Effective CISSP Questions

Your organization is developing a new information system. Which of the following should be conducted first?
A. Assess risk to the system
B. Identify the data types processed by the system
C. Scope and tailor security controls
D. Prepare the authorization package

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Identify the data types processed by the system.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security, a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.


Categorizing a system means identifying the data types it processes and determining the system's impact level as the high watermark of the impact levels of those data types in terms of confidentiality, integrity, and availability.
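
The high-watermark rule described above, as an added example (not code from the original post). The data type names and their ratings are constructed sample input, and the "na" rating with a floor of low at the system level is an assumption of this sketch.

```python
from enum import IntEnum


class Impact(IntEnum):
    NA = 0        # "not applicable" rating for a data type (assumption of this sketch)
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(data_types):
    """Return (per-objective high watermark, overall system impact level)."""
    if not data_types:
        raise ValueError("identify at least one data type before categorizing")
    per_objective = {}
    for objective in OBJECTIVES:
        levels = []
        for name, ratings in data_types.items():
            try:
                levels.append(Impact[ratings[objective].upper()])
            except KeyError:
                raise ValueError(f"{name}: missing or invalid {objective} rating")
        # High watermark: the highest rating among all data types wins.
        # Assumption: the system itself is never rated below LOW.
        per_objective[objective] = max(max(levels), Impact.LOW)
    # The system's impact level is the highest of the three objectives.
    overall = max(per_objective.values())
    return per_objective, overall


# Constructed sample input: data types and ratings are hypothetical.
SAMPLE_DATA_TYPES = {
    "public_web_content": {"confidentiality": "na", "integrity": "moderate", "availability": "low"},
    "customer_contact_records": {"confidentiality": "moderate", "integrity": "low", "availability": "low"},
    "payroll_records": {"confidentiality": "high", "integrity": "moderate", "availability": "low"},
}

if __name__ == "__main__":
    per_objective, overall = categorize_system(SAMPLE_DATA_TYPES)
    for objective, level in per_objective.items():
        print(f"{objective}: {level.name}")
    print(f"system impact level: {overall.name}")
```

A single high-rated data type (here, the constructed payroll records) raises the whole system to high, which is why the data types have to be identified before the other steps can be done.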

A security control framework, e.g., NIST SP 800-53 R5, typically provides sets of security controls as baselines. Organizations can use a security control baseline as the initial scope and tailor it based on the security needs and requirements resulting from risk assessment.

The information system owner should prepare an authorization package that contains security and privacy plans, security and privacy assessment reports, and plans of action and milestones (for corrective actions and improvement) and submit it to the appropriate authority for the Authorization To Operate (ATO).


