An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being awarded a contract. Which of the following statements is TRUE about the baseline cybersecurity standard?
A. It should be expressed as general requirements.
B. It should be expressed as technical requirements.
C. It should be expressed in business terminology.
A baseline cybersecurity standard should be expressed in technical requirements to ensure clear and measurable expectations for suppliers. This includes specific controls, technologies, and processes that must be implemented.
While general requirements can provide a high-level overview, technical requirements are essential for effective evaluation and enforcement of the standard.
Here's a breakdown of why the other options are less effective:
A. General requirements: Too vague and difficult to enforce.
C. Business terminology: While understanding business needs is important, the standard should focus on technical implementation details.
D. Legal terminology: While legal considerations are important, the primary focus should be on technical requirements to ensure effective security.
Here’s why "C. It should be expressed in business terminology" is appropriate:
Clarity for Stakeholders: Using business terminology helps ensure that all stakeholders, including suppliers, understand the expectations and the rationale behind them. This approach promotes better alignment and cooperation.
Alignment with Business Objectives: Expressing cybersecurity requirements in business terms ensures that they are seen as integral to achieving business goals, rather than as isolated technical mandates.
Effective Communication: Managers and executives need to communicate security requirements in a way that resonates with the business context, making it easier for suppliers to see the value and necessity of compliance.
Refer to chapter 1, the description of SLA and SLR. It talks about how the third party or company in your supply chain shall have minimum security standards. It relates to business. Technical details were developed by the third-party company by following your business requirements. You don't give them the technical details.
Think like a manager, guys. Using business terminology to express technical security things to other stakeholders is what a manager would do. You don't want to use too technical or even legal terminology when communicating with other stakeholders like suppliers. Business terminology is what you want to use when communicating security baselines to prospective suppliers. Remember, you want to think like an executive or a manager, not an engineer.
The correct answer is C - business terminology
The statement that is true regarding the enterprise's baseline cybersecurity standard for suppliers is that it should be expressed in business terminology, option C.
The standard should focus on desired security outcomes in plain business language, rather than technical details or legal jargon. This makes requirements accessible to suppliers without cybersecurity expertise.
Option A is incorrect because general requirements can be too vague. Specific outcomes should be stated.
Option B is incorrect because technical jargon would be hard for suppliers to understand.
Option D is incorrect because legal terminology is overly formal for a cyber baseline.
This is the baseline; go general to get the largest supplier audience without giving away details of your cybersecurity, and then, once some qualify that you can hold accountable, set the details.
Clearly an organization will have multiple suppliers for different products and services. A baseline cybersecurity standard will have to be included as part of its technical requirements.