Based on scenario 3. EsteeMed’s inventory of assets included detailed information on the type of assets, their size, location, owner, and backup information. Is this a good practice to follow?

Scenario 3: EsteeMed is a cardiovascular institute located in Orlando. Florida H Is known for tis exceptional cardiovascular and thoracic services and offers a range of advanced procedures, including vascular surgery, heart valve surgery, arrhythmia and ablation, and lead extraction. With a dedicated team of over 30 cardiologists and cardiovascular surgeons, supported by more than IUU specialized nurses and technicians, EsteeMed Is driven by a noble mission to save lives Every year. it provides its services to over 50,000 patients from across the globe.

As Its reputation continued to grow. EsteeMed recognized the importance of protecting Its critical assets. It Identified these assets and implemented the necessary measures to ensure their security Employing a widely adopted approach to Information security governance. EsteeMed established an organizational structure that connects the cybersecurity team with the information security sector under the IT Department.

Soon after these changes, there was an incident where an unauthorized employee transferred highly restricted patient data to the cloud The Incident was detected by Tony, the IT specialist. As no specific guidelines were in place to address such unlikely scenarios, Tony promptly reported the incident to his colleagues and, together. they alerted the board of managers Following that, the management of EsteeMed arranged a meeting with their cloud provider to address the situation.

During the meeting, the representatives of the cloud provider assured the management of the EsteeMed that the situation will be managed effectively. The cloud provider considered the existing security measures sufficient to ensure the confidentiality, Integrity, and availability of the transferred data Additionally, they proposed a premium cloud security package that could offer enhanced

protection for assets of this nature. Subsequently, EsteeMed’s management conducted an internal meeting following the discussion with the cloud provider.

After thorough discussions, the management determined that the associated costs of implementing further security measures outweigh the potential risks at the present lime Therefore, they decided to accept the actual risk level for the time being. The likelihood of a similar incident occurring in the future was considered low. Furthermore, the cloud provider had already implemented robust security protocols.

To ensure effective risk management. EsteeMed had documented and reported its risk management process and outcomes through appropriate mechanisms, it recognized that decisions about the creation, retention, and handling of documented information should consider various factors. These factors include aspects such as the intended use of the Information. Its sensitivity, and the external and internal context in which It operates.

Lastly. EsteeMed identified and recorded its assets in an inventory to ensure their protection. The inventory contained detailed information such as the type of assets, their size, location, owner, and backup information.

Based on the scenario above, answer the following question:

Based on scenario 3. EsteeMed’s inventory of assets included detailed information on the type of assets, their size, location, owner, and backup information. Is this a good practice to follow?
A . No, it is not necessary to include detailed information in the inventory as it should only specify the asset type and owner
B . No, the backup information should not be included in the inventory of assets
C . Yes, the inventory should contain information on the type of assets, their size, location, owner, and backup information

View Answer

Answer: C

Explanation:

Maintaining a detailed inventory of assets, including the type of assets, their size, location, owner, and backup information, is considered a best practice in information security management. This detailed information allows for better management and protection of assets by providing a clear understanding of what assets exist, their criticality, and how they are protected.

Reference: ISO/IEC 27001:2013 – Specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It includes requirements for the inventory of assets as part of the information security management process.

NIST SP 800-53 – Recommends security controls for federal information systems and organizations, including asset management and the importance of maintaining comprehensive asset inventories.