CISSP 2023 Practice Questions (Scenario-Based) - Domain 1: Security & Risk Management

  • Uploaded 28. 08. 2024

Comments • 16

  • @Tradmos 5 months ago +1

    This is a surprising answer... Accepting the risk is a big gamble when a critical vulnerability is already identified.

    • @InfoSecGuardians 5 months ago

      Considering the criticality of the application for daily operations, the Business may accept the Risk.
      While accepting the risk is not always the best long-term solution, in some cases it may be a pragmatic approach to managing the immediate impact of a critical vulnerability until a permanent fix can be implemented. This approach may be accompanied by temporary measures to mitigate the risk and a plan to implement a permanent fix as soon as feasible.

  • @JaredEvans 5 months ago +1

    For Question #5, CISSP preaches that the safety of humans is the #1 priority, no matter what. Why isn't B) Relocating the data center to a fire-resistant building the best answer? This would warrant immediate action. Developing and testing a DRP would take a while, and humans would still be at risk due to the high possibility of a fire event.

  • @Tradmos 5 months ago +1

    Question 4. You cannot provide a secure, approved device for the executive and enforce BYOD at the same time.

    • @InfoSecGuardians 5 months ago

      Organizations today operate in a hybrid environment where Organizational Devices and BYOD go hand in hand.
      Enforcing the BYOD policy and providing a secure, approved device for the executive is the most appropriate action because it ensures security compliance, mitigates risks, maintains consistency in policy enforcement, and helps the executive understand the importance of security practices.
      In practice, Senior Executives are provided with secure devices (e.g. mobile phone, iPad, etc.) while they also use BYOD for ease of business.

  • @ArunKumar-jy7cg 11 months ago

    Very useful content 😊

  • @danielumeh3610 7 months ago +2

    Question 2: I disagree with the answer. Let me support my case with this example. Imagine having a car that was recalled due to its braking system. Would you accept the risk and keep driving the car? Please, I'm here to learn, teach me more. Thank you!

    • @InfoSecGuardians 7 months ago +2

      Thanks @danielumeh3610 for your review.
      Could you please imagine the same car carrying a critical patient to hospital?
      Risk is always proportionate to the Reward.
      The question mentions "application is critical for daily operations".
      Always remember, as a CISSP you are only consulted (RACI matrix) but the actual decision will be with the Business.
      t.me/CisspInfosecGuardians

    • @tareknageeb5650 5 months ago

      I disagree too. I think the question lacks details to be sure about an accurate answer. Even in your answer you say the organisation "may" choose ...
      The answer depends on how "critical" the vulnerability is (software is internet reachable, easy to find/exploit vulnerability, etc.), and what risks it presents (e.g. an attacker might take over the whole internal network or just one server, reputation can be ruined, all customer data can be compromised, etc.). For example, if the risk cost is higher than the "daily operations" disruption costs for the company, avoiding the risk (until the issue is mitigated) could be a better decision. Also "mitigating the risk" could be good, for example if a FW or a WAF can help control some of the risk.

    • @tundeayeni4477 a month ago

      You can also imagine being around a danger zone where you need to drive temporarily to avoid the danger zone... this is what is meant by accepting the risk in the short term while working on mitigation in the long term.

  • @pgunwant 5 months ago +1

    I find the explanations not very correct here.
    Accepting the risk despite knowing of a critical vulnerability?
    Enforcing the BYOD policy first and then providing a separate device to the executive.
    I really couldn't understand it.

    • @InfoSecGuardians 5 months ago

      Thanks for your review.
      Let us understand the rationale.
      For the first comment:
      Risk Acceptance is always decided by the Business.
      While the Issue / Vulnerability may be rated as Critical, the Business may still continue with the Risk to seize an opportunity. A classic example is WFH during the pandemic.
      Security is a support function to the Business and not a Business in itself.
      For the second comment:
      Organizations today operate in a hybrid environment where Organizational Devices and BYOD go hand in hand.
      Enforcing the BYOD policy and providing a secure, approved device for the executive is the most appropriate action because it ensures security compliance, mitigates risks, maintains consistency in policy enforcement, and helps the executive understand the importance of security practices.
      In practice, Senior Executives are provided with secure devices (e.g. mobile phone, iPad, etc.) while they also use BYOD for ease of business.

  • @faboge 6 months ago +1

    Why is question 1 not a compliance risk? I keep seeing PCI DSS

    • @InfoSecGuardians 6 months ago

      In this scenario the organization may be in compliance with PCI DSS, but that doesn't guarantee protection against a breach. Whenever business is performed, there are always certain risks involved, which in this case was a vulnerability in the payment system. There is always a time lag between vulnerability identification and its remediation, and during this time the system will be at risk.

  • @khanget a month ago

    Some of the answers in this video are not correct; I can't agree with the given explanation of the answer.

  • @AhsanKhawaja-l4e 20 days ago

    Not accurate