Exam CISSP topic 1 question 57 discussion

This is an easy one . The reason we conduct security assessments as part of developing a functional/relevant security program is to generate value to the stakeholders by ensuring that the identified risks to the BUSINESS are optimized and we are left with residuals . Other answers are tactical .As a cybersecurity leaders you must turn tactical observations into strategic insights but first must find out what business process / function is the cash cow or star player and then identify the assets , data etc that enable it and then get tactical and geek out with your security toys . This question wants to measure your business savvy, savvy ? lol

First step of Risk Assessment is to identify assets. https://sansorg.egnyte.com/dl/RFrVIbX2oc

When developing a Security Management Program (SMP), the primary objective is to align security efforts with the organization’s overall business goals. A business process-based risk assessment ensures that the security strategies directly address and protect critical processes that are essential for achieving organizational objectives. This approach effectively identifies risks in the context of the organization's operations and priorities.

first thing to do when conducting risk assessment is the identifications of assets , the data is included as an asset , then the control based risk assessment to make sure the security controls are implemented correctly when needed and the B choice it is rarely when security is being an important as business goal ,but thu it is not the first step as the question tells

This approach focuses on identifying and assessing risks that could impact the organization's ability to achieve its business goals. This is the most effective approach for developing a Security Management Program (SMP) because it ensures that security controls are aligned with the organization's strategic objectives.

I agree with the majority in saying that everything needs to align with the business goals i.e., assets, security controls, etc. But I can't get my head around the idea that most risk management framework always starts with discovery and asset identification. You can't protect what you don't know. Now, this question is about the scope of security assessment, and the approach for conducting risk assessment. Personally, I would select a risk-based approach (but it's not an option) and that would just take you back to asset identification.

Security is protecting your crown jewels. What are your assets and why you have to protect them, what are th business goals you have driven. All ties to Assets first.

Security strategy needs to be in line with business strategy. Answer is B.

The most effective approach for the Safety Management Program (SMP) is : B. Business process-based risk assessment with a focus on business objectives. This approach ensures that risk assessment is aligned with business objectives and needs, enabling risk management that directly supports the organization's strategic objectives. By focusing on business processes, the organization can better understand how security risks affect its operations, and make informed decisions to mitigate these risks appropriately.

ANSWER: B. Business processes based risk assessment with a focus on business goals https://www.ifc.org/content/dam/ifc/doc/mgrt/p-handbook-securityforces-2017.pdf https://policy.un.org/sites/policy.un.org/files/files/documents/2020/Oct/spm_-_chapter_iv_-_section_a_-_security_risk_management_2.pdf https://documents1.worldbank.org/curated/en/962101606403107500/pdf/Security-Management-Plan-Emergency-Locust-Response-Program-P173702.pdf https://documents1.worldbank.org/curated/en/099530109052230270/pdf/P1767580b5e94b07108eb00a05d98f790d1.pdf

B. Security SUPPORTS the Business Goal. Without the business, there is no security, who will be paying security? The Business Goal is most important, Security will support the Business Goal

I'm gonna say the business goals. It just says organization, not a for profit business, there are some situations like governments and nonprofits (and even some instances in normal for profit business) where you won't care about the assets as long as you're meeting the goal.

Answer C) Asset driven risk assessment with a focus on the assets Security management is the high-level process of cataloguing enterprise IT assets and developing the documentation and policies to protect them from internal, external, and cyber threats. https://www.hpe.com/us/en/what-is/security-management.html

B. Business processes based risk assessment with a focus on business goals. Think like a manager guys. It's always about the priorities of the business.

Considering the fact that most valuable assets for my business overtime is data. We can boil down to the most important consideration i.e. Data

B. Business goals

The answer should be B An organization is setting a security assessment scope with the goal of developing a Security Management Program (SMP). The next step is to select an approach for conducting the risk assessment. Which of the following approaches is MOST effective for the SMP? A. Security controls driven assessment that focuses on controls management B. Business processes based risk assessment with a focus on business goals C. Asset driven risk assessment with a focus on the assets D. Data driven risk assessment with a focus on data