Ch. 1 - Prepare Flashcards

1
Q

Definition

Security protection commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity and availability protections through the application of cost-effective security controls.

A. Security Category
B. Information Security
C. Adequate Security
D. Security Controls

A

C. Adequate Security

2
Q

Definition

The process an organization employs to assign security or privacy requirements to an information system or its environment of operation; or to assign controls to specific system elements responsible for providing a security or privacy capability (Ex: router, server, remote sensor).

A. Allocation
B. Authorization Boundary
C. Organization
D. Confidentiality

A

A. Allocation

3
Q

Definition

The individual, group or organization responsible for conducting a security or privacy assessment.

A. Adequate Security
B. Assessor
C. Confidentiality
D. Privacy Architect

A

B. Assessor

4
Q

Definition

System and subsystem components that must be protected, including but not limited to: all hardware, software, data, personnel, supporting physical environment and environmental systems, administrative support and supplies.

A. Authorization Boundary
B. Asset
C. Enterprise
D. Risk

A

B. Asset

5
Q

All components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected.

A. Authorization Boundary
B. System Component
C. Authorizing Official (AO)
D. System Boundary

A

A. Authorization Boundary

6
Q

A senior federal official or executive with the authority to authorize (assume responsibility for) the operation of an information system or the use of a designated set of common controls at an acceptable level of risk to agency operations (including mission, functions, image or reputation), agency assets, individuals, other organizations and the nation.

A. Authorizing Official
B. Organization
C. Risk Executive (Function)
D. Authorizing Official Designated Representative (AO DR)

A

A. Authorizing Official (AO)

7
Q

An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with the authorization process.

A. Authorizing Official (AO)
B. Authorizing Official Designated Representative (AO DR)
C. System Boundary
D. Either the AO or the AO DR

A

A. Authorizing Official Designated Representative (AO DR)

8
Q

Definition

A combination of mutually reinforcing controls implemented by technical means, physical means and procedural means. Such controls are typically selected to achieve a common information security or privacy purpose.

A. Vulnerability
B. Capability
C. Integrity
D. Availability

A

B. Capability

9
Q

The senior official that provides advice and other assistance to the head of the agency and other senior management personnel of the agency to ensure that IT is acquired and information resources are managed for the agency in a manner that achieves the agency’s strategic goals and information resources management goals; and is responsible for ensuring agency compliance with, and prompt, efficient, and effective implementation of, the information policies and information resources management responsibilities including the reduction of information collection burdens on the public.

A. Senior Agency Official for Privacy
B. Authorizing Official (AO)
C. Project Manager
D. Chief Information Officer (CIO)

A

D. Chief Information Officer (CIO)

10
Q

Definition

A software program hosted by an information system.

A. Application
B. Information
C. Enterprise
D. Organization

A

A. Application

11
Q

Definition

Ensuring timely and reliable access to and use of information.

A. Confidentiality
B. Integrity
C. Assessor
D. Availability

A

D. Availability

12
Q

See Senior Agency Information Security Officer.

A. System Boundary
B. Chief Information Security Officer (CISO)
C. Designated Approval Authority (DAA)
D. Senior Agency Official for Privacy

A

B. Chief Information Security Officer (CISO)

13
Q

A security or privacy control that is inherited by multiple information systems or programs.

A. Continuous Monitoring
B. Common Control (CC)
C. Information Owner or Steward
D. Residual Risk

A

B. Common Control (CC)

14
Q

An organizational official responsible for the development, implementation, assessment and monitoring of common controls (i.e., controls inheritable by organizational systems).

A. Information Owner
B. Control Assessor
C. Risk Executive (Function)
D. Common Control Provider (CCP)

A

D. Common Control Provider (CCP)

15
Q

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

A. Confidentiality
B. Allocation
C. Availability
D. Integrity

A

A. Confidentiality

16
Q

Maintaining ongoing awareness to support organizational risk decisions.

