D makes more sense, since this is the MOST important: start sorting the issues considering the risk, and then start checking the cost of the mitigation control vs. the impact.
Applying a risk-based approach involves identifying and assessing the risks faced by the organization and then designing security controls that are proportionate to the identified risks. This ensures that resources are allocated efficiently and that security measures are aligned with the organization's risk tolerance and priorities.
While focusing on preventive controls (option A) is important, an exclusive focus on prevention may not adequately address all potential risks. Applying controls to confidential information (option B) is essential but should be guided by the overall risk landscape. Evaluating the costs associated with controls (option C) is also important, but cost-effectiveness should be considered in the context of risk reduction. A risk-based approach helps organizations prioritize and tailor their security controls to address the most significant threats and vulnerabilities.
D
While preventive controls (option A) are important, they are only one aspect of a comprehensive security strategy. Focusing solely on preventive controls without considering the organization's specific risks may result in inefficient resource allocation and an inadequate response to the most critical threats.
Applying controls to confidential information (option B) is also important but should be guided by the overall risk assessment and not solely based on confidentiality. Different types of information may have varying levels of sensitivity, and a risk-based approach helps determine appropriate controls for each.
In summary, applying a risk-based approach to security control design ensures that an organization's security measures are tailored to its unique risk profile, leading to more effective and efficient security.
C. This is where experience comes in. Anyone who designs controls without cost in mind will know they will immediately be rejected by Senior Management. It's a waste of time if you don't consider cost. Also, this is a Business Mindset exam, not a sec analyst exam. Cost is everything for the CISM.
Value creation (one of the primary objectives of Governance) is realizing benefits at an optimal resource cost while optimizing risk. So, no, cost is not everything. Cost is just one side of the coin.
If you don't know the risk, how would you calculate the cost vs. benefit? I would think D is a better option than C. Interested to hear why C is a better answer than D.
It's C. It's not asking about cost vs. benefit, just cost. I ALWAYS have to have cost in mind in designing controls. Otherwise, I design awesome controls and I get rejected for budget because they are more expensive than the assets they protect. If you don't get cost right, nothing else will matter because you won't get any money. This is a business-mindset exam, not a Security+ exam.
Answer C
Think about a small organisation which doesn't have much capital to invest, but has high potential risk for its business vector. This kind of organisation looks for cost-effective compensating controls instead of implementing expensive security controls. Hence the topmost priority is cost when selecting the controls.
D. Apply a risk-based approach is the MOST important when designing security controls. This means identifying and prioritizing risks, assessing the likelihood and impact of potential threats, and selecting controls that are appropriate and cost-effective to mitigate those risks. A risk-based approach ensures that security controls are tailored to the specific needs of the organization and aligned with its business objectives. While preventive controls are important, they may not be sufficient to address all security risks. It is also important to consider detective and corrective controls to detect and respond to security incidents. Confidential information may require more stringent controls, but all information assets should be assessed for risk and addressed accordingly. Finally, the costs associated with the controls should be evaluated, but this should not be the only consideration, as the cost of a security breach can be much higher.
Folks. The answer is D. Repeat after me... "Take a risk-based approach". All other options are part of taking an RBA. Always take a risk-based approach when identifying controls. Did I mention... take a risk-based approach when identifying controls? :)