An organization outgrew its internal data center and is evaluating third-party hosting facilities. In this evaluation, which of the following is a PRIMARY factor for selection?
A.
Facility provides an acceptable level of risk
B.
Facility provides disaster recovery (DR) services
C.
Facility has physical access protection measures
D.
Facility provides the most cost-effective solution
Too little information to make a good decision. A makes the most sense in terms of risk management. D would make sense if we knew what defined cost effective. Is it taking into account primary and secondary cost, cost in terms of cost-benefit analysis, or just the price?
I say D...as a Manager, first thing I would look at is the budget, then consider the best options. The facility with the acceptable level of risk may be outside of the company's budget.
A. Facility provides an acceptable level of risk is the PRIMARY factor for selection according to cissp. This includes evaluating the security measures in place at the facility, such as physical access controls, network security, and incident response capabilities, to ensure that the facility meets the organization's security requirements and provides an acceptable level of risk for the organization's data and operations. Other factors, such as disaster recovery services, physical access protection measures and cost-effectiveness may also be considered but the primary concern is ensuring that the facility provides an acceptable level of risk.
I think of cost-benefit analysis contra cost-efficient. Meanwhile cost-efficient is pure about money, cost-benefit covers the balance between security, added value and cost. If i would prioritize cost before security, then i probably make a risk analysis and realize that OPEX/CAPEX of security controls will outpaces the price of more expensive but much safer hosting facility.
There are shared responsibilities between the customer and the Hosting providers.
Hosting provider is not responsible to mitigate the customers' systems risk. This is the customer responsibility.
And cost-effective does not mean no security.
So I elect D.
Thinking like a CISO. B, C & D are all redundant if the facility does not provide an acceptable level of risk. I.e. You wouldn't take on unacceptable levels of risk to have DR, Physical access protection or to save money.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
ItsBananass
Highly Voted 2 years, 5 months agojackdryan
1 year, 9 months agoimather
Most Recent 1 month, 2 weeks agoDtony66
6 months, 1 week agoSkittle4710
8 months, 2 weeks ago041ba31
9 months, 1 week agoshmoeee
1 year, 3 months agoTygrond87
1 year, 9 months agoRollingalx
2 years agoBerto
2 years agoDJOEK
2 years, 1 month agoeddievonbahnhof
2 years, 2 months agooudmaster
2 years, 2 months agoMann0302
2 years, 2 months agoPeepoK
2 years, 2 months agoBP_lobster
2 years, 2 months agoJamati
2 years, 3 months agofranbarpro
2 years, 4 months ago