An information system is categorized as a high-impact level system. Which of the following actions should be taken next?
A. Develop the business case
B. Implement security controls
C. Determine the scope of safeguards
D. Apply emergent patches to fix high-priority vulnerabilities.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Determine the scope of safeguards.
System categorization is conducted after a project is initiated; it implies that a business case has already been developed and that an alternative has been selected, accepted, approved, and turned into a project.
The implementation of security controls depends on first determining the scope of safeguards or security controls. A security control framework (SCM), e.g., NIST SP 800-53, provides the initial set of security controls, which is then tailored or modified. Scoping and tailoring are the core concepts of the Select Controls step in the NIST RMF, which is followed by the Implement Controls step.
Applying emergent patches to fix high-priority vulnerabilities implies the system is authorized to operate. However, system categorization is conducted in the initiation phase of the system development life cycle (SDLC).
Scoping refers to reviewing baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect. For example, if a system doesn’t allow any two people to log on to it at the same time, there’s no need to apply a concurrent session control.
Stewart, James M. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Wiley.
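As an added illustration that is not part of the original post, the following Python sketch models the Select Controls step described above: the categorization picks a baseline, scoping removes only the controls whose applicability condition is documented as met, and every removal is recorded with its justification. The baseline contents, control IDs per level, and system facts are constructed for illustration and are not a copy of SP 800-53B.

```python
"""Constructed model of RMF Select Controls (baseline -> scoping), not real baselines."""
from dataclasses import dataclass, field

# Constructed baselines: a handful of control IDs per impact level (illustrative only).
BASELINES = {
    "low":      {"AC-2", "AC-3", "AC-7", "AU-2", "SI-2"},
    "moderate": {"AC-2", "AC-3", "AC-7", "AC-11", "AU-2", "SI-2"},
    "high":     {"AC-2", "AC-3", "AC-7", "AC-10", "AC-11", "AU-2", "SI-2"},
}

# Scoping rules (constructed): control -> (system fact that makes it inapplicable,
# justification that must be recorded in the system security plan).
SCOPING_RULES = {
    "AC-10": ("single_session_only",
              "System does not permit concurrent logons; concurrent session control not applicable"),
    "AC-11": ("devices_never_unattended",
              "Devices are never left unattended; session lock not applicable"),
}


@dataclass
class TailoredControls:
    impact: str
    selected: set = field(default_factory=set)
    scoped_out: dict = field(default_factory=dict)  # control ID -> justification


def select_controls(impact: str, system_facts: dict) -> TailoredControls:
    """Start from the baseline matching the categorization, then scope out
    controls whose documented applicability condition holds for this system."""
    if impact not in BASELINES:
        raise ValueError(f"unknown impact level: {impact}")
    result = TailoredControls(impact=impact, selected=set(BASELINES[impact]))
    for control, (condition, justification) in SCOPING_RULES.items():
        # Only controls actually in the baseline can be scoped out, and only
        # when the system fact is affirmatively recorded (no silent defaults).
        if control in result.selected and system_facts.get(condition) is True:
            result.selected.discard(control)
            result.scoped_out[control] = justification
    return result


if __name__ == "__main__":
    tailored = select_controls("high", {"single_session_only": True})
    print(sorted(tailored.selected))
    print(tailored.scoped_out)
```

The scoped-out dictionary is the tailoring record: a control that leaves the selected set without a justification entry would be a gap an assessor should flag.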
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.