Which of the following is the most crucial concept used to categorize an information system based on the NIST Risk Management Framework? (Wentz QOTD)
A. Scoping
B. Tailoring
C. High watermark
D. System-specific risk assessment
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. High watermark.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
According to the NIST RMF (NIST SP 800-37 Rev. 2), the “Prepare” step comes first, followed by “Categorize System” and “Select Controls.”
- Organization-level and system-level risk assessments are conducted in the “Prepare” step (Prepare tasks P-3 and P-14), before the system is categorized.
- “Categorize System” means determining the impact level of an information system. Per FIPS 199, the system’s security category takes, for each of confidentiality, integrity, and availability, the highest impact level among the information types the system processes; the overall impact level (low, moderate, or high) is then the highest of those three values. This is the high watermark concept (FIPS 200), and it is what drives the categorization decision.
- “Select Controls” starts from the control baseline that matches the system’s overall impact level (the low, moderate, and high baselines in NIST SP 800-53B; in SP 800-53 Revision 4 they sat in Appendix D) as the initial scope, then tailors that baseline (scoping considerations, compensating controls, organization-defined parameters) based on the system-specific risk assessment to arrive at the final set of controls to implement. Scoping and tailoring therefore refine the control selection; they do not categorize the system.
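As an added example that is not part of the original post, the following Python walks through the categorization logic above: it builds a FIPS 199 security category from a system’s information types (highest impact per objective), takes the high watermark across the three objectives, and maps that to the SP 800-53B baseline that seeds the “Select Controls” step. The system name, the information types, and their impact levels are constructed for illustration; real values come from NIST SP 800-60 Volume II and the organization’s own adjustments. It also handles the one edge case FIPS 199 allows, a “not applicable” confidentiality impact for information intended for public release.

```python
"""FIPS 199 security categorization with the RMF high watermark.

Added example (not from the original post). Information types, their
impact levels and the system name below are constructed for illustration;
in practice they come from NIST SP 800-60 Volume II and the
organization's own adjustments.
"""
from dataclasses import dataclass

# Ordered lattice of FIPS 199 impact values. "NA" (not applicable) is
# permitted only for confidentiality (e.g. public information); it is the
# lowest element so that max() never picks it over a real level.
IMPACT_ORDER = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: unknown impact level {level!r} for {obj}")
            if level == "NA" and obj != "confidentiality":
                raise ValueError(f"{self.name}: NA is only allowed for confidentiality (FIPS 199)")


def _max_level(levels):
    return max(levels, key=IMPACT_ORDER.__getitem__)


def security_category(info_types):
    """FIPS 199 security category: per objective, the highest impact level
    among all information types the system processes."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: _max_level(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}


def high_water_mark(category):
    """Overall system impact level (FIPS 200 / SP 800-53 high watermark):
    the highest of the three objective levels. NA cannot be the result,
    because integrity and availability are never NA."""
    return _max_level(category.values())


def select_baseline(level):
    """Map the overall impact level to the SP 800-53B baseline that seeds the
    'Select Controls' step. Tailoring happens after this, not here."""
    return {"LOW": "low", "MODERATE": "moderate", "HIGH": "high"}[level]


def categorize(info_types):
    """Run the 'Categorize System' step end to end and pick the initial baseline."""
    category = security_category(info_types)
    level = high_water_mark(category)
    return {"security_category": category, "impact_level": level, "baseline": select_baseline(level)}


def format_sc(system_name, category):
    """Render the category in FIPS 199 notation, e.g.
    SC hr_portal = {(confidentiality, MODERATE), (integrity, HIGH), (availability, LOW)}"""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{inner}}}"


# Constructed sample: a system that hosts public press releases alongside
# payroll and financial reporting data.
SAMPLE_SYSTEM = [
    InformationType("public press releases", "NA", "MODERATE", "LOW"),
    InformationType("payroll records", "MODERATE", "MODERATE", "LOW"),
    InformationType("financial reporting", "LOW", "HIGH", "LOW"),
]

if __name__ == "__main__":
    result = categorize(SAMPLE_SYSTEM)
    print(format_sc("hr_portal", result["security_category"]))
    print("overall impact level:", result["impact_level"])   # HIGH
    print("initial baseline:", result["baseline"])           # high
```

Note how a single HIGH integrity rating on one information type lifts the whole system to the high baseline even though every other value is MODERATE or lower; that is exactly the conservatism the high watermark buys, and it is why tailoring afterwards matters.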