Your company is engineering an information system (the system) to support the new business of selling toys online. As a security professional, you are a member of the engineering project team and responsible for ensuring the security needs are addressed properly and the information system is compliant with the security policies in your company. The project was kicked off last week. Which of the following should be determined first?
A. Categorize the system based on the impact if it is compromised
B. Select appropriate security controls from certain control frameworks
C. Scope and tailor the security controls based on business requirements
D. Evaluate the value of the data processed by the system and the impact in case the data is breached
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Evaluate the value of the data processed by the system and the impact in case the data is breached.
Risk Management Framework
This question is designed based on the Risk Management Framework (NIST SP 800-37R2) to verify your understanding of the “Categorize” step.
The impact level of the information system is determined by the information type processed by the system. Please refer to NIST SP 800-60 for information types and FISP 199 for system categorization.
An information system is protected by security controls, which are selected or determined based on the impact level of the information system.
Scoping and Tailoring
Selecting security control based on the impact level of the information system to build the security baseline is called “scoping” while customizing the security baseline based on business or organization requirements is called “tailoring”.
The Question Behind The Question
By the book, the first step is “Categorize System”, but you have to understand the basic idea behind this step. The question behind the question is asking you “how do you categorize a system?“. You need to have some idea of the “high water mark” of information types to determine the impact level of the information system, so that you can select security controls (do the scoping and tailoring jobs) based on the impact level to protect your information system.
You have to finish “Answer D” to proceed to “Answer A”.