As an information system owner, you are categorizing the system and collaborating with information owners to scope and tailor the security controls. Which of the following is the best source used to determine the minimum security requirements from the perspective of the National Institute of Standards and Technology (NIST)?
A. Policies
B. Standards
C. Procedures
D. Guidelines
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Standards.
NIST Publications
NIST develops and maintains an extensive collection of standards, guidelines, recommendations, and research on the security and privacy of information and information systems. This includes various NIST technical publication series:
| FIPS | Federal Information Processing Standards | Security standards. |
| SP | NIST Special Publications | Guidelines, technical specifications, recommendations, and reference materials, comprising multiple sub-series: SP 800 Computer security SP 1800 Cybersecurity practice guides SP 500 Information technology (relevant documents) |
| NISTIR | NIST Internal or Interagency Reports | Reports of research findings, including background information for FIPS and SPs. |
| ITL Bulletin | NIST Information Technology Laboratory (ITL) Bulletins | Monthly overviews of NIST’s security and privacy publications, programs and projects. |
NIST RMF
The following is an excerpt from FIPS 200 about minimum security requirements:
MINIMUM SECURITY REQUIREMENTS
The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. The security-related areas include: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity. The seventeen areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems.
Policies and procedures play an important role in the effective implementation of enterprise-wide information security programs within the federal government and the success of the resulting security measures employed to protect federal information and information systems. Thus, organizations must develop and promulgate formal, documented policies and procedures governing the minimum security requirements set forth in this standard and must ensure their effective implementation.
Specifications for Minimum Security Requirements
Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Reference
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
作為資訊系統擁有者(owner),您正在對系統進行分類(categorize),並與資訊擁有者合作以確定範圍(scope)和定制(tailor)安全控制。 從NIST的角度來看,以下哪個是用來確定最低安全要求之最佳來源?
A. 政策 (policies)
B. 標準 (standards)
C. 程序 (procedures)
D. 指引 (guidelines)