CISSP Exam Questions

CISSP Exam - Question 344


Which of the following is considered the FIRST step when designing an internal security control assessment?

Correct Answer: C

When designing an internal security control assessment, the first step is to create a plan based on a recognized framework of known controls. The framework supplies the catalogue of controls the assessment is measured against, which gives the work a structured, repeatable scope and ensures that every control family is covered rather than only the areas suggested by a particular breach, a reconnaissance exercise or a recent vulnerability scan. NIST SP 800-53 (with the matching assessment procedures in SP 800-53A), ISO/IEC 27001 Annex A and the CIS Controls are the usual baselines. Reconnaissance of the infrastructure and vulnerability scan results are then used to tailor the control set to the systems in scope and to gather evidence during the assessment; they do not decide what the assessment covers.

Discussion

24 comments
WiDeBarulho (Option: B)
Oct 25, 2022

You should only create a plan based on a recognized framework once you've done proper reconnaissance of your infrastructure. In most cases companies ignore this because they have a pretty good "idea" of what they have so they move to selecting a framework. But it is a critical FIRST step.

Cww1
Sep 13, 2022

Do you not need a framework to assess against?

jackdryan
May 14, 2023

B is correct

noname4 (Option: A)
Feb 21, 2023

B is correct, see NIST 800-115

BoyBastos (Option: C)
Sep 4, 2023

C. Create a plan based on a recognized framework of known controls. When designing an internal security control assessment, the first step is to create a plan based on a recognized framework of known controls. Using established frameworks such as NIST SP 800-53, ISO/IEC 27001, or CIS Controls provides a structured approach to assessing security controls and ensures that relevant areas are covered systematically. While the other options (relying on comprehensive knowledge of known breaches, reconnaissance of the organization's infrastructure, recent vulnerability scans) are important aspects of security assessments, they come after the initial step of creating a plan based on a recognized framework of controls.

GuardianAngel
Feb 8, 2024

The VERY FIRST step would be to define scope and objectives, which is not listed. The 2nd step would be to pick a framework, ANSWER C. Then the interviews/recon, etc. happen. The first few steps that apply here are:
1. Identify the scope and objectives of the assessment.
2. Select a recognized framework of known controls, such as NIST SP 800-53, ISO/IEC 27001, or CIS Controls.
3. Develop assessment procedures based on the chosen framework.
4. Determine the resources needed for the assessment, including personnel, tools, and documentation.
5. Schedule the assessment activities, including interviews, document reviews, and technical testing.

Hongjun
Mar 29, 2024

Identifying the scope and objectives of the assessment is B: understand what your company is, what it has, how it works, what needs to be protected, etc.

Tuhaar (Option: B)
Dec 17, 2024

B is right: you choose a framework depending on what inventory you have. For example, if you have credit card transactions you are working with PCI, so the PCI compliance framework is applicable. You don't decide on a framework and then look at the components/inventory.

Rollingalx
Feb 20, 2023

I go with C. Option B, creating a plan based on reconnaissance of the organization's infrastructure, can be useful for understanding the organization's IT assets and identifying potential vulnerabilities. However, this also should be done after selecting a framework.

liledag
Mar 28, 2023

Yes, you are correct. The first step when designing an internal security control assessment is to create a plan based on a recognized framework of known controls. By doing so, the assessment can be conducted in a structured and organized manner, following established guidelines and best practices. This helps to ensure that all areas of security are covered and that the assessment is thorough and effective.

DapengZhang
Mar 31, 2023

Agree. If you are going to assess the internal controls, the first thing is to recognize all running/existing controls.

Meowson
Jul 5, 2023

This is CISSP, of course the answer is C.

