After transforming stakeholder requirements into system requirements, you are selecting controls based upon system security requirements and allocating them to the security architecture. As a security architect, which of the following selection criteria is least likely used to select controls?
A. The attack surface
B. The result of risk assessment
C. The impact level of the system
D. The exploitability of vulnerabilities
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. The exploitability of vulnerabilities.
The first step of the RMF is “Categorize System”, which determines the impact level of the system of interest. The second step is “Select Controls”, based on the impact level of the system.
The attack surface is the sum of attack vectors determined through threat modeling against the designs as part of the solution domain. Threat modeling is in essence one form of risk assessment in the context of software or system engineering.
Selecting controls is part of risk treatment, which follows risk assessment. A risk comprises three essential factors: uncertainty, impact, and objectives. The exploitability of vulnerabilities describes only the likelihood, or uncertainty, of a risk; on its own it is not sufficient to support informed risk-based decisions. The impact of vulnerabilities should also be evaluated to determine risk exposure and prioritize risks.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.