Due Thursday
Respond to the following in a minimum of 175 words:
Option 1
NIST SP 800-30 and ISO 27005, which you read about this week, both offer versions of a risk assessment model.
Describe the process a CISO would use to help the company decide which risk assessment model to use considering the February 2013 Executive Order 13636, Improving Critical Infrastructure Cybersecurity.
Option 2
A plan of action and milestones (POA&M) is a living, historical document that identifies tasks that need to be created to remediate security vulnerabilities. The goal of a POA&M should be to reduce the risk of the vulnerability identified.
Describe some of the common challenges with developing and maintaining a POA&M from the standpoint of a CISO versus a CIO.