Documents

Question 1

CNSSI 1253

Answer 1

Details what to do if you’re a National Security System (compared to FIPS 199); Gets rid of High-Water Mark

Question 2

E- Government Act of 2002

Answer 2

Improves the management and promotion of electronic government services and processes by establishing a Federal Chief Information Officer within OMB and by establishing a framework of measures for internet-based information technology

Established the requirement for a Privacy Impact Assessment (PIA) which is an analysis of how information is handled.

Question 3

Executive Order 13526

Answer 3

Relates to National Security information (along with EO 12958 and the Atomic Energy Act of 1954); Says you have to have a process for classified (though doesn’t spell out a process); how classified should be handled

Question 4

FISMA 2002

Answer 4

Spells out Information Systems: What is it? What is the framework? Definitions for Integrity, Confidentiality, Availability…

Question 5

FISMA 2014

Answer 5

Took FISMA 2002 and outlined who is responsible for what

Question 6

ICD 503

Answer 6

Intelligence Community’s way of doing things

Question 7

NIST FIPS 140-2

Answer 7

USG computer security standard used to approve cryptographic modules

Question 8

NIST FIPS 199

Answer 8

Details what to do if you’re NOT a National Security System (compared to CNSSI 1253); Confidentiality, Integrity, Availability (L, M, H)

Question 9

NIST FIPS 200

Answer 9

Addresses the specification of minimum security requirements for federal information and information systems.

Security Controls selection (along with NIST SP 800-53); Identifies 17 families of controls; Introduces the concept of the High-Water Mark and minimum-security requirements

Question 10

NIST FIPS 201-2

Answer 10

Specifies Personal Identity Verification (PIV) requirements for federal employees and contractors (i.e.: CAC)

Question 11

NIST SP 800-18

Answer 11

Old document; ignore outdated Roles and Responsibilities; Details making a system boundary and the approvals

Question 12

NIST SP 800-30

Answer 12

Provide guidance on conducting risk assessments of federal information systems

Question 13

NIST SP 800-34

Answer 13

General concepts of Business Continuity Management (BCM) and Disaster Recovery Planning (DRP) and integration with Incident Response Plans (IRP)

Question 14

NIST SP 800-37

Answer 14

Best info on the contents of the SP, SAR, POAM, etc…; Details the SAR and how to do it

Question 15

NIST SP 800-39

Answer 15

Looks at the whole process; Risk Management process: FARM (Frame, Assess, Respond, Monitor); Risk Assessment process: Prepare, Conduct, Communicating, Maintaining

Question 16

NIST SP 800-41

Answer 16

Overview of types of firewall technologies and recommendations on establishing policies for selecting, configuring, testing deploying and managing firewall solutions

Question 17

NIST SP 800-47

Answer 17

Important to know the level of the systems connecting (L, M, H) including any dynamic systems

Question 18

NIST SP 800-50

Answer 18

Building an Information Technology Security Awareness and Training Program

Awareness: What is it and how do you recognize it; Training is specific to what you need; Education is more in-depth

Question 19

NIST SP 800-53

Answer 19

Security Controls selection (along with FIPS 200); 17 Families of controls + PM Controls + 7 Privacy Controls; Only NIST document that is mandatory

Question 20

NIST SP 800-53A

Answer 20

Parallel to NIST SP 800-53, but for each control in 53, 53A lays out how to assess it

Question 21

NIST SP 800-55

Answer 21

Guidance on using metrics to ID the adequacy of in-place security controls, policies and procedures. Provide an approach to help management decide where to invest additional security protection resources and to ID and evaluate nonproductive controls.

Question 22

NIST SP 800-59

Answer 22

Defines the criteria for a National Security System; 6 criteria: intelligence activities, crypto, command and control of military forces, weapon/weapon system, military or intelligence missions, process classified?

Question 23

NIST SP 800-60

Answer 23

Information on properly assessing impact levels (L, M, H); Identify info type, Select provisional impact level, Review provisional impact level, Adjust provisional impact level, Assign system security category

Data Criticality and Data Sensitivity are ways to evaluate the security impact of an IS and are indicators of how impact level will be impacted.

Question 24

NIST SP 800-61

Answer 24

Guidelines on establishing an effective incident-response program; Preparation, Detection and Analysis, Containment Eradication & Recovery, Post-Incident Activity

Question 25

NIST SP 800-83

Answer 25

Talks about malware

Question 26

NIST SP 800-88

Answer 26

Media sanitation guide (clearing, purging, destruction, disposal)

Question 27

NIST SP 800-92

Answer 27

Practical guidance on developing, implementing and maintaining effective computer security log management practices throughout an enterprise

Question 28

NIST SP 800-115

Answer 28

Guidance and philosophy on assessment/testing; Guidelines on how to set up a test program (is it repeatable and can you test it)

Technical Guide to Information Security Testing and Assessment

Question 29

NIST SP 800-122

Answer 29

Talks about PII, what is it and what to do with it

Question 30

NIST SP 800-124

Answer 30

Talks about mobile devices, what is a mobile device and how do you protect it

Question 31

NIST SP 800-128

Answer 31

Relates to Configuration Management

Guide for Security Focused Configuration Management of Information Systems

Question 32

NIST SP 800-160

Answer 32

Engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical and human components that compose a system

Question 33

NIST SP 800-161

Answer 33

Guidance to federal agencies on identifying, assessing and mitigation supply chain risks at all levels of their organizations

Question 34

OMB Circular A-11

Answer 34

How to prepare a budget; Who, how, steps, assumptions, etc…

Question 35

OMB Circular A-108

Answer 35

Privacy Act; Keeping records; Agency responsibilities for implementing the review, reporting and publication requirements of the Privacy Act of 1974

Question 36

OMB Circular A-123

Answer 36

Be smart in how you spend money on controls; don’t spend more money on controls than the system is worth (with exceptions)

Question 37

OMB Circular A-130

Answer 37

Instructs to use security (Appendix I) and privacy (Appendix II) controls and how to verify; Mandates the need for Security and Privacy Controls Officers; Accounts for PII; Greater transparency and sharing; Continuous Monitoring Strategies for security and privacy controls

Question 38

Privacy Act 1974

Answer 38

Establishes a Code of Fair Information Practice that governs the collection, maintenance, use and dissemination of PII that is maintained in a system of records by federal agencies

Question 39

M-02-01

Answer 39

Memo relating to creating POAMs

Question 40

NIST SP 800-137

Answer 40

Continuous Monitoring for Federal Systems

Assist in the development of a continuous monitoring strategy, provide visibility into threats and vulnerabilities and visibility into the effectiveness of the security controls. Provides assurance that the security controls are in alignment with organizational risk tolerance.