InclusiveSTEAM
Nov 7, 2023

C is the best answer. The first step when designing an internal security control assessment is to create a plan based on a recognized framework of known controls, such as NIST SP 800-53 or the CIS Controls. This provides a comprehensive set of relevant security controls to review, rather than basing the plan on specific known breaches, reconnaissance of infrastructure, or vulnerability scans, which may miss important control areas. A framework covers all domains of security controls and establishes a baseline for assessment.
- A is incorrect because known breaches may not cover all necessary control areas.
- B is incorrect because reconnaissance of infrastructure is too limited in scope.
- D is incorrect because vulnerability scans, while useful, do not provide a full picture of security controls.
+ C is the best answer because starting with an established framework of controls provides the most complete baseline for an internal security assessment.

klarak (Option: B)
May 7, 2024

It's probably B. You have to know the system before you know what framework to use...

franbarpro
Oct 26, 2022

The first step should be recon... got to know what we have first before assessing anything. CIS Top 18: know your 1. hardware and 2. software.

DapengZhang (Option: C)
Mar 31, 2023

C. Create a plan based on a recognized framework of known controls is considered the FIRST step when designing an internal security control assessment. When designing an internal security control assessment, the first step is typically to establish a framework of known controls. This framework provides a standardized set of security controls against which an organization can assess its own security posture.

ACunningPlan (Option: C)
Apr 6, 2023

Go with NIST or CIS as a first step, then pursue the others.

HughJassole
Jul 3, 2023

B. https://purplesec.us/learn/security-risk-assessment/ Looks like D comes next, but making an inventory of your infrastructure is first.

Soleandheel
Dec 15, 2023

B. Create a plan based on reconnaissance of the organization's infrastructure. The sequence of steps should generally involve initial reconnaissance, followed by framework selection and planning based on the gathered information. This reconnaissance helps provide context and specific insights that can inform the selection and adaptation of a recognized framework.

YesPlease (Option: C)
Dec 21, 2023

Answer C) Create a plan based on a recognized framework of known controls. https://www.sharetru.com/blog/nist-security-controls-assessment-guide#:~:text=Developing%20a%20strategy%20for%20how%20to%20conduct%20your%20security%20control%20assessments%20makes%20it%20easier%20to%20ensure%20these%20assessments%20are%20uniform%2C%20cost%2Deffective%2C%20and%20comprehensive.

gjimenezf (Option: C)
Jan 27, 2024

First C, choose a framework; then B, SOA to determine which controls apply to your current infrastructure.

eboehm (Option: B)
Apr 10, 2024

If we use the steps in NIST 800-37 (RMF), it would be B: categorize your information systems. This includes questions such as "What do we have? How does this system fit into our organization's business processes? How sensitive is it?" Once that is done, then you move on to selecting security controls, which might include selecting a recognized control framework such as 800-53.

JohnBentass
Jun 14, 2024

Answer is C

deeden (Option: C)
Aug 13, 2024

Frameworks are not exclusively used for external assessments; in fact, they are commonly used in both internal and external assessments. Many organizations use recognized security frameworks as a foundation for planning and performing internal assessments because these frameworks provide a standardized approach to identifying, implementing, and evaluating security controls (a.k.a. informal assessments).

JeffDidntKillHimself (Option: C)
Nov 16, 2024

A framework of best practices is best. It will also guide you in how and what to look for while assessing your org's infrastructure. You are also likely dealing with regulatory compliance, so you would choose a framework based on how your business operates, like PCI DSS or NIST, and not based on the devices you have.

Jayelv (Option: C)
Dec 28, 2024

C is correct. That is why we have control frameworks.

3545cec (Option: C)
Feb 12, 2025

When designing an internal security control assessment, the first step is to establish a structured approach using a recognized framework of known controls (e.g., NIST Cybersecurity Framework, ISO 27001, CIS Controls). This ensures that the assessment is comprehensive, standardized, and aligned with industry best practices.

a_kto_to (Option: C)
May 2, 2025

ChatGPT: C. When designing an internal security control assessment, the first step should be to align the assessment with a recognized framework (e.g., NIST 800-53, ISO/IEC 27001, COBIT). This ensures:
- The assessment is structured and standardized.
- Controls are comprehensive and traceable to known best practices.
- The plan is scalable and comparable across assessments and organizations.