
Based on the NIST Risk Management Framework (RMF), you are categorizing the Transportation Management System (TMS) that handles the information types of Ground Transportation and Air Transportation. Which of the following is the most likely outcome of the system categorization?
A. Public
B. Moderate
C. Confidential
D. Catastrophic
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Moderate.
This question may look irrelevant to the CISSP exam, but it is not. I wrote this question to remind CISSP aspirants that there are various perspectives of “asset” classification or categorization. Executive Order 12356, which mandates that national security information be classified, in terms of confidentiality, as Top Secret, Secret, or Confidential, is just one way to classify data.
Computers, software, networks, etc., are assets. They can be classified or categorized based on different criteria or perspectives. This question introduces the way required by FIPS 199. Generally speaking, assets can be classified or categorized based on “business value.” My book, The Effective CISSP: Security and Risk Management, has details.

If you look up the information types in question in NIST SP 800-60 V2 R1, it suggests the security category of Air Transportation be “Low.” However, you can justify your evaluation and modify the recommended value. The Availability of Air Transportation is rated Moderate in this post for demonstration purposes only.
The “Categorize System” step in NIST RMF needs two documents: FIPS 199 and NIST SP 800-60.
- FIPS 199 defines the standard and procedure to determine the security category of an information system and the information types it handles.
- The high water mark of information types determines the system’s security category regarding confidentiality, integrity, and availability.
“Public” and “Confidential” are common data classification levels in terms of confidentiality. This is not the approach adopted in FIPS 199 and RMF. “Catastrophic” is a factor used to evaluate the potential impact.
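The high water mark calculation described above, as an added Python example that is not part of the original post. All function and variable names are hypothetical, the all-Low values for Ground Transportation are assumed for illustration, and the Moderate availability for Air Transportation is the demonstration adjustment used in this post.

```python
from enum import IntEnum

class Impact(IntEnum):
    NOT_APPLICABLE = 0  # FIPS 199: only an information type's confidentiality may be N/A
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

def adjust(provisional, objective, level, justification):
    """Copy a provisional category with one objective changed.
    A written justification is required so the change stays auditable."""
    if objective not in OBJECTIVES:
        raise ValueError(f"unknown security objective: {objective}")
    if not justification.strip():
        raise ValueError("an adjustment needs a documented justification")
    adjusted = dict(provisional)
    adjusted[objective] = level
    return adjusted

def categorize_system(info_types):
    """High water mark per objective across all information types.
    A system-level value cannot be NOT_APPLICABLE, so the floor is LOW."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {obj: max(Impact.LOW, *(cat[obj] for cat in info_types.values()))
            for obj in OBJECTIVES}

def overall_impact(system_category):
    """Highest value among the three security objectives."""
    return max(system_category.values())

def sc_notation(name, category):
    """Render a category in the FIPS 199 'SC name = {...}' form."""
    pairs = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"

# Constructed input for the TMS in this question.
ALL_LOW = {obj: Impact.LOW for obj in OBJECTIVES}
TMS_INFO_TYPES = {
    "Ground Transportation": dict(ALL_LOW),  # assumed values, for illustration
    "Air Transportation": adjust(ALL_LOW, "availability", Impact.MODERATE,
                                 "demonstration only, as stated in the post"),
}

if __name__ == "__main__":
    tms = categorize_system(TMS_INFO_TYPES)
    print(sc_notation("TMS", tms))
    print("Overall impact level:", overall_impact(tms).name)
```

A single information type rated Moderate on one objective is enough to raise the whole system to Moderate, which is why the adjustment to Air Transportation decides the answer here.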


