Chapter 2

Question 1

Organisation-Wide Risk Management

Answer 1

Involve everyone in the organisation, from top leaders to regular employees.

Question 2

Multi-Level Risk Management Model

Answer 2

This model manages risks at three levels: organisation, mission/business process, and information system, ensuring that risks are addressed comprehensively.

Question 3

Level 1 and 2 Activities

Answer 3

These activities prepare the organisation for risk management by identifying roles, assets, threats, and risk assessments.

Question 4

Level 3 in Risk Management

Answer 4

Level 3 focuses on system-specific risks, guided by decisions at higher levels, and designates controls based on security/privacy requirements.

Question 5

Traceability of Controls

Answer 5

It ensures that security and privacy controls are linked to specific requirements throughout the system’s lifecycle.

Question 6

Consequences of Inadequate Organisational Preparation

Answer 6

Inadequate preparation can lead to costly and ineffective security measures, impacting the organisations efficiency and security.

Question 7

Risk Management Framework Steps (RMF)

Answer 7

RMF has seven steps, including preparation, categorisation, selection, implementation, assessment, authorisation, and monitoring.

Question 8

1. Prepare

Answer 8

Step 1 establishes priorities for security and privacy risk management.

Question 9

2. Categorise

Answer 9

In step 2, the impact of potential loss and system categorisation is analysed.

Question 10

3. Select

Answer 10

Step 3 involves selecting and tailoring controls based on a risk assessment.

Question 11

4. Implement

Answer 11

Step 4 is about putting selected controls into practice.

Question 12

5. Assess

Answer 12

Step 5 evaluates control implementation to ensure they meet requirements.

Question 13

6. Authorise

Answer 13

Step 6 grants system authorisation based on acceptable risk levels.

Question 14

7. Monitor

Answer 14

Step 7 involves continuous assessment of control effectiveness and reporting.

Question 15

Adaption of RMF Steps

Answer 15

RMF steps can be adjusted as needed, especially in agile development, where steps may need revisiting.

Question 16

Integration of Information Security and Privacy Programs

Answer 16

Information security and privacy programs work together to manage risks associated with personally identifiable information (PII) by selecting and monitoring controls.

Question 17

Privacy Controls vs Security Controls

Answer 17

Privacy controls focus on compliance and privacy risks, while security controls cover broader protection needs.

Question 18

Authorisation Boundaries

Answer 18

The authorisation boundary defines what the organisation commits to protect in an information system, involving people, processes, and technologies supporting the organisations mission.

Question 19

Systems and System Elements

Answer 19

Information systems consist of various elements, including technology, humans, physical components, and environmental factors, working together for specific goals.

Question 20

Authorisation Boundaries Review

Answer 20

The scope of the authorisation boundary is periodically reviewed as part of continuous monitoring, aligning with the organisations resources and flexibility.

Question 20

Interconnections in Systems

Answer 20

Systems’ interconnections enable them to interact and produce capabilities, operating within an influencing environment.

Question 20

External Systems

Answer 20

Other systems interact with the operational environment but may be outside the authorisation boundary, depending on context and organisational considerations.

Question 20

Enabling Systems

Answer 20

Enabling systems, although outside the authorisation boundary, may provide support during a system’s lifecycle by offering common controls or services.

Question 21

Establishing Authorisation Boundaries

Answer 21

Establishing meaningful authorisation boundaries involves coordinating with key participants, considering mission, business, security, privacy, and cost factors.

Question 21

Requirements and Controls Overview

Answer 21

Requirements signify protection needs, while controls outline safeguards. Requirements can be legal, policy-based, or from risk assessments, and controls are chosen and implemented to meet these needs.

Question 21

Categorising Requirements

Answer 21

Organisations may categorise requirements as capability, system, or statement of work requirements, depending on their role in the SDLC.

Question 21

Types of Controls

Answer 21

Controls cover technical, administrative, and physical aspects and are chosen and implemented to meet system requirements.

Question 21

Security and Privacy Posture Definition

Answer 21

The security and privacy posture reflects the organisations status in terms of resources and capabilities to protect information systems and comply with privacy requirements.

Question 21

Supply Chain Risk Management (SCRM)

Answer 21

Organisations increasingly rely on external providers for products and services, introducing significant risks. SCRM policies help address these supply chain risks.

Question 22

Responsibilities with External Providers

Answer 22

External providers handling federal information must meet security and privacy requirements equivalent to federal agencies, with the RMF serving as a tool for managing supply chain risk.

Question 22

Assurance in SCRM

Answer 22

Assurance in SCRM is based on contractual terms, evidence of control, effectiveness, and trust in the provider, and it determines the acceptability of risk from external providers.