Exam SY0-601 topic 1 question 321 discussion

Actual exam question from CompTIA's SY0-601
Question #: 321
Topic #: 1

A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?

  • A. The Diamond Model of Intrusion Analysis
  • B. CIS Critical Security Controls
  • C. NIST Risk Management Framework
  • D. ISO 27002
Suggested Answer: C

Comments

Dachosenone
Highly Voted 2 years, 2 months ago
Selected Answer: C
C. NIST Risk Management Framework is the framework the CISO is using to evaluate the environment for this new ERP system. The NIST Risk Management Framework (RMF) is a structured approach to managing information security risk that is used by organizations to ensure the confidentiality, integrity, and availability of their information systems and data. The CISO's actions of categorizing the system, selecting the controls that apply to the system, implementing the controls, and then assessing the success of the controls before authorizing the system align with the six steps of the NIST RMF:
1. Categorize information systems
2. Select security controls
3. Implement security controls
4. Assess security controls
5. Authorize information systems
6. Monitor security controls
By using the NIST RMF, the CISO can ensure that a comprehensive and systematic approach to information security is taken when evaluating the new ERP system and can reduce the risk of potential security incidents or breaches.
upvoted 29 times
Ranaer
Highly Voted 2 years, 2 months ago
Selected Answer: C
I believe the correct answer here is C. NIST RMF has a simple 7-step process:
1. Essential activities to prepare the organization to manage security and privacy risks
2. Categorize the system and information processed, stored, and transmitted based on an impact analysis
3. Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
4. Implement the controls and document how controls are deployed
5. Assess to determine if the controls are in place, operating as intended, and producing the desired results
6. Senior official makes a risk-based decision to authorize the system (to operate)
7. Continuously monitor control implementation and risks to the system.
The actions of the CISO correspond to that process. This is why I will select C.
upvoted 8 times
LordJaraxxus
Most Recent 1 year, 1 month ago
Selected Answer: C
So without a doubt the correct answer is C. NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations,” covers the Risk Management Framework (RMF). While U.S. federal government agencies must adopt the RMF, many private sector organizations adopt it as well. RMF provides organizations with a seven-step process to identify and mitigate risks. The seven steps are:
- Select security controls. Personnel select and tailor the controls necessary to protect their operations and assets. They typically start with baselines and then tailor the baselines as needed.
- Implement security controls. In this step, personnel implement the selected controls. If changes are required, personnel document them.
- Assess security controls. Next, personnel assess the controls to see if they are producing the desired outcome. This includes verifying they are implemented correctly and operating as expected.
upvoted 1 times
Afel_Null
1 year, 7 months ago
Selected Answer: C
ISO 27001 regards data security, CIS - cybersecurity. ERP (Enterprise Resource Planning) relates to neither. NIST seems to fit best, although it's only relevant in the US, while ISO is international.
upvoted 1 times
Afel_Null
1 year, 7 months ago
ISO 27002 - this document supplies guidelines and rules; it's ISO 27001 that you can certify against.
upvoted 1 times
ApplebeesWaiter1122
1 year, 11 months ago
Selected Answer: C
The NIST Risk Management Framework (RMF) is a widely recognized framework developed by the National Institute of Standards and Technology (NIST) for assessing and managing risks within an organization's information systems. It provides a structured and systematic approach to risk management.
upvoted 4 times
NeoSam999
2 years, 2 months ago
Selected Answer: C
https://csrc.nist.gov/projects/risk-management/about-rmf
upvoted 5 times
TunexBaba
2 years, 2 months ago
Selected Answer: C
C is the right answer
upvoted 3 times
sdc939
2 years, 2 months ago
Why is it not C then?
upvoted 1 times
pmmg
2 years, 3 months ago
I think D. From ISO 27002: "Information security is achieved by implementing a suitable set of controls, including policies, rules, processes, procedures, organizational structures and software and hardware functions. To meet its specific security and business objectives, the organization should define, implement, monitor, review and improve these controls where necessary."
upvoted 4 times
[Removed]
2 years, 3 months ago
Selected Answer: D
D is the right answer.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other