CISSP PRACTICE QUESTIONS – 20211207

Effective CISSP Questions

You are selecting controls based on the NIST Risk Management Framework (RMF). Which of the following situations most likely requires tailoring the selected security control baseline? (Wentz QOTD)
A. Insider threats exist within organizations.
B. Organizational systems are multi-user (either serially or concurrently) in operation.
C. Organizations have the necessary structure, resources, and infrastructure to implement the controls.
D. Some information in organizational systems is not shareable with other users who have authorized access to the same systems.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Insider threats exist within organizations.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

NIST SDLC and RMF

When employing a security control framework, we should be aware of the assumptions behind it, because the controls in a framework address common threats only under certain assumptions.

When employing the NIST Risk Management Framework, which draws on the security control catalog in NIST SP 800-53 R5, we can select a control baseline from the catalog as the initial scope and then tailor it based on a risk assessment of the system. The baselines assume:

  • Organizational systems are multi-user (either serially or concurrently) in operation.
  • Organizations have the necessary structure, resources, and infrastructure to implement the controls.
  • Some information in organizational systems is not shareable with other users who have authorized access to the same systems.

However, the baselines do not assume that insider threats exist within organizations, because insider threats are context-specific and take diverse forms; a system facing them therefore most likely requires tailoring of the selected baseline.

You are selecting controls based on the NIST Risk Management Framework (RMF). Which of the following situations most likely requires tailoring the selected security control baseline? (Wentz QOTD)
A. Insider threats exist within organizations.
B. Organizational systems are multi-user (either serially or concurrently) in operation.
C. Organizations have the necessary structure, resources, and infrastructure to implement the controls.
D. Some information in organizational systems is not shareable with other users who have authorized access to the same systems.
