What is "Security Management Life Cycle"?
-
I got the following question from the Kaplan quiz tool.
You are performing asset identification and change control blueprints. In which phase of the security management life cycle are you engaged?
A) Plan and Organize
B) Operate and Maintain
C) Implement
D) Monitor and Evaluate

The given answer is "C". I would have thought it was "A) Plan and Organize", but given that they don't say what model they are using and I can find no reference that matches the model referenced in their explanation below, I can't even figure out if their response makes sense!
The explanation they give is:
"
You are engaged in the Implement phase of the security management life cycle. This phase includes the following components:
- Assign roles and responsibilities.
- Develop and implement security policies, procedures, standards, baselines, and guidelines.
- Identify sensitive data.
- Implement the following blueprints:
  - Asset identification and management
  - Risk management
  - Vulnerability management
  - Compliance
  - Identity management and access control
  - Change control
  - Software development life cycle
  - Business continuity planning
  - Awareness and training
  - Physical security
  - Incident response
- Implement solutions.
- Develop auditing and monitoring solutions.
- Establish goals, service level agreements (SLAs), and metrics.
Implementing asset identification and change control blueprints is not part of any of the other phases.
"
-
I found the following article: https://www.techtarget.com/searchsecurity/tip/Steps-in-the-information-security-program-life-cycle
It doesn't reference what model is being used, but it is aligned with this question. Would love to know whether I need to know this information for the CISSP exam.