The main goal of a risk management strategy is to identify risks, then reduce those risks to levels that upper management can accept.
The phrase "determine the organization's risk appetite" is erroneous because, although determining risk appetite is crucial for a risk management program to operate correctly, it is not the fundamental goal of a risk management strategy. "Identify credible risks and transfer them to an external entity" is erroneous because transfer is only one of several possible treatments for a risk. "Remove credible dangers" is erroneous because risks can only be reduced to tolerable levels.
Improper user terminations occur too often, and increasing the frequency of user access reviews would take too much time. The best option is to determine how to improve the user termination process. Since there are 20% "misses," every step is assumed to be manual.
The user access review process is too time-consuming, so "raise user access review process frequency to twice per week" and "increase user access review process frequency to weekly" are wrong. "No action is required since monthly user access review process is functional" is untrue because a 20% "miss" rate would be considered excessive in most firms; a rate of less than 2% is acceptable.
None of these methods is perfect, but the best initial step is to run discovery scans across all networks. Even so, network engineers must be consulted to confirm that the discovery scans of on-premises and IaaS systems cover all known networks. Interviewing system engineers to understand the virtual machine management systems, and collecting inventory data from those systems, are further helpful approaches.
It is erroneous to "get a list of all assets from the patch management platform," because the patch management system may not cover every asset in the organization's environment. Obtaining the asset list from the SIEM is likewise erroneous, because not every asset in the organization's environment sends log data to the SIEM. Because the company uses virtualization and IaaS-based platforms, counting the servers in the on-premises data center will miss both virtual and IaaS-based assets; the instruction to "count all of the servers in each data center" is therefore wrong.
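The reason no single source is acceptable is that each one has blind spots the others do not. The script below is an added illustration, not part of the original page: it merges constructed inventories from several sources (discovery scans, the VM manager, the IaaS console, the patch platform, the SIEM) and reports which assets each source misses and which assets only one source knows about. All hostnames and source names are made up; a real deployment would feed these sets from scan output and the respective management APIs.

```python
"""Reconcile asset inventories from several sources to expose coverage gaps.

Added example (not from the original page). Every hostname and source
name below is constructed; each source is modelled as a set of hostnames.
"""
from typing import Dict, List, Set

# Constructed sample inventories. Note the patch platform and the SIEM
# each see only a subset of what discovery scans and management consoles see.
SOURCES: Dict[str, Set[str]] = {
    "discovery_scan_onprem": {"db01", "web01", "web02", "fs01", "printer07"},
    "discovery_scan_iaas": {"api-prod-1", "api-prod-2", "batch-1"},
    "vm_manager": {"db01", "web01", "web02", "vm-template-old", "jump01"},
    "iaas_console": {"api-prod-1", "api-prod-2", "batch-1", "sandbox-9"},
    "patch_management": {"db01", "web01", "api-prod-1", "api-prod-2"},
    "siem_log_sources": {"db01", "web01", "web02", "api-prod-1", "jump01"},
}


def merged_inventory(sources: Dict[str, Set[str]]) -> Set[str]:
    """Union of every source: the best available picture of what exists."""
    merged: Set[str] = set()
    for hosts in sources.values():
        merged |= hosts
    return merged


def coverage_gaps(sources: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """For each source, the assets known elsewhere but absent from it."""
    merged = merged_inventory(sources)
    return {name: sorted(merged - hosts) for name, hosts in sources.items()}


def coverage_ratio(sources: Dict[str, Set[str]], name: str) -> float:
    """Fraction of the merged inventory that a single source would have found."""
    return len(sources[name]) / len(merged_inventory(sources))


def single_source_assets(sources: Dict[str, Set[str]]) -> List[str]:
    """Assets seen by exactly one source: the likeliest true blind spots."""
    counts: Dict[str, int] = {}
    for hosts in sources.values():
        for host in hosts:
            counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, seen in counts.items() if seen == 1)


if __name__ == "__main__":
    print(f"merged inventory: {len(merged_inventory(SOURCES))} assets")
    for name, missing in coverage_gaps(SOURCES).items():
        print(f"{name:24s} covers {coverage_ratio(SOURCES, name):.0%}, "
              f"misses {len(missing)}: {', '.join(missing)}")
    print("seen by only one source:", ", ".join(single_source_assets(SOURCES)))
```

Run against the constructed data, the patch platform alone would have found four of the eleven assets, and four assets (an old VM template, a file server, a printer, an IaaS sandbox) appear in exactly one source, which is why the page recommends combining scans with interviews and management-system data rather than trusting any one list.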
The best course of action is to establish a chartered information security steering group with representatives from business, IT, and security leadership. Business executives must be involved in the discussions and decisions if security governance is to succeed.
It is false to say that you should "develop a RACI matrix that outlines executive roles and responsibilities": while valuable, a RACI matrix is only a small component of a formalized information security steering committee. "Charter a security steering group made up of leaders in IT and cybersecurity" is erroneous because a security steering committee must also include business leaders. Because the question concerns security governance, which is broader than risk management, it is also erroneous to say that you should "develop a risk management process comparable to what is found in ISO/IEC 27001."
Establishing the audit context is essential, according to ISO/IEC 27005 and other risk management standards. This entails choosing the audit's scope, that is, the areas of the company that will be examined. Determining the risk assessment's goal, such as control coverage, control effectiveness, or business process effectiveness, is also crucial. The criteria for the audit must then be decided.
Since any verification of qualifications would have been done prior to this point, the options "Determine the qualifications of the firm that will execute the audit" and "Determine the qualifications of the person(s) who will perform the audit" are erroneous. It is erroneous to say, "Determine scope, application, and purpose for the audit," because an audit that was not necessary should not be carried out.
Removing a risk finding from a report, dubious as the practice is, implies risk acceptance. It may go further than that: in some professions this is regarded as carelessness and negligence. A risk manager would usually oppose such a move and might consider documenting the situation or even filing a formal protest.
The term "gerrymandering" is erroneous because it refers to drawing election boundaries for political purposes. "Internal politics" is not the best answer, even though the situation may illustrate internal politics. The term "risk avoidance" is erroneous because it refers to ceasing to engage in an activity that poses a risk.
The most difficult challenge associated with implementing a data classification program is ensuring that workers understand and are willing to comply with data handling procedures. By comparison, automation is simpler primarily because it is deterministic.
"Difficulty with industry regulators" is incorrect because regulators are typically less concerned with data classification than with the protection of the relevant information. "Understanding the types of data in use" is incorrect because, although understanding the data in use across an organization can be a challenge, user compliance is typically the biggest one. "Implementing and tuning DLP agents on servers and endpoints" is incorrect because implementing and tuning agents is not usually as challenging as training end users to change their behavior.