
CAS-002 Question #342: Real Exam Question with Answer & Explanation

The correct answer is B: Database server = {(Confidentiality HIGH),(Integrity Moderate),(Availability Moderate)}. FIPS 199 requires using the high-water mark across all information types for each security objective independently to derive the aggregate system categorization.

Question

An administrator is trying to categorize the security impact of a database server in the case of a security event. There are three databases on the server:

  • Current Financial Data = High level of damage if data is disclosed. Moderate damage if the system goes offline.
  • Archived Financial Data = No need for the database to be online. Low damage for integrity loss.
  • Public Website Data = Low damage if the site goes down. Moderate damage if the data is corrupted.

Given these security categorizations of each database, which of the following is the aggregate security categorization of the database server?

Options

  • A. Database server = {(Confidentiality HIGH),(Integrity High),(Availability High)}
  • B. Database server = {(Confidentiality HIGH),(Integrity Moderate),(Availability Moderate)}
  • C. Database server = {(Confidentiality HIGH),(Integrity Moderate),(Availability Low)}
  • D. Database server = {(Confidentiality Moderate),(Integrity Moderate),(Availability Moderate)}

Explanation

FIPS 199 requires using the high-water mark across all information types for each security objective independently to derive the aggregate system categorization.

Common mistakes.

  • A. No individual database has a High availability impact - the highest availability rating is Moderate for Current Financial Data, so the aggregate cannot reach High.
  • C. Availability cannot be Low because Current Financial Data carries a Moderate availability impact, which sets the high-water mark above Low.
  • D. Confidentiality must be HIGH, not Moderate, because Current Financial Data is explicitly assigned a High confidentiality impact that propagates to the aggregate.
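The high-water mark rule in the explanation is mechanical enough to script, and doing so makes each distractor's failure visible. The following is an added example, not part of the exam question or of FIPS 199 itself. It encodes only the impacts the question states (an objective the question does not mention for a database is recorded as None and contributes nothing), takes the maximum per objective independently, and reports which information type set each mark. The floor-at-LOW behaviour for an objective that no information type rates is FIPS 199's own system-level rule (N/A is not permitted for a system), and is included as a caveat; it does not affect this question's answer.

```python
from enum import IntEnum
from typing import Dict, List, Optional

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    """FIPS 199 potential impact levels; ordering lets max() pick the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample: the three databases from the question, mapped to the
# objectives the question actually states. None = not stated for that objective.
DATABASES: Dict[str, Dict[str, Optional[Impact]]] = {
    "Current Financial Data": {
        "confidentiality": Impact.HIGH,      # "High level of damage if data is disclosed"
        "integrity": None,
        "availability": Impact.MODERATE,     # "Moderate damage if the system goes offline"
    },
    "Archived Financial Data": {
        "confidentiality": None,
        "integrity": Impact.LOW,             # "Low damage for integrity loss"
        "availability": None,                # "No need for the database to be online"
    },
    "Public Website Data": {
        "confidentiality": None,
        "integrity": Impact.MODERATE,        # "Moderate damage if the data is corrupted"
        "availability": Impact.LOW,          # "Low damage if the site goes down"
    },
}


def high_water_mark(info_types: Dict[str, Dict[str, Optional[Impact]]], objective: str) -> Impact:
    """Aggregate one security objective across all information types on the system.

    Each objective is aggregated independently of the others (the FIPS 199 rule the
    explanation relies on). If no information type rates the objective at all, the
    system-level value floors at LOW, because FIPS 199 does not allow N/A for a system.
    """
    stated = [ratings[objective] for ratings in info_types.values() if ratings[objective] is not None]
    return max(stated, default=Impact.LOW)


def categorize_system(info_types: Dict[str, Dict[str, Optional[Impact]]]) -> Dict[str, Impact]:
    """Return the aggregate security category {objective: Impact} for the whole system."""
    return {obj: high_water_mark(info_types, obj) for obj in OBJECTIVES}


def driving_info_types(info_types: Dict[str, Dict[str, Optional[Impact]]], objective: str) -> List[str]:
    """Names of the information types whose rating set the high-water mark for an objective.

    Useful when justifying a categorization to an assessor: it shows exactly why
    a lower aggregate (e.g. option C's Availability Low) cannot be correct.
    """
    mark = high_water_mark(info_types, objective)
    return [name for name, ratings in info_types.items() if ratings[objective] == mark]


def format_category(system_name: str, category: Dict[str, Impact]) -> str:
    """Render the category in the FIPS 199 SC notation used by the answer options."""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


if __name__ == "__main__":
    category = categorize_system(DATABASES)
    print(format_category("database server", category))
    for obj in OBJECTIVES:
        print(f"  {obj}: {category[obj].name}, set by {driving_info_types(DATABASES, obj)}")
```

Running it prints Confidentiality HIGH (set by Current Financial Data), Integrity MODERATE (set by Public Website Data) and Availability MODERATE (set by Current Financial Data), which is option B; the "set by" lines are the same reasoning the common-mistakes list gives for rejecting A, C and D.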

Concept tested. FIPS 199 aggregate security categorization (high-water mark).

Reference. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