A. Risk Mitigation
B. Continuous Monitoring
C. Residual Risk
D. Security Certification

A

B. Continuous Monitoring

17
Q

A program established to collect information in accordance with preestablished metrics, utilizing information readily available in part through implemented security controls. Note: Privacy and security continuous monitoring strategies and programs can be the same or different strategies and programs.

A. Privacy Requirement
B. Information Life Cycle
C. Continuous Monitoring Program
D. Privacy Plan

A

C. Continuous Monitoring Program

18
Q

An organizational official responsible for the development, implementation, assessment and monitoring of common controls (i.e., controls inheritable by organizational systems).

A. Risk Executive (Function)
B. Common Control Provider (CCP)
C. Information Owner
D. Control Assessor

A

B. Common Control Provider (CCP)

19
Q

See security control and privacy control.

A. Vulnerability
B. Integrity
C. Security Objective
D. Control

A

D. Control

20
Q

The individual, group or organization responsible for conducting a control assessment. See assessor.

A. System Security Officer
B. Privacy Control
C. Control Assessor
D. Security Risk

A

C. Control Assessor

21
Q

An organization with a defined mission/goal and a defined boundary, using systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, human resources, financial management, security, as well as systems, information and mission management. See organization.

A. Management Information
B. Organization
C. Application
D. Enterprise

A

D. Enterprise

22
Q

A strategic information asset base, which defines the mission; the information necessary to perform the mission; the technologies necessary to perform the mission; and the transitional processes for implementing new technologies in response to changing mission needs; and includes a baseline architecture; a target architecture; and a sequencing plan.

A. Information Security Architecture
B. Allocation
C. Enterprise Architecture
D. Security Requirement

A

C. Enterprise Architecture

23
Q

The physical surroundings in which an information system processes, stores and transmits information.

A. Environment of Operation
B. Enterprise Architecture
C. Information
D. Security Controls

A

A. Environment of Operation

24
Q

A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented and market-based.

A. System Boundary
B. Federal Information System
C. Federal Enterprise Architecture (FEA)
D. The Open Group Architecture Framework (TOGAF)

A

C. Federal Enterprise Architecture (FEA)

25
Q

An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

A. Federal Information System
B. System Component
C. Information Owner
D. Information Security Management System (ISMS)

A

A. Federal Information System

26
Q

With respect to security, the effect on organizational operations, organizational assets, individuals, other organizations or the nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or a system. With respect to privacy, the adverse effects that individuals could experience when an information system processes their PII.

A. Threat
B. Vulnerability
C. Impact
D. Risk

A

C. Impact

27
Q

Any communication or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic or audiovisual forms.

A. Application
B. Information
C. Organization
D. Control

A

B. Information

28
Q

The stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage and disposition, to include destruction and deletion. “Life cycle” typically appears as two words in NIST publications, but as one word in ISO standards.

A. Impact Assessment
B. Information Steward
C. Information Life Cycle
D. Term of Agreement

A

C. Information Life Cycle

29
Q

Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination and disposal.

A. Information Owner
B. Authorizing Official (AO)
C. Confidentiality
D. Senior Agency Official for Privacy

A

A. Information Owner

30
Q

See Information Owner and Information Steward.

A. Information Owner or Steward
B. Information Security
C. Mission or Business Owner
D. Security or Privacy Architect

A

A. Information Owner or Steward

31
Q

The protection of information and systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.

A. Adequate Security
B. Security Controls
C. Information Security
D. Risk Management

A

C. Information Security

32
Q

An embedded, integral part of the enterprise architecture that describes the structure and behavior of the enterprise security processes, security systems, personnel and organizational subunits, showing their alignment with the enterprise’s mission and strategic plans. See security architecture.

