ISC2 Governance, Risk and Compliance (CGRC) Practice Question

FIPS 199 assigns three potential impact levels-low, moderate, and high-based on the expected adverse effect of a loss of confidentiality, integrity, or availability. The standard requires that the system's overall security categorization be set to the highest impact level identified among the three objectives (the so-called high-water mark). In this scenario, availability (and arguably integrity of services) is rated as causing serious, but not catastrophic, adverse effects-language that maps to the Moderate impact definition in FIPS 199. Because confidentiality and integrity are only limited (Low), the highest rating is Moderate, so the overall impact level for the system is Moderate. Options citing Low are incorrect because they ignore the serious operational and financial consequences identified. A High rating would be appropriate only if the effects were expected to be catastrophic or cause loss of life, which is not indicated here.