You should only create a plan based on a recognized framework once you've done proper reconnaissance of your infrastructure. In most cases companies ignore this because they have a pretty good "idea" of what they have so they move to selecting a framework. But it is a critical FIRST step.
A framework of best practices is best. It will also guide you in how and what to look for while assessing your org's infrastructure. You are also likely dealing with regulatory compliance, so you would choose a framework based on how your business operates, like PCI DSS or NIST, and not based on the devices you have.
Frameworks are not exclusively used for external assessments; in fact, they are commonly used in both internal and external assessments. Many organizations use recognized security frameworks as a foundation for planning and performing internal assessments because these frameworks provide a standardized approach to identifying, implementing, and evaluating security controls (a.k.a. informal assessments).
If we use the steps in NIST 800-37 (RMF), it would be B. Categorize your information systems. This includes questions such as "What do we have? How does this system fit into our organization's business processes? How sensitive is it?"
Once that is done, then you move on to selecting security controls, which might include selecting a recognized control framework such as 800-53.
The VERY FIRST step would be to define a scope & objectives, which is not listed. The 2nd step would be to pick a framework, ANSWER C. Then the interviews/recon, etc. happens. The first few steps that apply here are:
1. Identify the scope and objectives of the assessment.
2. Select a recognized framework of known controls, such as NIST SP 800-53, ISO/IEC 27001, or CIS Controls.
3. Develop assessment procedures based on the chosen framework.
4. Determine the resources needed for the assessment, including personnel, tools, and documentation.
5. Schedule the assessment activities, including interviews, document reviews, and technical testing.
Answer C) Create a plan based on a recognized framework of known controls.
https://www.sharetru.com/blog/nist-security-controls-assessment-guide#:~:text=Developing%20a%20strategy%20for%20how%20to%20conduct%20your%20security%20control%20assessments%20makes%20it%20easier%20to%20ensure%20these%20assessments%20are%20uniform%2C%20cost%2Deffective%2C%20and%20comprehensive.
B. Create a plan based on reconnaissance of the organization's infrastructure.
The sequence of steps should generally involve initial reconnaissance, followed by framework selection and planning based on the gathered information.
This reconnaissance helps provide context and specific insights that can inform the selection and adaptation of a recognized framework.
C is the best answer.
The first step when designing an internal security control assessment is to create a plan based on a recognized framework of known controls, such as NIST SP 800-53 or the CIS Controls.
This provides a comprehensive set of relevant security controls to review, rather than basing the plan on specific known breaches, reconnaissance of infrastructure, or vulnerability scans, which may miss important control areas. A framework covers all domains of security controls and establishes a baseline for assessment.
- A is incorrect because known breaches may not cover all necessary control areas.
- B is incorrect because reconnaissance of infrastructure is too limited in scope.
- D is incorrect because vulnerability scans, while useful, do not provide a full picture of security controls.
+ C is the best answer because starting with an established framework of controls provides the most complete baseline for an internal security assessment.
C. Create a plan based on a recognized framework of known controls.
When designing an internal security control assessment, the first step is to create a plan based on a recognized framework of known controls. Using established frameworks such as NIST SP 800-53, ISO/IEC 27001, or CIS Controls provides a structured approach to assessing security controls and ensures that relevant areas are covered systematically.
While the other options (relying on comprehensive knowledge of known breaches, reconnaissance of the organization's infrastructure, recent vulnerability scans) are important aspects of security assessments, they come after the initial step of creating a plan based on a recognized framework of controls.
C. "Create a plan based on a recognized framework of known controls" is considered the FIRST step when designing an internal security control assessment.
When designing an internal security control assessment, the first step is typically to establish a framework of known controls. This framework provides a standardized set of security controls against which an organization can assess its own security posture.