An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being awarded a contract. Which of the following statements is TRUE about the baseline cybersecurity standard?
A.
It should be expressed as general requirements.
B.
It should be expressed as technical requirements.
C.
It should be expressed in business terminology.
A baseline cybersecurity standard should be expressed in technical requirements to ensure clear and measurable expectations for suppliers. A baseline cybersecurity standard should clearly outline specific technical requirements that suppliers must meet to ensure they adhere to the necessary security controls and best practices. This approach ensures that suppliers implement concrete measures to protect against cyber threats, aligning with recognized industry standards and frameworks such as ISO 27001 and NIST CSF.
The correct answer is B. It should be expressed as technical requirements.
Baseline cybersecurity standards should be expressed as technical requirements because they need to provide clear, actionable guidelines that suppliers must follow to ensure their systems and processes meet the necessary security criteria. Technical requirements are specific and measurable, making it easier to assess compliance and enforce the standards
Option C, "It should be expressed in business terminology," is incorrect because baseline cybersecurity standards need to provide clear, actionable guidelines that can be directly implemented by technical teams. Expressing these standards in technical requirements ensures that they are specific, measurable, and enforceable, which is crucial for maintaining security and compliance12.
Business terminology might be too broad or vague, making it difficult for technical teams to understand and implement the necessary security measures. Technical requirements, on the other hand, provide the detailed instructions needed to effectively secure systems and data
The question asks about a baseline cybersecurity standard that suppliers must meet before being awarded a contract. The key here is ensuring that the standard is clear, actionable, and measurable in terms of security expectations.
B. It should be expressed as technical requirements is indeed the best answer. Cybersecurity standards must clearly define the specific security measures, and only technical requirements can ensure the correct implementation of these measures.
A baseline cybersecurity standard should be expressed in technical requirements to ensure clear and measurable expectations for suppliers. This includes specific controls, technologies, and processes that must be implemented.
While general requirements can provide a high-level overview, technical requirements are essential for effective evaluation and enforcement of the standard.
Here's a breakdown of why the other options are less effective:
A. General requirements: Too vague and difficult to enforce.
C. Business terminology: While understanding business needs is important, the standard should focus on technical implementation details.
D. Legal terminology: While legal considerations are important, the primary focus should be on technical requirements to ensure effective security.
Here’s why C. It should be expressed in business terminology is appropriate:
Clarity for Stakeholders: Using business terminology helps ensure that all stakeholders, including suppliers, understand the expectations and the rationale behind them. This approach promotes better alignment and cooperation.
Alignment with Business Objectives: Expressing cybersecurity requirements in business terms ensures that they are seen as integral to achieving business goals, rather than as isolated technical mandates.
Effective Communication: Managers and executives need to communicate security requirements in a way that resonates with the business context, making it easier for suppliers to see the value and necessity of compliance.
Refer to chapter 1 the description of SLA and SLR . It talk about the third party or company
of your supply chain shall has minimum security standards. It relates with business. Technical details was developed by third-party company by following your business requirements. You don't give then the details of Technical.
Think like a manager guys. Using business terminology to express technical security things to other stakeholders is what a manager would do. You don't want to use too technical or even legal terminology when communicating with other stakeholders like suppliers. Business terminology is what you want to use when communicating security baselines to prospective suppliers. Remember, you want to think like an executive or a manager not an engineer.
This section is not available anymore. Please use the main Exam Page.CISSP Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
cysec_4_lyfe
3 weeks, 3 days agoRedMartian
3 weeks, 5 days agoChimchamp
1 month, 2 weeks agof168100
1 month, 2 weeks agoImranbhatti
1 month, 2 weeks agomax58
2 months, 2 weeks agodeeden
8 months, 4 weeks agoRachy
9 months, 2 weeks agoChris
9 months, 3 weeks agoRamye
10 months, 1 week agoVasyamba1
1 year, 1 month agohomeysl
1 year, 1 month agoHongjun
1 year, 1 month agogjimenezf
1 year, 3 months agoYesPlease
1 year, 4 months agoSoleandheel
1 year, 4 months agoSoleandheel
1 year, 4 months ago