CISSP Question #1461: Real Exam Question with Answer & Explanation

The correct answer is C: It should be expressed in business terminology. A baseline cybersecurity standard for suppliers should be expressed in business terminology so that non-technical supplier stakeholders can understand and comply with the requirements.

Submitted by stefanr · Mar 5, 2026 · Security and Risk Management

Question

An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being awarded a contract. Which of the following statements is TRUE about the baseline cybersecurity standard?

Options

  • A. It should be expressed as general requirements.
  • B. It should be expressed in legal terminology.
  • C. It should be expressed in business terminology.
  • D. It should be expressed as technical requirements.

Explanation

A baseline cybersecurity standard for suppliers should be expressed in business terminology so that non-technical supplier stakeholders can understand and comply with the requirements.

Common mistakes.

  • A. Expressing requirements as general requirements is too vague and provides insufficient specificity for suppliers to implement consistent, measurable controls, undermining the purpose of a baseline standard.
  • B. Legal terminology is appropriate for contracts and agreements but is not ideal for a cybersecurity baseline standard, as it can be ambiguous regarding specific security expectations and difficult for supplier security teams to interpret and implement.
  • D. Technical requirements are appropriate for internal IT or engineering teams but are unsuitable as the primary expression of a supplier baseline standard, since many supplier stakeholders lack the technical background needed to interpret and act on such language.

Concept tested. Supply chain cybersecurity baseline standard communication

Reference. https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final

Topics

Supplier risk management, Third-party security, Cybersecurity standards, Business communication
