Exam CISSP topic 1 question 265 discussion

Conducting a site physical security survey should enable the gathering of all information necessary to make an intelligent and informed risk assessment of the sites or facilities and create a physical security profile. From this point, additional controls can be developed and implemented to provide the most cost-effective security profile tailored to the specific needs of an enterprise.

I think CISSP made a good point about the difference between classification and categorization of data. However, in order to do this, you have to have an inventory of assets first, hence the discovery (site survey).

While asset categorization (D) remains a critical step, conducting a site survey (detailed examination of the location to identify potential security vulnerabilities) can be considered an even earlier and complementary action before selecting a physical baseline Protection Profile (PP).

The correct answer is D. Categorize assets. Before deciding on a physical baseline Protection Profile (PP), it is essential to categorize the assets that need to be protected. Asset categorization involves identifying and classifying the organization's assets based on their criticality, sensitivity, and value. This step helps in determining the appropriate level of protection required for each asset and guides the selection of a suitable Protection Profile. While conducting a site survey is an important step in assessing the physical security of a location, it is typically done after categorizing assets and selecting a suitable Protection Profile. The site survey helps identify vulnerabilities and implement the necessary security controls based on the chosen PP.

D. Categorize assets. Categorizing assets involves identifying and classifying the assets in terms of their importance, sensitivity, and criticality to the organization. This categorization helps in determining the appropriate security requirements and controls needed for protecting those assets. Once assets are categorized, it becomes easier to specify the security profile and protection measures required in a physical baseline Protection Profile (PP).

A PP is a document that defines the security objectives and requirements for a system or product that conforms to the Common Criteria standard. Categorizing assets is a process of identifying and classifying the resources, information, and functions that are valuable and need protection. Categorizing assets can help to determine the protection needs, threats, and risks for a PP.

D. Categorizing Assets is the first step always. Once you know what you are protecting, then you can do a site survey.

Imagine your boss have 1T of gold and 5T of wood, the boss ask you to design a security baseline for protection. what's the first question / thing you will do? Do you want to go to the site first or you want to know gold or wood first?

Normally PP stands for protection profile which comes under Common criteria. I will go with D

A is correct

Answer is correct: "Conducting a site physical security survey should enable the gathering of all information necessary to make an intelligent and informed risk assessment of the sites or facilities and create a physical security profile. " https://www.sciencedirect.com/topics/computer-science/protection-profile

Think it is D