Finals 2 Flashcards

1
Q

This is responsible for ensuring that the IAP is developed and implemented in accordance with regulatory and business requirements; allocates resources and fosters commitment to the IAP

A

Chief Executive Officer (CEO)

2
Q

This is responsible for the execution of the overall IT program and delegates authority to the CISO for the management of the IAP

A

Chief Information Officer (CIO)

3
Q

This is the focal point for IT management and governance of IT portfolios

A

Chief Information Officer (CIO)

4
Q

Responsibilities of a Chief Information Officer (CIO)

A
  1. Ensuring that information security management processes are integrated with strategic and operational planning processes.
  2. Ensuring that sufficient trained personnel are available to assist in complying with the information assurance requirements in related legislation, policies, directives, instructions, standards, and guidelines.
  3. Coordinating with senior management to report annually to the head of the federal agency on the overall effectiveness of the IAP, including the progress of remedial actions.

5
Q

This carries out the CIO’s security and privacy responsibilities under FISMA and is responsible for managing the IAP

A

Chief Information Security Officer (CISO)

6
Q

Characteristics of a Chief Information Security Officer (CISO)

A
  1. Possesses the professional qualifications, including training and experience, required to administer the IAP functions.
  2. Maintains information assurance duties as a primary responsibility.
  3. Heads an office with the mission and resources to assist the organization in achieving more secure information and information systems in accordance with FISMA and Privacy Act requirements.

7
Q

What does FISMA stand for?

A

Federal Information Security Management Act

8
Q

Responsibilities of the CISO

A
  1. Develop an organization-wide IAP that provides adequate security for all information systems.
  2. Provide centralized reporting of information security-related activities.
  3. Develop and maintain information security and privacy policies.
  4. Define specific security requirements, tools, templates, and checklists to support the IAP.
  5. Ensure that personnel with significant system security responsibilities are trained.
  6. Assist senior management concerning security responsibilities.
  7. Ensure implementation of the information privacy and security protections required by the Privacy Act, FISMA, and memoranda.
  8. Monitor security incidents and provide assistance when required.
  9. Manage Office of Information Technology (OIT) audits and program reviews; support Office of the Inspector General (OIG) investigations.
  10. Report to the CIO and other senior management on the effectiveness of the IAP, and develop and submit the annual FISMA report.

9
Q

This is appointed by the CEO and is granted the authority to formally assume responsibility for operating an information system at an acceptable level of risk

A

Authorizing Official

10
Q

True or false: The AO has budgetary oversight for an information system and is responsible for the mission/business operations supported by the system

A

True

11
Q

They approve system security plans (SSPs), memorandums of agreement or understanding (MOA/MOU), and plans of action and milestones (POA&Ms).

A

Authorizing Official

12
Q

True or false: AOs can deny authorization to operate an information system if unacceptable risks exist

A

True

13
Q

True or False: It is possible that a particular information system may involve multiple AOs

A

True

14
Q

Responsibilities of the AO

A
  1. Ensuring that the security posture of the Agency’s information systems is maintained.
  2. Reviewing security status reports and security documents and determining whether the risk to the Agency of operating the system remains acceptable.
  3. Reauthorizing information systems when required.
  4. Assisting in the response to security incidents and privacy breaches.
  5. Appointing, when required, a designated representative to coordinate and carry out system security responsibilities.

15
Q

Appointed by the CEO, this serves as the focal point for the information system and is the central point of contact during the security authorization process

A

Information System Owner (ISO)

16
Q

Responsibilities of the ISO

A
  1. Coordinating data protection requirements with the Information Owners (IOs) whose information is stored and processed in the system.
  2. Deciding, in coordination with the IO and the Information System Security Officer (ISSO), who has access to the system, and determining access privileges and rights to the system.
  3. Ensuring that system users and support personnel receive the required security training.
  4. Ensuring that the system is compliant with the required security controls.
  5. Appointing an ISSO for the information system to carry out the day-to-day security responsibilities.
  6. Reviewing system security documents.
  7. Ensuring that system-specific security training is provided to the users and administrators of the system.
  8. Ensuring that remediation activities for the system are performed as needed to maintain the authorization status.
  9. Appointing an Information System Security Manager (ISSM) to coordinate system security tasks and provide oversight to ensure that security activities are performed.

17
Q

This is an official with regulatory, management, or operational authority for specified information and is responsible for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal.

A

Information Owner

18
Q

Responsibilities of Information Owner (IO)

A
  • Providing input to ISOs regarding the security requirements and controls for the systems where the information is processed, stored, or transmitted.
  • Retaining information in accordance with the National Archives and Records Administration (NARA) records schedule.
  • Categorizing the sensitivity level of the information stored and processed in the system.
  • Establishing rules for appropriate use and protection of the information.
  • Coordinating with the ISO when security requirements change.
  • Assisting in the response to security incidents.
  • Ensuring that the PII inventory is updated.

