An information system is categorized as a high-impact level system. Which of the following actions should be taken next?
A. Develop the business case
B. Implement security controls
C. Determine the scope of safeguards
D. Apply emergent patches to fix high-priority vulnerabilities.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Determine the scope of safeguards.
System categorization is conducted after a project is initiated; it implies a business case has been developed, and an alternative is selected, accepted, approved, and turned into a project.
The implementation of security controls depends on first determining the safeguards, i.e., the security controls, to be implemented. A security control framework, e.g., NIST SP 800-53, provides the initial set of security controls, which is then scoped and tailored. Scoping and tailoring are the core concepts of the Select Controls step in the NIST RMF, which is followed by the Implement Controls step.
Applying emergent patches to fix high-priority vulnerabilities implies the system is already authorized and in operation, whereas system categorization is conducted in the initiation phase of the system development life cycle (SDLC).
Scoping refers to reviewing baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect. For example, if a system doesn’t allow any two people to log on to it at the same time, there’s no need to apply a concurrent session control.
Stewart, James M. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Wiley.
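To make the ordering argument concrete, here is a small added example (not from the original post) that models the RMF step sequence and the scoping of a baseline: after Categorize, the only valid next step is Select, and Implement is rejected until the scope of safeguards has been determined. The baselines, the system features, and the applicability rules are an abbreviated, partly constructed subset for illustration, not the real NIST SP 800-53 baselines.

```python
# Toy model of the NIST RMF step ordering and of control scoping. Added example,
# not from the original post. Baselines below are an abbreviated, partly
# constructed subset, NOT the real NIST SP 800-53 baselines.
from dataclasses import dataclass, field

RMF_STEPS = ["Categorize", "Select", "Implement", "Assess", "Authorize", "Monitor"]
# Abbreviated baselines (constructed subset): control id -> title.
BASELINES = {
    "low": {"AC-2": "Account Management", "IA-2": "Identification and Authentication"},
    "moderate": {"AC-2": "Account Management", "IA-2": "Identification and Authentication",
                 "AC-10": "Concurrent Session Control"},
    "high": {"AC-2": "Account Management", "IA-2": "Identification and Authentication",
             "AC-10": "Concurrent Session Control", "AC-17": "Remote Access"},
}
# Scoping rules: a control applies only if the system has the named feature,
# e.g. AC-10 is scoped out of a system that allows no concurrent sessions.
APPLIES_IF = {"AC-10": "concurrent_sessions", "AC-17": "remote_access"}
@dataclass
class SystemRecord:
    name: str
    impact: str                     # FIPS 199 high-water mark: low/moderate/high
    features: set = field(default_factory=set)
    step_done: str = "Categorize"   # last completed RMF step
    controls: dict = field(default_factory=dict)
    tailoring_log: list = field(default_factory=list)
def next_step(rec):
    """RMF step following the last completed one (None after Monitor)."""
    i = RMF_STEPS.index(rec.step_done) + 1
    return RMF_STEPS[i] if i < len(RMF_STEPS) else None
def require(rec, step):
    """Enforce RMF ordering: a step may only start when it is the next one."""
    if next_step(rec) != step:
        raise RuntimeError(f"cannot {step}: next RMF step is {next_step(rec)}")
def select_controls(rec):
    """RMF 'Select': baseline for the impact level, minus scoped-out controls."""
    require(rec, "Select")
    for cid, title in BASELINES[rec.impact].items():
        feature = APPLIES_IF.get(cid)
        if feature and feature not in rec.features:
            rec.tailoring_log.append(f"{cid} scoped out: system has no {feature}")
        else:
            rec.controls[cid] = title
    rec.step_done = "Select"
    return rec.controls
def implement_controls(rec):
    """RMF 'Implement': only valid once the scope of safeguards is determined."""
    require(rec, "Implement")
    rec.step_done = "Implement"
    return sorted(rec.controls)
```

Every scoped-out control is recorded with its justification in `tailoring_log`, which is what an assessor would expect to see in the tailoring documentation.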
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.
A. Develop the business case
Hi Wentz Wu, during the process of data classification, criteria for categorizing the systems and baselines to be implemented for each classification level would be defined. In SDLC, as a new system is developed and categorized, would we not simply implement the controls per classification policy? Why would we want to scope/tailor them again?
I meant to ask why are we bringing in SDLC. The question just says ‘An information system is categorized as a high-impact level system’. Once a system is categorized by the owner we can implement the security controls that have already been selected during classification process (Data classification Policy)
Categorizing a “system” and classifying “data” are different. A system may process many types of data. A system has a system owner, while each data type has its data owner. We categorize a system to determine security controls to protect it when we are engineering a new system.
Please refer to FIPS 199 and NIST SP 800-60 for more information about “Categorize System.”