Exam CISSP topic 1 question 348 discussion

I choose "A", The risk over cost.

The answer D says it is a "cost" effective solution. Hence it is a solution.

A for the test. D for real life.

I'm going with D as it focuses on the principle "most bang for my buck".

I say D...as a Manager, first thing I would look at is the budget, then consider the best options. The facility with the acceptable level of risk may be outside of the company's budget.

Price is part of a risk assesment

I vote for A. A facility that is cost-effective or has strong DR services may not necessarily provide an acceptable level of risk.

A - If the business simply can't afford it, its not a possibility

A. Facility provides an acceptable level of risk is the PRIMARY factor for selection according to cissp. This includes evaluating the security measures in place at the facility, such as physical access controls, network security, and incident response capabilities, to ensure that the facility meets the organization's security requirements and provides an acceptable level of risk for the organization's data and operations. Other factors, such as disaster recovery services, physical access protection measures and cost-effectiveness may also be considered but the primary concern is ensuring that the facility provides an acceptable level of risk.

I think of cost-benefit analysis contra cost-efficient. Meanwhile cost-efficient is pure about money, cost-benefit covers the balance between security, added value and cost. If i would prioritize cost before security, then i probably make a risk analysis and realize that OPEX/CAPEX of security controls will outpaces the price of more expensive but much safer hosting facility.

There are shared responsibilities between the customer and the Hosting providers. Hosting provider is not responsible to mitigate the customers' systems risk. This is the customer responsibility. And cost-effective does not mean no security. So I elect D.

Think like a Manager and get a more cost-effective solution with much quality.

Since the organization outgrew the internal data center, it's looking for a cheaper solution for higher volumes of data. A is not the primary factor.

Thinking like a CISO. B, C & D are all redundant if the facility does not provide an acceptable level of risk. I.e. You wouldn't take on unacceptable levels of risk to have DR, Physical access protection or to save money.

B and C are all covered under A

As I think like a manager I agree with "D"

The benefits of DCO may include reduced operational costs, more efficient use of infrastructure, and access to more server, storage or computing capacity on demand. The risks include lack of control over security and disaster recovery, lack of flexibility, problems with SLA fulfillment and vendor lock-in.