CISSP PRACTICE QUESTIONS – 20210217

Effective CISSP Questions

Based on the NIST Risk Management Framework (RMF), you are categorizing the Transportation Management System (TMS), which handles the information types Ground Transportation and Air Transportation. Which of the following is the most likely outcome of the system categorization?
A. Public
B. Moderate
C. Confidential
D. Catastrophic

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Moderate.

This question may look irrelevant to the CISSP exam, but it is not. I wrote it to remind CISSP aspirants that there are various perspectives on “asset” classification or categorization. Executive Order 12356, which mandates that national security information be classified, in terms of confidentiality, as Top Secret, Secret, or Confidential, is just one way to classify data.

Computers, software, networks, etc., are assets. They can be classified or categorized based on different criteria or perspectives. This question introduces the approach required by FIPS 199. Generally speaking, assets can be classified or categorized based on “business value.” My book, The Effective CISSP: Security and Risk Management, has the details.

Figure: Categorize System

If you look up the information types in question in NIST SP 800-60 V2 R1, it suggests a provisional security category of “Low” for Air Transportation. However, you can justify your own evaluation and modify the recommended value. The Moderate rating for the Availability of Air Transportation in this post is for demonstration purposes only.

The “Categorize System” step in the NIST RMF relies on two documents: FIPS 199 and NIST SP 800-60.

  • FIPS 199 defines the standard and procedure to determine the security category of an information system and the information types it handles.
  • The high water mark of the information types’ impact levels determines the system’s security category for each of confidentiality, integrity, and availability.

“Public” and “Confidential” are common data classification levels in terms of confidentiality, but that is not the scheme adopted in FIPS 199 and the RMF. “Catastrophic” is a term used when evaluating the potential impact, not a security category.
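As an added illustration (not part of the original post), the FIPS 199 high-water-mark rule applied to the two information types in the question. The provisional Low values and the adjustment reason are constructed for the example; the Moderate availability for Air Transportation is the post’s demonstration value.

```python
"""FIPS 199 high-water-mark categorization (added example, not from the post).
Provisional impact levels below are constructed, not copied from SP 800-60."""
from dataclasses import dataclass, field

LEVELS = ["N/A", "Low", "Moderate", "High"]  # FIPS 199 ordering, lowest first
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    name: str
    impact: dict                      # objective -> provisional level
    justifications: list = field(default_factory=list)

    def adjust(self, objective, level, why):
        """Override a provisional level, as SP 800-60 permits, and record why."""
        if objective not in OBJECTIVES or level not in LEVELS:
            raise ValueError(f"bad adjustment {objective}={level}")
        self.justifications.append(f"{objective}: {self.impact[objective]} -> {level}: {why}")
        self.impact[objective] = level


def high_water_mark(levels):
    """Highest impact level among the given levels."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """System SC = high water mark per objective across all information types.
    FIPS 199 allows N/A only for an information type's confidentiality;
    at the system level the floor is Low."""
    sc = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(t.impact[objective] for t in info_types)
        sc[objective] = "Low" if hwm == "N/A" else hwm
    return sc


def overall_impact(sc):
    """Single impact level for the whole system (highest of the three)."""
    return high_water_mark(sc.values())


def format_sc(name, sc):
    """Render in the FIPS 199 SC notation."""
    return f"SC {name} = {{" + ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES) + "}"


# Constructed sample input: two information types from the question.
GROUND = InfoType("Ground Transportation",
                  {"confidentiality": "Low", "integrity": "Low", "availability": "Low"})
AIR = InfoType("Air Transportation",
               {"confidentiality": "Low", "integrity": "Low", "availability": "Low"})
AIR.adjust("availability", "Moderate", "demonstration value used in the post")

if __name__ == "__main__":
    tms = categorize_system([GROUND, AIR])
    print(format_sc("TMS", tms), "->", overall_impact(tms))
```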

Figure: NIST RMF – Risk Management Framework (NIST SP 800-12 R1)
Figure: Potential Impact Definitions for Security Objectives (Source: FIPS 199)
Figure: Security Categorization of Mission Information (Source: NIST SP 800-60 V2 R1)

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Based on the NIST RMF, you are categorizing the Transportation Management System (TMS), which handles information types such as Ground Transportation and Air Transportation. Which of the following is the most likely outcome of the system categorization?
A. Public
B. Moderate
C. Confidential
D. Catastrophic
