You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You are referencing the NIST Risk Management Framework (RMF) to determine security controls for the core banking system. Which of the following best describes the criteria on which the control selection process depends?
A. The impact level of the system
B. Information types the system processes
C. The sensitivity of information the system processes
D. The value of the information the system processes

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. The impact level of the system.

Even though NIST guidelines are primarily applicable to the US government departments or agencies, they are good references for enterprises. The control selection process is the second step.

The first step, Categorize System, determines the information system impact level based on the impact level of information types it handles in terms of confidentiality, integrity, and availability. FIPS 199 and NIST SP 800-60 have the details.

The second step, Select Controls, selects controls from the security control framework, NIST SP 800-53 R4, based on the overall information system impact level, the result of the first step.