A. Integrity
B. Information Type
C. Information Security Architecture
D. Privacy Architecture

A

C. Information Security Architecture

33
Q

Compilation of processes and management structure that preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

A. System Development Life Cycle (SDLC)
B. Cyber Security Framework (CSF)
C. Security Architecture
D. Information Security Management System (ISMS)

A

D. Information Security Management System (ISMS)

The ISO 27001 standard defines the components of the ISMS.

34
Q

The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations and the nation due to the potential for unauthorized access, use, disclosure, disruption, modification or destruction of information and/or systems.

A. Privacy Risk
B. Threat
C. Risk Management
D. Information Security Risk

A

D. Information Security Risk

35
Q

An agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination and disposal.

A. Information Steward
B. Privacy Control
C. Data Steward
D. Information Security Architecture

A

A. Information Steward

36
Q

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.

A. Application
B. System Component
C. Organization
D. Information System

A

D. Information System

37
Q

Any services, equipment, or interconnected system(s) or subsystem(s) of equipment that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information by the agency. For purposes of this definition, such services or equipment are used by the agency if used by the agency directly or by a contractor under a contract with the agency that requires their use, or their use to a significant extent in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment (including imaging peripherals, input, output and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service) and related resources. Information technology does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use.

A. Running your application at your site
B. Information Technology (IT)
C. Information Systems (IS)
D. Payroll

A

B. Information Technology (IT)

38
Q

A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management) defined by an organization or in some instances, by a specific law, executive order, directive, policy or regulation.

A. Categorization
B. Information Type
C. Capability
D. Confidentiality

A

B. Information Type

39
Q

Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

A. Information Security
B. Confidentiality
C. Availability
D. Integrity

A

D. Integrity

40
Q

An entity of any size, complexity, or positioning within an organizational structure (e.g., federal agencies, private enterprises, academic institutions, state, local, or tribal governments or, as appropriate, any of their operational elements).

A. Enterprise
B. Information
C. Organization
D. Application

A

C. Organization

41
Q

Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

A. General Data Protection Regulation (GDPR)
B. Personally Identifiable Information (PII)
C. Social Security Number (SSN)
D. Identification

A

B. Personally Identifiable Information (PII)

42
Q

Individual, group or organization responsible for ensuring that the system privacy requirements necessary to protect individuals’ privacy are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and information systems processing PII.

A. Control Assessor
B. Privacy Architect
C. System Privacy Officer
D. Security Architect

A

B. Privacy Architect

43
Q

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s privacy protection processes, technical measures, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.

A. Privacy Architecture
B. Privacy Requirement
C. Security Architecture
D. Information Security Architecture

A

A. Privacy Architecture

44
Q

The administrative, technical, and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and manage privacy risks. Note: Controls can be selected to achieve multiple objectives; those controls that are selected to achieve both security and privacy objectives require a degree of collaboration between the organization’s information security program and privacy program.

A. Privacy Requirement
B. Privacy Control
C. Safety Control
D. Security Controls

A

B. Privacy Control

45
Q

Information that describes the privacy posture of an information system or organization.

A. Sensitive Information
B. Privacy Requirement
C. Security Objective
D. Privacy Information

A

D. Privacy Information

46
Q

A formal document that details the privacy controls selected for an information system or environment of operation that are in place or planned, to meet applicable privacy requirements and manage privacy risks, details how the controls have been implemented, and describes the methodologies and metrics that will be used to assess the controls.

A. Privacy Plan
B. Disaster-Recovery Plan
C. Privacy Requirement
D. Security Plan

A

A. Privacy Plan

47
Q

A requirement that applies to an information system or an organization that is derived from applicable laws, executive orders, directives, policies, standards, regulations, procedures and/or mission/business needs with respect to privacy. Note: The term privacy requirement can be used in a variety of contexts from high-level policy activities to low-level implementation activities in system development and engineering disciplines.

