CISSP Question #196: Real Exam Question with Answer & Explanation
The correct answer is D: System security categorization.
Question
What is the process called when impact values are assigned to the security objectives for information types?
Options
- A. Qualitative analysis
- B. Quantitative analysis
- C. Remediation
- D. System security categorization
Explanation
System security categorization is the formal NIST process of assigning impact values (low, moderate, high) to security objectives (confidentiality, integrity, availability) for information types and systems.
Common mistakes.
- A. Qualitative analysis is a risk assessment method that uses descriptive scales and subjective judgment to evaluate risk, not a process specifically focused on assigning impact values to security objectives for information types.
- B. Quantitative analysis assigns numerical or monetary values to risks and assets for cost-benefit calculations, which is a broader risk assessment technique rather than the structured process of categorizing information types by security impact levels.
- C. Remediation refers to the process of fixing or mitigating identified vulnerabilities or security deficiencies, not the assignment of impact values to security objectives.
Concept tested. FIPS 199 system security categorization of information types
Reference. https://csrc.nist.gov/publications/detail/fips/199/final