PrepAway - Latest Free Exam Questions & Answers

Which choice below is NOT one of NIST’s 33 IT security principles?

A. Assume that external systems are insecure.

B. Minimize the system elements to be trusted.

C. Implement least privilege.

D. Totally eliminate any level of risk.

Explanation:
Risk can never be totally eliminated. NIST IT security principle #4 states: Reduce risk to an acceptable level. The National Institute of Standards and Technology's (NIST) Information Technology Laboratory (ITL) released NIST Special Publication (SP) 800-27, Engineering Principles for Information Technology Security (EP-ITS), in June 2001 to assist in the secure design, development, deployment, and life cycle of information systems. It presents 33 security principles that start at the design phase of the information system or application and continue until the system's retirement and secure disposal.
Some of the other 33 principles are:

Principle 1. Establish a sound security policy as the foundation for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.
Principle 7. Implement layered security (ensure no single point of vulnerability).
Principle 11. Minimize the system elements to be trusted.
Principle 16. Isolate public access systems from mission critical resources (e.g., data, processes, etc.).
Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures.
Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
Principle 23. Use unique identities to ensure accountability.
Principle 24. Implement least privilege.

Source: NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), and Federal Systems Level Guidance for Securing Information Systems, James Corrie, August 16, 2001.