Using established frameworks such as NIST SP 800-53, ISO/IEC 27001, or CIS Controls provides a structured approach to assessing security controls and ensures that relevant areas are covered systematically. While the other options (relying on comprehensive knowledge of known breaches, reconnaissance of the organization's infrastructure, recent vulnerability scans) are important aspects of security assessments, they come after the initial step of creating a plan based on a recognized framework of controls.
B is correct, see NIST 800-115
C is the best answer. The first step when designing an internal security control assessment is to create a plan based on a recognized framework of known controls, such as NIST SP 800-53 or the CIS Controls. This provides a comprehensive set of relevant security controls to review, rather than basing the plan on specific known breaches, reconnaissance of infrastructure, or vulnerability scans, which may miss important control areas. A framework covers all domains of security controls and establishes a baseline for assessment.
- A is incorrect because known breaches may not cover all necessary control areas.
- B is incorrect because reconnaissance of infrastructure is too limited in scope.
- D is incorrect because vulnerability scans, while useful, do not provide a full picture of security controls.
+ C is the best answer because starting with an established framework of controls provides the most complete baseline for an internal security assessment.
This is CISSP, of course the answer is C.
I go with C. Option B, creating a plan based on reconnaissance of the organization's infrastructure, can be useful for understanding the organization's IT assets and identifying potential vulnerabilities. However, this should also be done after selecting a framework.
Yes, you are correct. The first step when designing an internal security control assessment is to create a plan based on a recognized framework of known controls. By doing so, the assessment can be conducted in a structured and organized manner, following established guidelines and best practices. This helps to ensure that all areas of security are covered and that the assessment is thorough and effective.
Agree. If you are going to assess the internal controls, the first thing you need is to recognize all running/existing controls.
Answer is C
It's probably B. You have to know the system before you know what framework to use...
If we use the steps in NIST 800-37 (RMF), it would be B: categorize your information systems. This includes questions such as "What do we have?", "How does this system fit into our organization's business processes?", and "How sensitive is it?" Once that is done, then you move on to selecting security controls, which might include selecting a recognized control framework such as 800-53.
First C, choose a framework; then B, an SOA to determine which controls apply to your current infrastructure.
Answer C) Create a plan based on a recognized framework of known controls. https://www.sharetru.com/blog/nist-security-controls-assessment-guide#:~:text=Developing%20a%20strategy%20for%20how%20to%20conduct%20your%20security%20control%20assessments%20makes%20it%20easier%20to%20ensure%20these%20assessments%20are%20uniform%2C%20cost%2Deffective%2C%20and%20comprehensive.
B. Create a plan based on reconnaissance of the organization's infrastructure. The sequence of steps should generally involve initial reconnaissance, followed by framework selection and planning based on the gathered information. This reconnaissance helps provide context and specific insights that can inform the selection and adaptation of a recognized framework.
B. https://purplesec.us/learn/security-risk-assessment/ Looks like D comes next, but making an inventory of your infrastructure is first.
Go with NIST or CIS as a first step, then pursue the others.
C. Create a plan based on a recognized framework of known controls is considered the FIRST step when designing an internal security control assessment. When designing an internal security control assessment, the first step is typically to establish a framework of known controls. This framework provides a standardized set of security controls against which an organization can assess its own security posture.