A. Privacy Control
B. Privacy Requirement
C. Privacy Architecture
D. Security Requirement

A

B. Privacy Requirement

48
Q

Risk to an individual or individuals associated with the agency’s creation, collection, use, processing, storage, maintenance, dissemination, disclosure and disposal of their PII. See risk.

A. Residual Risk
B. Privacy Risk
C. Security Risk
D. Integrity Risk

A

B. Privacy Risk

49
Q

Portion of risk remaining after security measures have been applied.

A. Vulnerability
B. Risk Assessment
C. Inherent Risk
D. Residual Risk

A

D. Residual Risk

50
Q

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

A. Asset
B. Threat
C. Risk
D. Vulnerability

A

C. Risk

51
Q

The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations and the nation, resulting from the operation of a system.

A. Risk Assessment
B. Risk Analysis
C. Residual Risk
D. Risk Response

A

A. Risk Assessment

52
Q

An individual or group within an organization, led by the senior accountable official for risk management, that helps to ensure that security risk considerations for individual systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and managing risk from individual systems is consistent across the organization, reflects organizational risk tolerance and is considered along with other organizational risks affecting mission/business success.

A. Common Control Provider (CCP)
B. Risk Executive (Function)
C. Systems Security or Privacy Engineer
D. System Development Life Cycle (SDLC)

A

B. Risk Executive (Function)

53
Q

The program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations and the nation, and includes establishing the context for risk-related activities; assessing risk; responding to risk once determined; and monitoring risk over time.

A. Information Owner
B. Risk Management
C. Risk Analysis
D. Risk Control

A

B. Risk Management

54
Q

Prioritizing, evaluating and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

A. Security Requirement
B. Adequate Security
C. Risk Mitigation
D. Capability

A

C. Risk Mitigation

55
Q

Accepting, avoiding, mitigating, sharing or transferring risk to agency operations, agency assets, individuals, other organizations or the nation.

A. Risk Assessment
B. Security Requirement
C. Risk Response
D. Event Identification

A

C. Risk Response

56
Q

Individual, group or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes.

A. Security Requirement
B. Security Architect
C. Privacy Architect
D. Information System Security Engineer

A

B. Security Architect

57
Q

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans. See information security architecture.

A. Security Architecture
B. Risk Assessment
C. Security Requirement
D. Security Controls

A

A. Security Architecture

58
Q

The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information.

A. Adequate Security
B. Security Requirement
C. Information System
D. Security Controls

A

D. Security Controls

59
Q

Confidentiality, integrity or availability.

A. Privacy Information
B. Security Controls
C. Security Objective
D. Security Requirement

A

C. Security Objective

60
Q

A requirement levied on an information system or an organization that is derived from applicable laws, executive orders, directives, policies, standards, instructions, regulations, procedures and/or mission/business needs to ensure the confidentiality, integrity and availability of information that is being processed, stored or transmitted. Note: Security requirements can be used in a variety of contexts from high-level policy activities to low-level implementation activities in system development and engineering disciplines.

A. Operational Requirement
B. Security Objective
C. Adequate Security
D. Security Requirement

A

D. Security Requirement

61
Q

Risk that arises through the loss of confidentiality, integrity, or availability of information or systems, and that considers impacts to the organization (including assets, mission, functions, image or reputation), individuals, other organizations and the nation.

A. Privacy Risk
B. Impact
C. Security Risk
D. Vulnerability

A

C. Security Risk

62
Q

The senior official, designated by the head of each agency, who has vision into all areas of the organization, and is responsible for alignment of information security management processes with strategic, operational and budgetary planning processes.

A. Senior Agency Official for Privacy
B. Chief Information Officer
C. Information Steward
D. Senior Accountable Official for Risk Management

A

D. Senior Accountable Official for Risk Management

63
Q

Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners and information system security officers.

A. Senior Agency Information Security Officer
B. Authorizing Official Designated Representative
C. Security Objective
D. Senior Agency Official for Privacy

A

A. Senior Agency Information Security Officer

64
Q

The senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with federal laws, regulations and policies relating to privacy; management of privacy risks at the agency; and a central policymaking role in the agency’s development and evaluation of legislative, regulatory and other policy proposals.

