Certified Information Systems Security Professional (CISSP) — Question 268
Which of the following is considered the FIRST step when designing an internal security control assessment?
Answer options
- A. Create a plan based on comprehensive knowledge of known breaches.
- B. Create a plan based on reconnaissance of the organization's infrastructure.
- C. Create a plan based on a recognized framework of known controls.
- D. Create a plan based on recent vulnerability scans of the systems in question.
Correct answer: C
Explanation
Answer C is correct because a recognized framework of known controls gives the assessment a structured, defensible baseline to plan against. Options A, B, and D are relevant inputs, but none provides the structured approach that a recognized framework offers, which makes them less suitable as the first step.