While regulatory compliance is important, it's not necessarily the most important consideration when defining security configuration baselines. Compliance with regulations can help reduce risk, but baselines should first and foremost be proportionate to the risks the organization faces. This means that the baselines should be tailored to the specific risks and threats that the organization is most likely to encounter, rather than simply aiming to meet a minimum standard set by a regulation. Compliance with regulations is important, but it should not be the only or primary consideration when defining security configuration baselines.
It's B, because of the word "proportionate". This means that the baseline configuration is well balanced between potential operational restrictions (e.g., blocking USB usage) and security benefits. Essentially, proportionate risk can include the considerations of all other answer options A, C and D.
This is actually a tricky one. For example, if the industry regulation demands that you protect confidentiality of data with encryption that has at least 2048-bit long encryption keys, then your security baselines have to reflect that by stating what encryption algorithms must be used at minimum. Otherwise you're breaking the regulatory requirements. Therefore, A would be a correct answer.
On the other hand, if the risk of non-compliance with regulatory requirements is actually acceptable to the business, then baselines can also reflect that. In that case the answer should be B.
Interested in hearing other opinions. Maybe I'm just overthinking it...
B. The baselines are proportionate to risk.
Security measures should be balanced and aligned with the specific risks faced by an organization. This approach allows for a more efficient allocation of resources and helps avoid overburdening systems with unnecessary security configurations or neglecting critical security measures that are relevant to the organization's risk profile. Therefore, ensuring that security measures are proportionate to the risk is a key principle in effective cybersecurity.