Effective CISSP Questions

As a system owner, you are selecting controls for the information system and the environment of operation based on the NIST Risk Management Framework (RMF). Which of the following is least likely to be an input of selecting controls? (Wentz QOTD)
A. Security and privacy plan
B. Cybersecurity Framework (CSF) profiles
C. Controls selected by the organization’s own selection process
D. Pre-defined security control baselines or pre-approved overlays

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Security and privacy plan.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

NIST Risk Management Framework (RMF) (Source: OpenControl)

The explanation in this post is a compilation of NIST guidelines, such as NIST SP 800-18 R1, NIST SP 800-37 R2, NIST SP 800-53 R5, NIST SP 800-53B, and NIST SP 800-53A.

  • NIST SP 800-53 Rev 5.1 (all controls) and NIST SP 800-53B (baselines only) are the latest versions. They provide both security and privacy controls, while the older version (e.g., NIST SP 800-53 R4) contains security controls only.
  • NIST SP 800-53A R4 provides guidelines for assessing security and privacy controls.

Select Controls

There are two approaches that can be used for the initial selection of controls: a baseline control selection approach, or an organization-generated control selection approach.

  • The baseline control selection approach uses control baselines, which are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest.
  • The organization-generated control selection approach differs from the baseline selection approach because the organization does not start with a pre-defined set of controls. Rather, the organization uses its own selection process to select controls. This may be necessary when the system is highly specialized (e.g., a weapons system or a medical device) or has limited purpose or scope (e.g., a smart meter). In these situations, it may be more efficient and cost-effective for an organization to select a specific set of controls for the system (i.e., a bottom-up approach) instead of starting with a pre-defined set of controls from a broad-based control baseline and subsequently eliminating controls through the tailoring process (i.e., top-down approach).

System Security Plan

The controls selected or planned must be documented in a system security plan.

The system security plan 1) provides a summary of the security requirements for the information system and 2) describes the security controls in place or planned for meeting those requirements. It is the output of the “Select Controls” step of the NIST Risk Management Framework (RMF) and is informed by various inputs.

The plan also may reference other key security-related documents for the information system such as a risk assessment, plan of action and milestones, accreditation decision letter, privacy impact assessment, contingency plan, configuration management plan, security configuration checklists, and system interconnection agreements as appropriate.

Security Planning Process Inputs/Outputs (Source: NIST SP 800-18 R1)

Security Controls

Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders. Controls are selected and implemented by the organization in order to satisfy the system requirements.

Controls can include administrative, technical, and physical aspects. NIST SP 800-53 contains the management, operational, and technical safeguards or countermeasures prescribed for an information system.

Of the 20 control families in NIST SP 800-53, 17 are aligned with the minimum security requirements in [FIPS 200]. The Program Management (PM), PII Processing and Transparency (PT), and Supply Chain Risk Management (SR) families address enterprise-level program management, privacy, and supply chain risk considerations pertaining to federal mandates emergent since [FIPS 200].

Security and Privacy Control Families (Source: NIST SP 800-53 R5)

Control Structure

In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for particular controls within the SDLC.

Control Structure (Source: NIST SP 800-53 R5)

Tailoring Process defined in the NIST RMF

Tailoring refers to “the process by which security and privacy control baselines are modified by 1) identifying and designating common controls, 2) applying scoping considerations on the applicability and implementation of baseline controls, 3) selecting compensating controls, 4) assigning specific values to organization-defined control parameters, 5) supplementing baselines with additional controls or control enhancements, and 6) providing additional specification information for control implementation.”

Tailored control baselines may also be referred to as overlays. An organizationally-tailored control baseline is analogous to an organization-wide overlay, since an overlay is a tailored baseline that serves a community of interest, in this case, the organization.

  • Common controls are controls that may be inherited by one or more organizational systems. If a system inherits a common control provided by another entity (internal or external), there is no need to implement the control within that system.
  • A system-specific control is “a security or privacy control for an information system that is implemented at the system level and is not inherited by any other information system.”
  • A hybrid control is “a security or privacy control that is implemented for an information system, in part as a common control and in part as a system-specific control.”
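As an added illustration (not code from the post or from NIST), here is a toy Python model of the six tailoring activities quoted above, applied to a constructed baseline subset for a hypothetical smart-meter system and producing the control entries a system security plan would record as common, hybrid or system-specific. The control IDs are sample NIST SP 800-53 identifiers; the providers, the parameter value, the scoping reason and the "AC-2-ALT" replacement are assumptions made for the example.

```python
# Added example (not from the post or NIST): toy model of the six tailoring
# activities applied to a baseline. Control IDs are sample SP 800-53
# identifiers; the baseline and all decisions below are constructed.
BASELINE = {"AC-2": "Account Management", "AU-2": "Event Logging",
            "AU-11": "Audit Record Retention", "CP-9": "System Backup",
            "PE-3": "Physical Access Control"}

def tailor(baseline, common, hybrid, scoped_out, compensating, params, supplements):
    """Return {control_id: entry} for the system security plan.
    common/hybrid {id: provider}       step 1: inherited / partly inherited
    scoped_out    {id: reason}         step 2: not applicable to this system
    compensating  {id: (new_id, name)} step 3: replacement for a baseline control
    params        {id: value}          step 4: organization-defined parameter
    supplements   {id: name}           step 5: controls added beyond the baseline
    The free-text 'note' on each entry stands in for step 6 (added detail)."""
    plan = {}
    for cid, name in list(baseline.items()) + list(supplements.items()):
        if cid in scoped_out:          # step 2: drop, record nothing in-system
            continue
        if cid in compensating:        # step 3: swap in the compensating control
            new_id, new_name = compensating[cid]
            plan[new_id] = {"name": new_name, "type": "system-specific",
                            "note": f"compensating control for {cid}"}
            continue
        entry = {"name": name, "type": "system-specific", "note": ""}
        if cid in common:              # step 1: inherited, nothing to implement here
            entry.update(type="common", note=f"inherited from {common[cid]}")
        elif cid in hybrid:
            entry.update(type="hybrid", note=f"partly inherited from {hybrid[cid]}")
        if cid in supplements:         # step 5
            entry["note"] = "supplemental control beyond the baseline"
        if cid in params:              # step 4
            entry["parameter"] = params[cid]
        plan[cid] = entry
    return plan

def example_plan():
    """Constructed decisions for a hypothetical smart-meter system."""
    return tailor(
        BASELINE,
        common={"PE-3": "data center common control provider"},
        hybrid={"AU-2": "enterprise SIEM team"},
        scoped_out={"CP-9": "device stores no data that needs backup"},
        compensating={"AC-2": ("AC-2-ALT", "Vendor-managed account lifecycle")},
        params={"AU-11": "retain audit records for 1 year"},
        supplements={"SI-4": "System Monitoring"},
    )
```

Each resulting entry carries the inheritance type and a note, which is exactly the information the "Select Controls" output, the system security plan, has to document per control.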

Security Control Selection Process (Source: NIST SP 800-53 R4)
