Effective CISSP Questions

As an information system owner, you are categorizing the system and collaborating with information owners to scope and tailor the security controls. Which of the following is the best source used to determine the minimum security requirements from the perspective of the National Institute of Standards and Technology (NIST)?
A. Policies
B. Standards
C. Procedures
D. Guidelines

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Standards.

NIST Publications

NIST develops and maintains an extensive collection of standards, guidelines, recommendations, and research on the security and privacy of information and information systems. This includes various NIST technical publication series:

FIPS (Federal Information Processing Standards): Security standards.
SP (NIST Special Publications): Guidelines, technical specifications, recommendations, and reference materials, comprising multiple sub-series:
    SP 800: Computer security
    SP 1800: Cybersecurity practice guides
    SP 500: Information technology (relevant documents)
NISTIR (NIST Internal or Interagency Reports): Reports of research findings, including background information for FIPS and SPs.
ITL Bulletin (NIST Information Technology Laboratory Bulletins): Monthly overviews of NIST’s security and privacy publications, programs and projects.
Source: NIST Publications


Figure: NIST RMF – Risk Management Framework (NIST SP 800-12 R1)

Figure: FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems

The following is an excerpt from FIPS 200 about minimum security requirements:
The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. The security-related areas include: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity. The seventeen areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems.

Policies and procedures play an important role in the effective implementation of enterprise-wide information security programs within the federal government and the success of the resulting security measures employed to protect federal information and information systems. Thus, organizations must develop and promulgate formal, documented policies and procedures governing the minimum security requirements set forth in this standard and must ensure their effective implementation.

Specifications for Minimum Security Requirements

Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

As an information system owner, you are categorizing the system and collaborating with information owners to scope and tailor the security controls. From NIST’s perspective, which of the following is the best source for determining the minimum security requirements?
A. Policies
B. Standards
C. Procedures
D. Guidelines
