Security awareness and training will give you CIA (option "C"). This training will/shall also cover the concepts of need-to-know and least privilege (option "A"). Therefore option "B" is the most appropriate.
I agree with you. Security Policy can include many points other than user training, and it should provide enough/complete security to protect vital information assets.
did you even read the question? This is one of those questions that will get you in trouble by auto selecting an answer just cuz it has a policy in it. For one thing, this states an information technology policy. That tends to not be people/process specific.
Secondly, yes there would be a policy in place. BUT a policy is not the way you PROVIDE users with the required information as the question asks
Yet another godawful phrasing here, but the key is "equip the workforce." You can ask users to sign and agree to a EULA all day, doesn't mean they read it, doesn't mean they know not to go on Facebook if it isn't explicitly blocked. Likewise an IT policy won't really help the "workforce" (at large) be aware of and avoid Phishing/Vishing/Malicious Links etc etc.
Terrible TERRIBLE question, but I'd have to say B.
The PRIMARY mechanism to equip the workforce with the knowledge to protect an organization’s vital information resources is through security awareness and training. This ensures:
Employees understand policies and how to apply them.
Staff are aware of current threats and social engineering tactics.
Personnel know how to respond to incidents or anomalies.
Not C. IT security policy defines rules and principles but alone does not provide active education or ensure that employees understand and can apply these rules.
Answer B) Incorporating security awareness and training as part of the overall information security program
Answer B includes C since it references an "overall information security program". C does not need to contain anything about end user training.
Also, is states it verbatim in NIST SP800 Ch4:
"Establishing and maintaining a robust and relevant information security awareness and training program as part of the overall information security program is the primary conduit for providing the workforce with the information and tools needed to protect an agency’s vital information resources."
B. Incorporating security awareness and training as part of the overall information security program
Incorporating security awareness and training as part of the overall information security program is the primary mechanism for providing the workforce with the information needed to protect an agency's vital information resources. Educating employees and users about security risks, best practices, policies, and procedures helps them understand their roles and responsibilities in safeguarding information resources.
While the other options (implementation of access provisioning process, IT security policy, periodic security assessments) are important components of an information security program, security awareness and training play a critical role in ensuring that the workforce is informed and capable of protecting information resources effectively.
B. "providing the workforce with the information" sounds like training of employees, hence B is the only match. C wouldn't work because it doesn't train and it is too specific. At my CISSP class the instructor cautioned against too specific of an answer, the strategy is to go with the most comprehensive since CISSP is about high level, not the details.
This section is not available anymore. Please use the main Exam Page.CISSP Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
WiDeBarulho
Highly Voted 3 years, 1 month agojackdryan
2 years, 6 months agoJay327
Highly Voted 3 years agooudmaster
2 years, 11 months agoap0ls
1 year, 8 months agoeboehm
1 year, 7 months agoTrap_D0_r
Most Recent 3 days, 3 hours agoa_kto_to
6 months, 4 weeks agoBigITGuy
7 months, 4 weeks ago8e1c45b
1 year, 4 months agoYesPlease
1 year, 11 months agoisaac592
2 years, 1 month agoisaac592
2 years, 1 month agoBoyBastos
2 years, 2 months agodark7ness
2 years, 4 months agoHughJassole
2 years, 5 months agoJohnyDal
2 years, 9 months agoDee83
2 years, 10 months agoDJOEK
2 years, 10 months agoIXone
3 years agopingundas
3 years, 1 month agofranbarpro
3 years, 1 month ago