Effective CISSP Questions

As an information system owner, you are categorizing the system and collaborating with information owners to scope and tailor the security controls. Which of the following is the best source used to determine the control baseline that meets the minimum security requirements from the perspective of the National Institute of Standards and Technology (NIST)?
A. Policies
B. Standards
C. Procedures
D. Guidelines

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Guidelines.

NIST SP 800-53 R4, a guideline, provides the security control baselines (low, moderate and high) in Appendix D, Security Control Baselines – Summary. FIPS 199, a standard, governs security categorization, and FIPS 200 states the minimum security requirements, but the baseline that a system owner selects and then tailors is defined in SP 800-53. The document also reads in its Authority section:

This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.

[Figure: Security Control Baselines (NIST SP 800-53 R4)]

NIST Publications

NIST develops and maintains an extensive collection of standards, guidelines, recommendations, and research on the security and privacy of information and information systems. This includes various NIST technical publication series:

FIPS (Federal Information Processing Standards): security standards.
SP (NIST Special Publications): guidelines, technical specifications, recommendations, and reference materials, comprising multiple sub-series:
  SP 800: computer security
  SP 1800: cybersecurity practice guides
  SP 500: information technology (relevant documents)
NISTIR (NIST Internal or Interagency Reports): reports of research findings, including background information for FIPS and SPs.
ITL Bulletin (NIST Information Technology Laboratory (ITL) Bulletins): monthly overviews of NIST's security and privacy publications, programs and projects.
Source: NIST Publications


[Figure: NIST RMF – Risk Management Framework (NIST SP 800-12 R1)]



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

As an information system owner, you are categorizing the system and collaborating with information owners to scope and tailor the security controls. From NIST's perspective, which of the following is the best source used to determine the control baseline that meets the minimum security requirements?
A. Policies
B. Standards
C. Procedures
D. Guidelines

2 thoughts on "CISSP PRACTICE QUESTIONS – 20201224"
