Which of the following should be considered FIRST when determining how to protect an organization's information assets?
A. A prioritized inventory of IT assets
B. The organization's business model
C. Results of vulnerability assessments
D. The organization's risk reporting
When determining how to protect an organization's information assets, the first consideration should be the organization's business model because:
Contextual Risk Management: The business model dictates the types of data the organization processes, stores, and transmits.
Critical Asset Identification: Understanding how the business operates helps prioritize mission-critical systems and data.
Security Strategy Alignment: Ensures that security measures align with business objectives and requirements.
Regulatory Compliance: Different industries have unique compliance needs (e.g., healthcare vs. finance).
Other options analysis:
A. Prioritized inventory: Important but less foundational than understanding the business context.
C. Vulnerability assessments: Relevant later, after identifying critical business functions.
D. Risk reporting: Informs decisions but doesn’t form the primary basis for protection strategies.
CCOA Official Review Manual, 1st Edition References:
Chapter 2: Risk Management and Business Impact: Emphasizes considering business objectives before implementing security controls.
Chapter 5: Strategic Security Planning: Discusses aligning security practices with business models.