
As the system owner, you are categorizing an information system to determine baseline security controls. Which of the following criteria is the best for system categorization? (Wentz QOTD)
A. Resilience of the information system
B. Availability of information and information system
C. The safety and experience of system users
D. Security properties of information types processed by the system
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Security properties of information types processed by the system.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Even though the safety and experience of system users is the first priority and golden rule in information security, this question assumes the context of the NIST Risk Management Framework (RMF). In the Categorize step (FIPS 199 and SP 800-60), the system owner identifies the information types the system processes, stores, or transmits and assigns each one a potential impact level (low, moderate, or high) for each of the three security objectives: confidentiality, integrity, and availability. The security category of the system is the high water mark of those values for each objective across all of its information types, and the overall impact level of the system (FIPS 200) is the highest of the three, which in turn selects the low, moderate, or high control baseline from SP 800-53. Resilience (A) is not a categorization criterion, availability (B) is only one of the three security objectives, and user safety and experience (C) are not what FIPS 199 categorizes, so D is the best answer.
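The high water mark procedure described above, as an added example that is not part of the original post. It follows the FIPS 199 rules (a "not applicable" value is allowed only for the confidentiality of an information type, and a system-level objective can never be below LOW); the information types and their impact levels are constructed for illustration and are not taken from SP 800-60 Volume II.

```python
"""Added example: FIPS 199 style security categorization of an information system.

A system's security category is the high water mark, per security objective,
of the impact levels of the information types it processes; the overall impact
level (FIPS 200) is the highest of the three objectives.
"""
from typing import Dict, Iterable

# Ordered from lowest to highest potential impact.
LEVELS = ("NA", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _rank(level: str) -> int:
    """Position of an impact level in LEVELS; rejects unknown values."""
    level = level.upper()
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def validate_information_type(name: str, impacts: Dict[str, str]) -> None:
    """Check one information type: all three objectives present, NA only for
    confidentiality (FIPS 199 permits NA solely for that objective)."""
    missing = [o for o in OBJECTIVES if o not in impacts]
    if missing:
        raise ValueError(f"{name}: missing objective(s) {missing}")
    for objective, level in impacts.items():
        if objective not in OBJECTIVES:
            raise ValueError(f"{name}: unknown objective {objective!r}")
        if level.upper() == "NA" and objective != "confidentiality":
            raise ValueError(f"{name}: NA is only allowed for confidentiality")
        _rank(level)


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level in the collection."""
    return max((lvl.upper() for lvl in levels), key=_rank)


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Security category of the system: per-objective high water mark across
    all information types, with LOW as the floor (a system objective can
    never be NA)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for name, impacts in info_types.items():
        validate_information_type(name, impacts)
    category = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(impacts[objective] for impacts in info_types.values())
        category[objective] = "LOW" if _rank(hwm) < _rank("LOW") else hwm
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """Overall impact level of the system (FIPS 200): highest objective value.
    This level selects the low, moderate, or high SP 800-53 baseline."""
    return high_water_mark(category[o] for o in OBJECTIVES)


def format_security_category(system: str, category: Dict[str, str]) -> str:
    """Render the FIPS 199 notation, e.g. SC x = {(confidentiality, LOW), ...}."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {system} = {{{pairs}}}"


# Constructed sample: three information types processed by a hypothetical
# "order-portal" system (illustrative values, not SP 800-60 provisional ones).
SAMPLE_INFO_TYPES = {
    "public web content": {"confidentiality": "NA", "integrity": "MODERATE", "availability": "LOW"},
    "customer PII": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "order processing": {"confidentiality": "LOW", "integrity": "HIGH", "availability": "MODERATE"},
}

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_security_category("order-portal", sc))
    print("overall impact level:", overall_impact(sc))
```

The per-objective result for the sample is MODERATE/HIGH/MODERATE and the overall impact level is HIGH, driven by the integrity of order processing: the system owner ends up with the high baseline even though no single information type is high in more than one objective, which is exactly the effect of the high water mark rule.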


As the system owner, you are categorizing an information system to determine baseline security controls. Which of the following criteria is the best for system categorization? (Wentz QOTD)
A. Resilience of the information system
B. Availability of information and the information system
C. The safety and experience of system users
D. Security properties of the information types processed by the system