As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following actions should be taken first?
A. Select controls
B. Categorize the system
C. Assess risk to the system
D. Determine the impact of data
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Determine the impact of data.
According to FIPS 199, “determining the security category of an information system requires slightly more analysis and must consider the security categories of all information types resident on the information system.” Therefore, determining the impact of data should be completed before categorizing the information system (Step 1 of the RMF).
Reference
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
作為客戶關係管理(CRM)系統所有者(system owner),您可以與數據所有者(data owner)和其他利害關係人(stakeholder)協作以確定安全控制的範圍(scope)。 首先應採取以下哪些行動?
A. 選擇控制(control)
B. 對系統進行分類(categorize)
C. 評鑑系統風險
D. 確定數據的影響(impact)