An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being awarded a contract. Which of the following statements is TRUE about the baseline cybersecurity standard?
A.
It should be expressed as general requirements.
B.
It should be expressed as technical requirements.
C.
It should be expressed in business terminology.
D.
It should be expressed in legal terminology.
The correct answer is B. It should be expressed as technical requirements.
Baseline cybersecurity standards should be expressed as technical requirements because they need to provide clear, actionable guidelines that suppliers must follow to ensure their systems and processes meet the necessary security criteria. Technical requirements are specific and measurable, making it easier to assess compliance and enforce the standards.
Option C, "It should be expressed in business terminology," is incorrect because baseline cybersecurity standards need to provide clear, actionable guidelines that can be directly implemented by technical teams. Expressing these standards as technical requirements ensures that they are specific, measurable, and enforceable, which is crucial for maintaining security and compliance.
Business terminology might be too broad or vague, making it difficult for technical teams to understand and implement the necessary security measures. Technical requirements, on the other hand, provide the detailed instructions needed to effectively secure systems and data.
The question asks about a baseline cybersecurity standard that suppliers must meet before being awarded a contract. The key here is ensuring that the standard is clear, actionable, and measurable in terms of security expectations.
B. It should be expressed as technical requirements is indeed the best answer. Cybersecurity standards must clearly define the specific security measures, and only technical requirements can ensure the correct implementation of these measures.
A baseline cybersecurity standard should be expressed in technical requirements to ensure clear and measurable expectations for suppliers. This includes specific controls, technologies, and processes that must be implemented.
While general requirements can provide a high-level overview, technical requirements are essential for effective evaluation and enforcement of the standard.
Here's a breakdown of why the other options are less effective:
A. General requirements: Too vague and difficult to enforce.
C. Business terminology: While understanding business needs is important, the standard should focus on technical implementation details.
D. Legal terminology: While legal considerations are important, the primary focus should be on technical requirements to ensure effective security.
Here's why C, "It should be expressed in business terminology," is appropriate:
Clarity for Stakeholders: Using business terminology helps ensure that all stakeholders, including suppliers, understand the expectations and the rationale behind them. This approach promotes better alignment and cooperation.
Alignment with Business Objectives: Expressing cybersecurity requirements in business terms ensures that they are seen as integral to achieving business goals, rather than as isolated technical mandates.
Effective Communication: Managers and executives need to communicate security requirements in a way that resonates with the business context, making it easier for suppliers to see the value and necessity of compliance.
Refer to chapter 1, the description of SLA and SLR. It talks about how the third party or company in your supply chain shall have minimum security standards. It relates to business. Technical details are developed by the third-party company by following your business requirements. You don't give them the technical details.
Think like a manager, guys. Using business terminology to express technical security things to other stakeholders is what a manager would do. You don't want to use too technical or even legal terminology when communicating with other stakeholders like suppliers. Business terminology is what you want to use when communicating security baselines to prospective suppliers. Remember, you want to think like an executive or a manager, not an engineer.
The correct answer is C - business terminology
The statement that is true regarding the enterprise's baseline cybersecurity standard for suppliers is that it should be expressed in business terminology, option C.
The standard should focus on desired security outcomes in plain business language, rather than technical details or legal jargon. This makes requirements accessible to suppliers without cybersecurity expertise.
Option A is incorrect because general requirements can be too vague. Specific outcomes should be stated.
Option B is incorrect because technical jargon would be hard for suppliers to understand.
Option D is incorrect because legal terminology is overly formal for a cyber baseline.
Chimchamp, 2 weeks, 3 days ago
f168100, 2 weeks, 5 days ago
Imranbhatti, 3 weeks, 2 days ago
max58, 1 month, 2 weeks ago
deeden, 8 months ago
Rachy, 8 months, 2 weeks ago
Chris, 8 months, 4 weeks ago
Ramye, 9 months, 1 week ago
Vasyamba1, 1 year ago
homeysl, 1 year ago
Hongjun, 1 year, 1 month ago
gjimenezf, 1 year, 2 months ago
YesPlease, 1 year, 3 months ago
Soleandheel, 1 year, 3 months ago
Soleandheel, 1 year, 3 months ago
InclusiveSTEAM, 1 year, 5 months ago
Wz21, 1 year, 6 months ago