149k views
4 votes
A security analyst has been asked to create a list of external IT security concerns, which are applicable to the organization. The intent is to show the different types of external actors, their attack vectors, and the types of vulnerabilities that would cause business impact. The Chief Information Security Officer (CISO) will then present this list to the board to request funding for controls in areas that have insufficient coverage.

Which of the following exercise types should the analyst perform?

A. Summarize the most recently disclosed vulnerabilities.
B. Research industry best practices and the latest RFCs.
C. Undertake an external vulnerability scan and penetration test.
D. Conduct a threat modeling exercise.

User Carl Norum
by
7.1k points

1 Answer

1 vote

Final answer:

The most effective approach for identifying external IT security concerns and where to focus resources is to conduct a threat modeling exercise. This helps in understanding the potential threats and presenting a comprehensive view to the CISO and the board for funding.

Step-by-step explanation:

Appropriate Exercise for External IT Security Concerns

For a security analyst tasked with creating a list of external IT security concerns that includes different types of external actors, attack vectors, and vulnerabilities, the most effective approach would be to conduct a threat modeling exercise. This task goes beyond summarizing vulnerabilities or scanning systems. Threat modeling involves understanding potential attackers, defining relevant assets, and identifying what can go wrong. This process helps prioritize where to allocate resources effectively. It enables the analyst to present a comprehensive overview of threats and helps the CISO to request funding by showing the board areas of insufficient coverage.

While vulnerability scans and penetration tests (option C) are also important, they are generally more technical exercises focused on identifying specific, exploitable vulnerabilities rather than the broader external threat landscape. Researching industry best practices and RFCs (option B) provides useful background information, but does not directly address the organization's unique threats.

User Winklerrr
by
7.5k points
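The answer describes threat modeling as listing external actors, their vectors and the weaknesses they would exploit, then ranking where current controls leave the largest gaps. The following is an added example (not part of the original question or answer) of a minimal threat register that does exactly that: it scores residual risk as impact times likelihood, discounted by how much existing controls already cover, and returns the uncovered items a CISO would carry to the board. All actors, vectors, scores and coverage fractions are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    actor: str        # external actor, e.g. a ransomware affiliate
    vector: str       # how that actor would reach the organization
    weakness: str     # vulnerability class they would exploit
    impact: int       # business impact, 1 (low) to 5 (severe)
    likelihood: int   # likelihood of attempt, 1 (rare) to 5 (frequent)
    coverage: float   # fraction 0.0-1.0 of this threat mitigated by current controls

def residual_risk(t: Threat) -> float:
    """Inherent risk (impact x likelihood) reduced by existing control coverage."""
    if not 0.0 <= t.coverage <= 1.0:
        raise ValueError("coverage must be between 0.0 and 1.0")
    return t.impact * t.likelihood * (1.0 - t.coverage)

def coverage_gaps(register, threshold: float = 6.0):
    """Threats whose residual risk exceeds the threshold, highest first.

    These are the 'areas of insufficient coverage' a funding request targets.
    """
    ranked = sorted(register, key=residual_risk, reverse=True)
    return [(t, residual_risk(t)) for t in ranked if residual_risk(t) > threshold]

def board_summary(register, threshold: float = 6.0):
    """One plain-language line per gap, suitable for a non-technical audience."""
    return [f"{t.actor} via {t.vector} ({t.weakness}): residual risk {r:.1f}"
            for t, r in coverage_gaps(register, threshold)]

# Constructed sample register; values are illustrative, not from any real assessment.
REGISTER = [
    Threat("Ransomware affiliate", "Phishing e-mail", "Unpatched workstation software", 5, 4, 0.75),
    Threat("Opportunistic scanner", "Internet-facing VPN", "Missing MFA on remote access", 4, 5, 0.2),
    Threat("Web defacer", "Public web application", "Injection flaws", 3, 3, 0.5),
    Threat("Supply-chain compromise", "Third-party update channel", "Unsigned vendor packages", 5, 2, 0.0),
]

if __name__ == "__main__":
    for line in board_summary(REGISTER):
        print(line)
```

Lowering the threshold widens the list; raising it focuses the request on the few items with the most unmitigated business impact.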