Which of the following is the primary target or fundamental unit that the NIST Risk Management Framework protects? (Wentz QOTD)
A. Common controls
B. Personal data and privacy
C. The information system in question
D. Data processed by the information system

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. The information system in question.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

The Peacock as a Metaphor for Information System

NIST SP 800-37 R2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, is also known as the NIST RMF. It’s a risk management framework developed based on the FARM model (Frame, Assess, Respond, and Monitor) that addresses risk at the organization level, mission/business process level, and information system level.

The NIST RMF categorizes an information system based on the high water mark of the information types it processes, provides baseline controls to mitigate common risks, offers a consistent approach to assess controls and authorize the system, and monitors the implemented security controls throughout the system life cycle.
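The "high water mark" in the paragraph above is the FIPS 199 rule: for each security objective (confidentiality, integrity, availability) the system inherits the highest provisional impact level among all information types it processes, and the overall system impact level (FIPS 200) is the highest of those three. The script below is an added illustration, not code from the page or from NIST; the three information types and their impact levels are constructed sample values, not taken from NIST SP 800-60.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() picks the highest."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample: provisional impact levels for three information types
# processed by one hypothetical system (illustrative values only).
INFO_TYPES = {
    "public web content": {"C": Impact.LOW,      "I": Impact.MODERATE, "A": Impact.LOW},
    "customer records":   {"C": Impact.MODERATE, "I": Impact.MODERATE, "A": Impact.LOW},
    "financial ledger":   {"C": Impact.MODERATE, "I": Impact.HIGH,     "A": Impact.MODERATE},
}

OBJECTIVES = ("C", "I", "A")


def security_category(info_types):
    """High water mark per security objective (FIPS 199).

    For confidentiality, integrity and availability separately, take the
    highest impact level found across every information type the system
    processes. A system with no information types cannot be categorized.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        obj: max(levels[obj] for levels in info_types.values())
        for obj in OBJECTIVES
    }


def system_impact(category):
    """Overall system impact level (FIPS 200): the highest of the three
    objectives. This single level is what drives selection of the low,
    moderate or high control baseline."""
    return max(category.values())


def format_category(category):
    """Render the result in FIPS 199 notation: SC = {(confidentiality, x), ...}."""
    names = {"C": "confidentiality", "I": "integrity", "A": "availability"}
    parts = ", ".join(f"({names[k]}, {v.name.lower()})" for k, v in category.items())
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    cat = security_category(INFO_TYPES)
    print(format_category(cat))
    print("Overall system impact:", system_impact(cat).name)
```

Note that a single high-impact objective on a single information type (here, integrity of the financial ledger) is enough to pull the whole system to the high baseline; that is why the RMF treats the information system, not any one data set, as the unit that gets categorized, authorized and monitored.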

Categorize System
RMF Transition


Which of the following is the primary target or fundamental unit that the NIST Risk Management Framework (RMF) protects? (Wentz QOTD)
A. Common controls
B. Personal data and privacy
C. The information system itself
D. Data processed by the information system

