CISSP PRACTICE QUESTIONS – 20200411

According to the NIST SDLC, which of the following is the first security activity that should be conducted before authorizing an information system to operate??
A. Assess risk to the system
B. Assess business impact
C. Assess system security
D. Review operational readiness


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Assess business impact.

Source: NIST SP 800-64R2

Reference

4 thoughts on “CISSP PRACTICE QUESTIONS – 20200411

  1. Hi Wentz
    Thank you for your selflessly sharing knowledge. The answer makes me a little confused…
    “authorizing an information system” = SDLC Phase 3 (4.authorizing the information system) ?

    It should be Phase 3 (3. Assess System Security) before “authorizing the information system” ?

    • Wentz Wu – Taiwan – Wentz is a co-founder of Amicliens, a company from Taiwan delivering business solutions. He enjoys applying IT technologies to solve business problems and has been working in the IT industry for over 20 years.
      Wentz Wu on said:

      There are many activities that should be done before authorizing an information system, but the question is asking about the “first,” not the one right before authorization. Pls don’t hesitate to let me know when in doubt. Thanks for your comment.

      • Thanks for creating such wonderful (often conceptual) Qs. This question seems to be presented in an over-complicated way. Answering this relies more on memory than understanding. Not something CISSP exam would actually do (just a thought).

      • Wentz Wu – Taiwan – Wentz is a co-founder of Amicliens, a company from Taiwan delivering business solutions. He enjoys applying IT technologies to solve business problems and has been working in the IT industry for over 20 years.
        Wentz Wu on said:

        Thanks for your feedback, Wangdi. I agree with you. Frankly, I designed questions primarily to invite thinking and research, but not to simulate the real exam. I hope the topics behind each question can be discovered and explored.

Leave a Reply