"Best practice" approach

When I took the CISSP exam, I noticed that many questions asked about "What is the BEST PRACTICE to do something", regarding this domain or another.
I was wondering what is the exact approch for such questions. "Best practice" can be my experience, but my experience is mainly technical. Yes, I know that "you need to think like a manager" but what does it mean in this case?
"Best practice" can be a "fail-safe" approch (for example, if you encounter an inside threat, should you try to eliminate/mitigate it or take care that daily backups and immediate recovery mechanisms appear?), or "make the business/organization happy" approch (for example, choose as many risks as possible to make sure that the business is aware of the problems that may exist).

Thanks

Find more posts tagged with

Comments

OctalDump

I'd be guessing, but the ISO 27000 series is meant to represent Best Practice. It is probably that kind of thing, established frameworks (Cobit and NIST SP 800, ITIL ISO 20000, ISO 27000) rather than regulatory controls.
The thing is that those Best Practice, aren't necessarily the best practice for any particular organisation. It's up to the organisation, with the aid of skilled professionals, to determine what their particular needs are.

Mike7

barman wrote: »

I was wondering what is the exact approch for such questions. "Best practice" can be my experience, but my experience is mainly technical. Yes, I know that "you need to think like a manager" but what does it mean in this case?

Means think like information security manager and not a security analyst or engineer.
Security management and not people management.

OctalDump

Mike7 wrote: »

Means think like information security manager and not a security analyst or engineer.
Security management and not people management.

So kind of what I suggested? More about frameworks than about implementation details?

gespenstern

imho from a business standpoint

you know, costs/benefits, assessing the risks and even taking them without putting security controls in place if the costs of security controls are found to be higher than the costs of assets protected, etc.

this "manager hat" everybody is talking about all the time with CISSP

Mike7

OctalDump wrote: »

So kind of what I suggested? More about frameworks than about implementation details?

Yes.

Also about dollars and cents, TCO, ALE. If it cost $20K to totally protect a laptop from $5K worth of data loss, you should not do it. Instead look for a $500 solution that reduces the exposure factor and lowers the loss to say $2K.