Certified Information Security Manager (CISM) — Question 142
Which of the following is the MOST important consideration when defining security configuration baselines?
Answer options
- A. The baselines address applicable regulatory standards.
- B. The baselines are proportionate to risk.
- C. The baselines address known system vulnerabilities.
- D. The baselines align with lines of business.
Correct answer: B
Explanation
The correct answer is B: security configuration baselines should be designed to mitigate the risks the organization actually faces, so the controls they mandate are proportionate to those risks. Addressing regulatory standards, known vulnerabilities, and business alignment are all important inputs, but each must be weighed in the context of overall risk for the baselines to deliver effective security.