A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN).
What should the security manager do FIRST?
A. Understand the business requirements of the developer portal.
B. Perform a vulnerability assessment of the developer portal.
C. Install an intrusion detection system (IDS).
D. Obtain a signed nondisclosure agreement (NDA) from the external consultants.
The information security manager cannot make an informed decision about the request without first understanding the business requirements of the developer portal.
Performing a vulnerability assessment of the developer portal and installing an intrusion detection system (IDS) are best practices, but both come after understanding the requirements.
Obtaining a signed nondisclosure agreement will not take care of the risks inherent in the organization's application.
The correct answer is A. Understand the business requirements of the developer portal.
Explanation: Before assigning a public IP address to the developer portal, the security manager should first understand the business requirements of the portal. Understanding the business requirements would help the security manager determine the appropriate security measures that need to be in place to protect the developer portal. The security manager needs to understand who will be accessing the portal, what data will be shared, and what level of security is required.
Once the security manager has a clear understanding of the business requirements, the security manager can then perform a risk assessment to identify the potential security risks and vulnerabilities associated with the developer portal. Based on the results of the risk assessment, the security manager can then determine the appropriate security controls that need to be implemented to mitigate the identified risks.
Performing a vulnerability assessment, as suggested in option B, is premature until the security manager has a clear understanding of the business requirements of the developer portal. A vulnerability assessment is a detailed analysis of the system or network to identify potential vulnerabilities that could be exploited by an attacker. Without a clear understanding of the business requirements, a vulnerability assessment may not accurately identify all potential vulnerabilities.
Installing an intrusion detection system (IDS), as suggested in option C, is also premature until the security manager has a clear understanding of the business requirements of the developer portal. An IDS is a security tool that monitors network traffic for suspicious activity and alerts security personnel when an attack is detected. However, without a clear understanding of the business requirements, an IDS may not be able to accurately detect all potential attacks.
Obtaining a signed nondisclosure agreement (NDA) from external consultants, as suggested in option D, is also an important step, but it should not be the first step. A signed NDA would help protect the organization's confidential information from being disclosed to unauthorized parties. However, before the security manager can determine what information needs to be protected, they need to have a clear understanding of the business requirements of the developer portal.