PrepAway - Latest Free Exam Questions & Answers

Which choice below is NOT one of NIST’s 33 IT security principles?

Which choice below is NOT one of NIST’s 33 IT security principles?

PrepAway - Latest Free Exam Questions & Answers

A.
Assume that external systems are insecure.

B.
Minimize the system elements to be trusted.

C.
Implement least privilege.

D.
Totally eliminate any level of risk.

Explanation:
Risk can never be totally eliminated. NIST IT security principle #4 states: Reduce risk to an acceptable
level. The National Institute of Standards and Technology’s (NIST) Information Technology
Laboratory (ITL) released NIST Special Publication (SP) 800-27, Engineering Principles for Information
Technology Security (EP-ITS) in June 2001 to assist in the secure design, development, deployment,
and life-cycle of information systems. It presents 33 security principles which start at the design
phase of the information system or application and continue until the system’s retirement and
secure disposal. Some of the other 33 principles are: Principle 1. Establish a sound security policy as
the foundation for design. Principle 2. Treat security as an integral part of the overall system design.
Principle 5. Assume that external systems are insecure. Principle 6. Identify potential trade-offs
between reducing risk and increased costs and decrease in other aspects of operational
effectiveness. Principle 7. Implement layered security (ensure no single point of vulnerability).
Principle 11. Minimize the system elements to be trusted. Principle 16. Isolate public access systems
from mission critical resources (e.g., data, processes, etc.). Principle 17. Use boundary mechanisms
to separate computing systems and network infrastructures. Principle 22. Authenticate users and
processes to ensure appropriate access control decisions both within and across domains. Principle
23. Use unique identities to ensure accountability. Principle 24. Implement least privilege. Source:
NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A
Baseline for Achieving Security), and Federal Systems Level Guidance for Securing Information
Systems, James Corrie, August 16, 2001 .


Leave a Reply