CISSP PRACTICE QUESTIONS – 20210117

As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following actions should be taken first?
A. Select controls
B. Categorize the system
C. Assess risk to the system
D. Determine the impact of data

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Determine the impact of data.

According to FIPS 199, “determining the security category of an information system requires slightly more analysis and must consider the security categories of all information types resident on the information system.” Therefore, determining the impact of data should be completed before categorizing the information system (Step 1 of the RMF).
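To make that ordering concrete, here is an added Python illustration (not code from the original post) of FIPS 199 categorization: the impact of each information type is determined first, and only then is the system's security category derived as the high-water mark across all of them. The CRM information types and their impact levels are constructed for illustration; the rule that "not applicable" may be used only for confidentiality, and that a system's floor is LOW, follows FIPS 199.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels; NOT_APPLICABLE is allowed only for
    the confidentiality of an information type, never for a system."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Step 1: determine the impact of each information type the CRM holds.
# SC(information type) = {(confidentiality, impact), (integrity, impact), (availability, impact)}
# These values are constructed for illustration, not taken from any real system.
CRM_INFORMATION_TYPES = {
    "customer contact records": {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "payment card tokens": {"confidentiality": Impact.HIGH, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "public marketing content": {"confidentiality": Impact.NOT_APPLICABLE, "integrity": Impact.LOW, "availability": Impact.LOW},
}


def categorize_system(information_types):
    """Step 2: the system's category per objective is the highest impact of any
    information type resident on it (high-water mark), with a floor of LOW."""
    if not information_types:
        raise ValueError("determine the impact of the system's information types before categorizing it")
    return {
        obj: max(Impact.LOW, max(sc[obj] for sc in information_types.values()))
        for obj in OBJECTIVES
    }


def overall_impact(system_category):
    """Single overall level used to pick the control baseline: the highest objective-level impact."""
    return max(system_category.values())


def format_sc(system_category):
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, HIGH), ...}."""
    return "SC = {" + ", ".join(f"({obj}, {level.name})" for obj, level in system_category.items()) + "}"


if __name__ == "__main__":
    sc = categorize_system(CRM_INFORMATION_TYPES)
    print(format_sc(sc))
    print("overall impact:", overall_impact(sc).name)
```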

System Categorization
NIST SDLC and RMF

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

As the customer relationship management (CRM) system owner, you can collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following actions should be taken first?
A. Select controls
B. Categorize the system
C. Assess risk to the system
D. Determine the impact of data
