
GSEC Question #88: Real Exam Question with Answer & Explanation

The correct answer is B. Define security policy requirements.

Question

Which of the below choices should an organization start with when implementing an effective risk management process?

Options

  • A. Implement an incident response plan
  • B. Define security policy requirements
  • C. Conduct periodic reviews
  • D. Design controls and develop standards for each technology you plan to deploy

Explanation

An effective risk management program must begin with defining security policy requirements, as policy establishes the governance framework that drives all subsequent decisions.

Common mistakes.

  • A. An incident response plan is a reactive component of risk management and can only be meaningfully designed after policies define what assets and risks require protection.
  • C. Periodic reviews are an ongoing, cyclical activity intended to assess the effectiveness of controls already in place and cannot be the starting point of a program.
  • D. Designing controls and technology standards presupposes that policies exist to specify what must be protected and to what degree, so controls must follow policy, not precede it.

Concept tested. Risk management process initiation with security policy

Reference. https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
