Chapter 4

Question 1

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

Answer 1

Authorization to Operate (ATO)

Question 2

Types include quantitative, qualitative, or semi-quantitative.

Answer 2

Assessment Approach

Question 3

Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.

Answer 3

Assessment Findings

Question 4

One of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.

Answer 4

Assessment Method

Question 5

The item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.

Answer 5

Assessment Object

Question 6

A set of determination statements that expresses the desired outcome for the assessment of a security control or control enhancement.

Answer 6

Assessment Objective

Question 7

A set of assessment objectives and an associated set of assessment methods and assessment objects.

Answer 7

Assessment Procedure

Question 8

Grounds for justified confidence that a claim has been or will be achieved.

Answer 8

Assurance

Question 9

A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.

Answer 9

Assurance Case

Question 10

Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.

Answer 10

Audit

Question 11

Access privileges granted to a user, program, or process or the act of granting those privileges.

Answer 11

Authorization

Question 12

All components of an information system to be authorized for operation by an authorizing official; excluding separately authorized systems to which the information system is connected.

Answer 12

Authorization Boundary

Question 13

A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation.

Answer 13

Authorization Official

Question 14

A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object.

Answer 14

Black Box Testing

Question 15

The set of data that documents the information system’s adherence to the security controls applied.

Answer 15

Body of Evidence

Question 16

The totality of evidence used to substantiate trust, trustworthiness, and risk relative to the system.

Answer 16

Body of Evidence

Question 17

The act of reverse-engineering the malicious program to understand the code that implements the software behavior.

Answer 17

Code Analysis

Question 18

Attempts to recreate the original source code of the program.

Answer 18

Disassembler

Question 19

Allows the analyst to step through the code, interacting with it, and observing the effects of its instructions to understand its purpose.

Answer 19

Debugger

Question 20

The technical basis for an international agreement which ensures that products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance.

Answer 20

Common Criteria

Question 21

An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method.

Answer 21

Depth

Question 22

A type of assessment method that is characterized by the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence, the results of which are used to support the determination of security control effectiveness over time.

Answer 22

Examine

Question 23

A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object; known as gray box testing.

Answer 23

Focused Testing

Question 24

Segment of quality assurance testing in which advertised security mechanisms of an information system are tested against a specification.

Answer 24

Function Testing

Question 25

A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object; known as focused testing.

Answer 25

Grey Box Testing

Question 26

A comprehensive review, analysis, and test (software and/or hardware) performed by an objective third party to confirm that the requirements are correctly defined, and to confirm that the system correctly implements the required functionality and security requirements.

Answer 26

Independent Verification and Validation

Question 27

A type of assessment method that is characterized by the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence, the results of which are used to support the determination of security control effectiveness over time.

Answer 27

Interview

Question 28

A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.

Answer 28

Penetration Testing

Question 29

The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Answer 29

Security Control Assessment

Question 30

The individual, group, or organization responsible for conducting a security control assessment.

Answer 30

Security Control Assessor

Question 31

The individual, group, or organization responsible for conducting an assessment.

Answer 31

Assessor

Question 32

The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.

Answer 32

Security Impact Analysis

Question 33

Any change to a system’s configuration, environment, information content, functionality, or users that has the potential to change the risk imposed upon its continued operations.

Answer 33

Security-relevant Change

Question 34

An implementation-dependent statement of security needs for a specific identified target of evaluation.

Answer 34

Security Target

Question 35

Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.

Answer 35

Security Test and Evaluation

Question 36

In accordance with Common Criteria, an information system, part of a system or product, and all associated documentation, which is the subject of a security evaluation.

Answer 36

Target of Evaluation

Question 37

An official authorization decision to employ identical copies of an information system or subsystem―including hardware, software, firmware, and/or applications―in specified environments of operation.

Answer 37

Type Authorization

Question 38

The certification acceptance of replica information systems based on the comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards, made as part of and in support of the formal approval process, to establish the extent to which a particular design and implementation meet a specified set of security requirements.

Answer 38

Type Certification

Question 39

Confirmation through the provision of strong, sound, objective evidence that requirements for a specific intended use or application have been fulfilled.

Answer 39

Validation

Question 40

The group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of their enterprise’s use of information systems.

Answer 40

White Team

Question 41

Can refer to a small group of people who have prior knowledge of unannounced Red Team activities.

Answer 41

White Team

Question 42

Acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender’s mission.

Answer 42

White Team

Question 43

Helps to establish the rules of engagement, the metrics for assessing results and the procedures for providing operational security for the engagement.

Answer 43

White Team

Question 44

Has responsibility for deriving lessons learned, conducting the post-engagement assessment, and promulgating results.

Answer 44

White Team

Question 45

The intended results or indicator that the system is functioning correctly.

Answer 45

Criteria for Passing a Control or Requirement

Question 46

Consists of the security plan, a plan of action and milestones, and a security assessment report.

Answer 46

Authorization Package

Question 47

Provide guidance on how to securely configure common information technology items.

Answer 47

Security Technical Implementation Guides (STIGs)

Question 48

Verifies system and sub-system level performance.

Answer 48

Integration Testing

Question 49

Objective is to acquire, integrate, configure, test, document, and train.

Answer 49

Implement System SE Activity