You are the system owner of the ERP system and have selected baseline controls from a security control framework. A security control specified in the baseline needs to be modified based on system-specific requirements. Which of the following is the best means to justify the adjustment? (Wentz QOTD)
A. Information security policy
B. The result of risk assessment
C. The impact level of the system
D. The high watermark of the information types processed by the system
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. The result of risk assessment.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
In the NIST RMF, the Categorize step (the first system-level step in SP 800-37) determines the impact level of the system by applying the FIPS 199 high-water-mark rule to the security categories of the information types the system processes. That impact level drives the Select step: it decides which control baseline (low, moderate, or high) the system starts from. Modifying an individual control in that baseline to fit system-specific requirements is tailoring, and a tailoring decision is justified by, and documented with, the results of the risk assessment. The impact level and the high watermark (options C and D) only determine which baseline is selected; they do not justify changing a control within it.
Information security policy is crucial but high-level. It does not contain the detailed, system-specific requirements needed to direct the tailoring of individual security controls.
You are the system owner of the ERP system and have selected baseline controls from a security control framework. One security control in the baseline needs to be modified based on system-specific requirements. Which of the following is the best means to justify the adjustment? (Wentz QOTD)