Security awareness and training will give you CIA (option "C"). This training will/shall also cover the concepts of need-to-know and least privilege (option "A"). Therefore option "B" is the most appropriate.
Did you even read the question? This is one of those questions that will get you in trouble by auto selecting an answer just cuz it has a policy in it. For one thing, this states an information technology policy. That tends to not be people/process specific.
Secondly, yes there would be a policy in place. BUT a policy is not the way you PROVIDE users with the required information as the question asks.
I agree with you. Security Policy can include many points other than user training, and it should provide enough/complete security to protect vital information assets.
Answer B) Incorporating security awareness and training as part of the overall information security program
Answer B includes C since it references an "overall information security program". C does not need to contain anything about end user training.
Also, it states it verbatim in NIST SP800 Ch4:
"Establishing and maintaining a robust and relevant information security awareness and training program as part of the overall information security program is the primary conduit for providing the workforce with the information and tools needed to protect an agency’s vital information resources."
B. Incorporating security awareness and training as part of the overall information security program
Incorporating security awareness and training as part of the overall information security program is the primary mechanism for providing the workforce with the information needed to protect an agency's vital information resources. Educating employees and users about security risks, best practices, policies, and procedures helps them understand their roles and responsibilities in safeguarding information resources.
While the other options (implementation of access provisioning process, IT security policy, periodic security assessments) are important components of an information security program, security awareness and training play a critical role in ensuring that the workforce is informed and capable of protecting information resources effectively.
B. "providing the workforce with the information" sounds like training of employees, hence B is the only match. C wouldn't work because it doesn't train and it is too specific. At my CISSP class the instructor cautioned against too specific of an answer; the strategy is to go with the most comprehensive since CISSP is about high level, not the details.
Could B be a better answer? Security and awareness training…