It's good to have a mission, goal, and objectives in your personal life as well as professional environment.
Here are some possible CISSP exam questions regarding this topic:
1. "The company will attain ISO 27001 Certification by the end of this year." This is an example of what?
A quick way to eliminate a possible answer is to remember that a vision can never be achieved. It is a conceptual idea of where a company wants to be. And what is the #1 goal of every company? To be the #1 company in the world.
The correct answer is C, objective, because objectives can be measured.
2. What is the most important step to complete before implementing security controls?
A. Management support and approval
B. A risk analysis
C. Business Impact Analysis
D. User support
When words like "most important" or "ultimately responsible" show up on the exam in regard to security, the answer is most likely going to be senior management support or approval.
The answer is A.
Additionally, in order for a company to exercise proper risk assessments, the senior management team must provide approval and show support.
One more time, the senior management team must provide approval and show support.
A company's risk assessment exercise can take up to 30 days. During these 30 days, employees can get tired of the work, begin to argue against the risk assessment, come up with excuses for not doing work, stop cooperating, or start sabotaging the numbers.
Why would employees act like children when risk assessments are a critical part of maintaining a sound and effective information security program?
Because some adults need a parental figure at work: someone who sets the rules and says what is expected of them.
Imagine if an entire company got an email from senior management with the following:
The senior management of this company has decided to approve and support a company-wide information security policy. Risk assessments are a part of this information security policy, and they will be conducted next month by a third party. Employees are expected to comply with changes to their daily operations and to accommodate the risk assessment team. A risk assessment will not only secure our company but also demonstrate proper due care in case of any liability claim from our customers.
Thank you for your cooperation.
The official email makes perfectly clear the importance of a security policy, a risk assessment, and full employee cooperation.
The CISSP Exam will test us on understanding that the first step in an information security policy is obtaining senior management's approval and support. It is critical not only to a successful security policy but to running a successful business.