As an information system owner, you are categorizing the system and collaborating with information owners to scope and tailor the security controls. Which of the following is the best source used to determine the control baseline that meets the minimum security requirements from the perspective of the National Institute of Standards and Technology (NIST)?
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Guidelines.
NIST SP 800-53 R4, a guideline, provides security control baselines in Appendix D, Security Control Baselines – Summary. Its Authority section also reads:
This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.
NIST develops and maintains an extensive collection of standards, guidelines, recommendations, and research on the security and privacy of information and information systems. This includes various NIST technical publication series:
| Series | Full name | Contents |
|---|---|---|
| FIPS | Federal Information Processing Standards | Security standards. |
| SP | NIST Special Publications | Guidelines, technical specifications, recommendations, and reference materials, comprising multiple sub-series: SP 800 (computer security), SP 1800 (cybersecurity practice guides), and SP 500 (information technology; relevant documents). |
| NISTIR | NIST Internal or Interagency Reports | Reports of research findings, including background information for FIPS and SPs. |
| ITL Bulletin | NIST Information Technology Laboratory (ITL) Bulletins | Monthly overviews of NIST’s security and privacy publications, programs and projects. |
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.
As an information system owner, you are categorizing the system and collaborating with information owners to scope and tailor the security controls. From NIST's perspective, which of the following is the best source used to determine the control baseline that meets the minimum security requirements?
A. Policies
B. Standards
C. Procedures
D. Guidelines