Exam CISSP topic 1 question 439 discussion

yep, EOL and EOS are biggest concerns atm

I would check if vendor will support patching. The equipment is already bought and stakeholders may have been part of the discussion in purchasing the used equipment. D makes logical sense to me.

Option D limitations: Vendor support is important for maintaining the equipment, but it doesn't determine the level of protection needed. Even equipment with minimal vendor support might require significant protection if it plays a critical role in business processes.

Board has made decision to buy used, stakeholders trust board and are aware of intention to save $$$, though all must work, therefore you care about how much longer you can have the gear supported

Answer: C Stakeholder concerns could range from data privacy and security to compliance with industry regulations. Identifying the equipment that requires protection involves understanding the specific needs and concerns of stakeholders. If customer data is processed or stored on the acquired equipment, it would need to be protected to ensure data privacy and compliance with data protection regulations such as encryption, access controls, and monitoring, to protect the equipment and the sensitive information it handles. The total monetary value of the acquisition does not necessarily correlate with the level of protection needed, as lower-value assets can still contain sensitive information. The age of the computing hardware is not the sole determinant of protection requirements, as even older equipment can store critical data. The length and extent of vendor support are important for maintenance and updates but that isn't comprehensive support.

Answer C) Stakeholder concerns of how the assets are used Just my 2 cents... The fact that the equipment is used is trying to throw you off the real question. (**I think I see a pattern with CISSP questions when they are three sentences long...these seem to want to throw you off the real question at the end**). The real question is asking you what you need to take into consideration in order to identify the equipment that needs to be protected most. Of all the answers, only one is not left up for interpretation/speculation. The Stakeholders concerns will tell you which equipment will need the most protection. Age and Value are wrong because they could be less than a year older than production and cost pennies on the dollar and just because they are not new doesn't mean that they are anywhere near the end of support.

C. Stakeholder concerns of how the assets are used........The success of the business functions is always a priority and the stakeholders define that.

Does not all risk managment start with knowing Asset value ?

The age of the computing hardware is a key factor to consider because even if the vendor provides support for the equipment, older hardware may have outdated security features that cannot be updated. Additionally, newer hardware may have improved security features that older equipment may not have, even if it is still supported by the vendor.

I go with D.

The most appropriate consideration to identify the equipment that requires protection is C. Stakeholder concerns of how the assets are used. This is because the equipment may store or process sensitive information that needs to be protected from unauthorized access, disclosure, modification, or destruction. The stakeholder concerns may include the confidentiality, integrity, availability, and accountability of the information, as well as the compliance with legal, regulatory, or contractual obligations. The other considerations are less relevant or less specific to the protection of the equipment. For example, the total monetary value of the acquisition may not reflect the value of the information, the age of the computing hardware may not indicate the level of security or vulnerability, and the length and extent of support by the vendor may not address the risks or threats to the equipment.