Effective CISSP Questions

An information system is categorized as a high-impact level system. Which of the following actions should be taken next?
A. Develop the business case
B. Implement security controls
C. Determine the scope of safeguards
D. Apply emergent patches to fix high-priority vulnerabilities.

Kindly be reminded that the suggested answer is for your reference only. Whether your answer is right or wrong doesn't matter; what really matters is your reasoning process and justifications.

My suggested answer is C. Determine the scope of safeguards.


System categorization is conducted after a project is initiated. That implies the business case has already been developed, an alternative has been selected, accepted and approved, and the effort has been turned into a project.

Implementing security controls depends on first determining which safeguards (security controls) apply. A security control framework (SCF), e.g., NIST SP 800-53, supplies a baseline that defines the initial scope of security controls, which is then tailored to the system. Scoping and tailoring are the core of the Select Controls step in the NIST RMF; that step follows Categorize System and precedes Implement Controls.

Applying emergent patches to fix high-priority vulnerabilities implies the system is already authorized to operate and in production. However, system categorization is conducted in the initiation phase of the system development life cycle (SDLC), before the system is built and deployed.

Scoping refers to reviewing baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect. For example, if a system doesn’t allow any two people to log on to it at the same time, there’s no need to apply a concurrent session control.

Stewart, James M. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Wiley.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.


4 thoughts on "CISSP PRACTICE QUESTIONS – 20210314"

  1. Hi Wentz Wu, during the process of data classification, the criteria for categorizing systems and the baselines to be implemented for each classification level would be defined. In the SDLC, as a new system is developed and categorized, would we not simply implement the controls per the classification policy? Why would we want to scope/tailor them again?

  2. I meant to ask why we are bringing in the SDLC. The question just says "An information system is categorized as a high-impact level system." Once a system is categorized by the owner, we can implement the security controls that have already been selected during the classification process (data classification policy).

    • Categorizing a “system” and classifying “data” are different. A system may process many types of data. A system has a system owner, while each data type has its data owner. We categorize a system to determine security controls to protect it when we are engineering a new system.
      Please refer to FIPS 199 and NIST SP 800-60 for more information about “Categorize System.”

  3. Pingback: NIST SDLC and RMF (continued) - Part II – Choson資安大小事
