Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system.
Click on the arrows to vote for the correct answer
A. B. C. D.B.
The correct answer to the question is C. FIPS.
FIPS (Federal Information Processing Standards) is a set of standards developed by the National Institute of Standards and Technology (NIST) in the United States. The FIPS standards are designed to establish uniform requirements for information technology resources that are used by the federal government.
FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, sets out the basic requirements for assessing the effectiveness of computer security controls built into a computer system. The document provides a standardized approach to security categorization, security control selection, implementation, and assessment.
FIPS Publication 200 is used in conjunction with NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which provides a catalog of security controls for federal information systems and organizations. Together, these publications establish a comprehensive framework for managing and securing federal information systems.
The other answer options are not related to basic requirements for assessing the effectiveness of computer security controls built into a computer system:
A. SSAA (System Security Authorization Agreement) is a document that outlines the security requirements and controls for a system, and provides the basis for a formal security authorization decision.
B. TCSEC (Trusted Computer System Evaluation Criteria), also known as the Orange Book, was a standard used to evaluate the security of computer systems, but it has been superseded by newer standards.
D. FITSAF (Federal Information Technology Security Assessment Framework) is a framework for assessing and managing the security of federal information technology systems. However, it does not set basic requirements for assessing the effectiveness of computer security controls built into a computer system.