"Best practice" approach
When I took the CISSP exam, I noticed that many questions asked about "What is the BEST PRACTICE to do something", regarding this domain or another.
I was wondering what is the exact approach for such questions. "Best practice" can be my experience, but my experience is mainly technical. Yes, I know that "you need to think like a manager" but what does it mean in this case?
"Best practice" can be a "fail-safe" approach (for example, if you encounter an inside threat, should you try to eliminate/mitigate it or take care that daily backups and immediate recovery mechanisms appear?), or a "make the business/organization happy" approach (for example, choose as many risks as possible to make sure that the business is aware of the problems that may exist).
Thanks
Comments
OctalDump (Member, Posts: 1,722)
I'd be guessing, but the ISO 27000 series is meant to represent Best Practice. It is probably that kind of thing, established frameworks (COBIT and NIST SP 800, ITIL, ISO 20000, ISO 27000) rather than regulatory controls.
The thing is that those Best Practices aren't necessarily the best practice for any particular organisation. It's up to the organisation, with the aid of skilled professionals, to determine what their particular needs are.
2017 Goals - Something Cisco, Something Linux, Agile PM
Mike7 (Member, Posts: 1,107)
> I was wondering what is the exact approach for such questions. "Best practice" can be my experience, but my experience is mainly technical. Yes, I know that "you need to think like a manager" but what does it mean in this case?
Means think like an information security manager and not a security analyst or engineer.
Security management and not people management.
OctalDump (Member, Posts: 1,722)
> Means think like an information security manager and not a security analyst or engineer.
> Security management and not people management.
So kind of what I suggested? More about frameworks than about implementation details?
2017 Goals - Something Cisco, Something Linux, Agile PM
gespenstern (Member, Posts: 1,243)
IMHO, from a business standpoint.
You know, costs/benefits, assessing the risks and even taking them without putting security controls in place if the costs of security controls are found to be higher than the costs of assets protected, etc.
This "manager hat" everybody is talking about all the time with CISSP.
Mike7 (Member, Posts: 1,107)
> So kind of what I suggested? More about frameworks than about implementation details?
Also about dollars and cents, TCO, ALE. If it costs $20K to totally protect a laptop from $5K worth of data loss, you should not do it. Instead look for a $500 solution that reduces the exposure factor and lowers the loss to, say, $2K.