nerdexam
(ISC)2

CAP · Question #296

Which of the following formulas was developed by FIPS 199 for categorization of an information system?

The correct answer is B. SC information system = {(confidentiality, impact), (integrity, impact),(availability, impact)}. FIPS 199 defines the security category of an information system using the same three CIA objectives as for an information type, each paired with an impact level (Low, Moderate, or High). The overall system security category is determined by taking the highest impact value across

Security and Privacy Governance, Risk Management, and Compliance Program

Question

Which of the following formulas was developed by FIPS 199 for categorization of an information system?

Options

  • ASC information system = {(confidentiality, impact), (integrity, controls), (availability, risk)}
  • BSC information system = {(confidentiality, impact), (integrity, impact),(availability, impact)}
  • CSC information system = {(confidentiality, controls), (integrity, controls), (availability,
  • DSC information system = {(confidentiality, risk), (integrity, impact), (availability, controls)}

How the community answered

(45 responses)
  • B
    93% (42)
  • C
    4% (2)
  • D
    2% (1)

Explanation

FIPS 199 defines the security category of an information system using the same three CIA objectives as for an information type, each paired with an impact level (Low, Moderate, or High). The overall system security category is determined by taking the highest impact value across all information types processed by the system (the 'high-water mark' principle). The correct formula is: SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}. Options using 'controls' or 'risk' instead of 'impact' are incorrect.

Topics

#FIPS 199#Information System Categorization#Security Categorization#CIA Impact Levels

Community Discussion

No community discussion yet for this question.

Full CAP Practice