Which of the following should be identified or determined first when implementing the NIST Risk Management Framework? (Wentz QOTD)
A. The system-specific risks
B. The assessor or assessment team
C. The impact of the information system in question
D. The high watermark of the impact of Information types
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. The system-specific risks.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
When implementing the RMF (the seven-step framework of NIST SP 800-37 Rev. 2), the first step is Prepare: establishing the context and priorities for managing security and privacy risk at both the organization level and the system level, before the system is categorized, controls are selected, or anything is assessed.
- The system-level risk assessment is a Prepare-step task (P-14); its expected outcome is that a system-level risk assessment is completed or an existing risk assessment is updated. It builds on the organization-level risk assessment (P-3), also in Prepare, and is refreshed on an ongoing basis as the RMF proceeds. This is why the system-specific risks are identified first.
- The high water mark of the impact levels of the system's information types, and from it the impact level of the information system itself, is determined in the Categorize System step (security categorization per FIPS 199), which follows Prepare.
- The assessor or assessment team is selected in the Assess Controls step (task A-1, Assessor Selection), which comes later still.
When implementing the NIST Risk Management Framework (RMF), which of the following should be identified or determined first? (Wentz QOTD)