A. Information Owner
B. Senior Agency Information Security Officer
C. Privacy Requirement
D. Senior Agency Official for Privacy

A

D. Senior Agency Official for Privacy

65
Q

Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions. See information system.
Note: Systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.
Combination of interacting elements organized to achieve one or more stated purposes.
Note 1: There are many types of systems. Examples include: general and special-purpose information systems; command, control and communication systems; crypto modules; central processing unit and graphics processor boards; industrial/process control systems; flight control systems; weapons, targeting and fire control systems; medical devices and treatment systems; financial, banking and merchandising transaction systems; and social networking systems.
Note 2: The interacting elements in the definition of system include hardware, software, data, humans, processes, facilities, materials and naturally occurring physical entities.
Note 3: System of systems is included in the definition of system.

A. System Element
B. Risk Executive (Function)
C. System Development Life Cycle (SDLC)
D. System

A

D. System

66
Q

See authorization boundary.

A. System Security Officer
B. System Boundary
C. Authorization Boundary
D. System Component

A

B. System Boundary

67
Q

A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software and firmware.

A. Common Criteria
B. Information System
C. Environment
D. System Component

A

D. System Component

68
Q

The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance and ultimately its disposal that instigates another system initiation.

A. System Development Life Cycle (SDLC)
B. System User
C. System Boundary
D. Information System

A

A. System Development Life Cycle (SDLC)

69
Q

Member of a set of elements that constitute a system.

A. System Security Officer
B. System Privacy Officer
C. System Element
D. System Boundary

A

C. System Element

Note 1: A system element can be a discrete component, product, service, subsystem, system, infrastructure or enterprise.
Note 2: Each element of the system is implemented to fulfill specified requirements.
Note 3: The recursive nature of the term allows the term system to apply equally when referring to a discrete component or to a large, complex, geographically distributed system-of-systems.
Note 4: System elements are implemented by: hardware, software and firmware that perform operations on data/information; physical structures, devices and components in the environment of operation; and the people, processes and procedures for operating, sustaining and supporting the system elements.
Note 5: System elements and information resources (as defined at 44 U.S.C. Sec. 3502 and in this document) are interchangeable terms as used in this document.

70
Q

Individual with assigned responsibility for maintaining the appropriate operational privacy posture for a system or program.

A. Systems Privacy Engineer
B. System Security Officer
C. System Privacy Officer
D. Senior Agency Official for Privacy

A

C. System Privacy Officer

71
Q

Individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program.

A. Systems Security Engineer
B. System Privacy Officer
C. System Security Officer
D. System Boundary

A

C. System Security Officer

72
Q

Individual, or (system) process acting on behalf of an individual, authorized to access a system.

A. Data Security Officer
B. System Component
C. Systems Analyst
D. System User

A

D. System User

73
Q

Individual assigned responsibility for conducting systems privacy engineering activities.

A. System Privacy Officer
B. Privacy Risk
C. Systems Privacy Engineer
D. Systems Security Engineer

A

C. Systems Privacy Engineer

74
Q

Individual assigned responsibility for conducting systems security engineering activities.

A. Control Assessor
B. System Security Officer
C. System Privacy Officer
D. Systems Security Engineer

A

D. Systems Security Engineer

75
Q

Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations or the nation through a system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.

A. Risk
B. Impact
C. Vulnerability
D. Threat

A

D. Threat

76
Q

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.

A. Impact
B. Vulnerability
C. Threat Event
D. Threat Source

A

D. Threat Source

77
Q

Weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.

A. Risk
B. Vulnerability
C. Availability
D. Assessor

A

B. Vulnerability

Note: The term weakness is synonymous with deficiency. Weakness may result in security and/or privacy risks.