19
Q

Appointed by the ISO and works closely with the ISO or ISSM to ensure that the appropriate security posture is maintained for the information system

A

Information System Security Officer

20
Q

True or False: The Information System Security Officer (ISSO) serves as a principal advisor on all the security-related issues of an information system

A

True

21
Q

This supports activities at the system level and includes physical and environmental protection, personnel security, incident handling, and security training and awareness

A

Information System Security Officer (ISSO)

22
Q

Responsibilities of the Information System Security Officer (ISSO)

A
  • Ensuring system compliance with security policies and procedures.
  • Managing and controlling changes to the system.
  • Assessing the security impact of any changes.
  • Monitoring the system and its environment.
  • Developing and updating the SSP.
  • Coordinating with and supporting the ISO in security responsibilities.
  • Preparing or overseeing the preparation of system security documents and security activities.
  • Developing security policies and procedures that are consistent with IA policies.
  • Performing or overseeing remediation activities to maintain the authorization status.
  • Assisting the ISO in assembling the security authorization package for submission to the AO.
  • Assisting in the investigation of security incidents.

23
Q

This serves as the primary liaison for the CISO to individuals with security and privacy responsibilities and supports activities at the IAP level

A

Information Assurance Manager (IAM)

24
Q

Responsibilities of the Information Assurance Manager (IAM)

A
  • Monitoring compliance with Federal requirements and IA policies.
  • Providing guidance on the implementation of IA policies.
  • Providing security and privacy training.
  • Investigating system security and privacy incidents.
  • Providing support for audits and reviews.
  • Managing the vulnerability management program.

25
Q

This coordinates system security tasks and provides oversight to ensure that security activities are performed, and serves as the liaison between the Information System Security Officer (ISSO) and the Information System Owner (ISO)

The ISSO (contractor) coordinates directly with the ____ for all system security-related issues

A

Information System Security Manager (ISSM)

26
Q

Responsibilities of the Information System Security Manager (ISSM)

A

* Providing oversight of system security activities performed by the ISSO.
* Acting as the liaison between the IAM and the ISSO.
* Monitoring system compliance with Information Assurance policies and federal guidance.

27
Q

This is nominated by the Agency and assists the Contracting Officer (CO) by:

* Acting as a technical liaison between the CO and the contractor.
* Providing technical assistance.
* Performing onboarding and offboarding activities for the contractors assigned to the contract.
* Ensuring that contractors have the proper background investigations before accessing information or systems.
* Ensuring that contractors properly maintain information and information systems in accordance with the IAP.

A

Contracting Officer’s Representative (COR)

28
Q

This conducts assessments of the security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system).

A

Security Assessment Team

29
Q

Responsibilities of a Security Assessment Team (SAT)

A
  • Developing a security assessment plan for each subset of security controls that will be assessed.
  • Submitting the security assessment plan for approval prior to conducting the assessment.
  • Conducting the assessment of security controls as defined in the security assessment plan.
  • Providing an assessment of the severity of weaknesses or deficiencies discovered in the information system.
  • Recommending corrective actions to address identified vulnerabilities.
  • Preparing the final security assessment report containing the results and findings from the assessment.

30
Q

This stipulates the constraints and practices that an employee using organizational IT assets must agree to in order to access the corporate network or the internet

A

Acceptable Use Policy (AUP)

31
Q

True or False: An Acceptable Use Policy (AUP) is a standard onboarding policy for new employees. They are given an AUP to read and sign before being granted a network ID. An example of this can be found at SANS

A

True

32
Q

This outlines the access available to employees with regard to an organization’s data and information systems. An example of this policy is available at IAPP

A

Access Control Policy (ACP)

33
Q

Topics included in Access Control Policy

A

NIST’s Access Control, Implementation Guides, standards for user access, network access controls, operating system software controls, and the complexity of corporate passwords.

34
Q

This refers to a formal process for making changes to IT, software development, and security services/operations. The goal of this is to increase the awareness and understanding of proposed changes across an organization, and to ensure that all changes are conducted methodically. A good example of this is at SANS

A

Change Management Policy

35
Q

High-level policies that can never cover a large number of security controls. This is issued by the company to ensure that all employees who use information technology assets within the breadth of the organization comply with its stated rules and guidelines. This is designed for employees to hold them accountable with regard to the sensitivity of the corporate information and IT assets

A

Information Security Policy

36
Q

This is an organized approach to how the company will manage an incident and remediate the impact to operations. The goal of this policy is to describe the process of handling an incident with respect to limiting the damage to business operations and customers, and reducing recovery time and costs

A

Incident Response (IR) Policy

37
Q

This is a document which outlines and defines acceptable methods of remotely connecting to an organization’s internal networks. This is a requirement for organizations with dispersed networks (i.e., local coffee house or unmanaged home networks). An example of this is available at SANS

A

Remote Access Policy

38
Q

A document that is used to formally outline how employees can use the business’ chosen electronic communication (email, blogs, social media, and chat technologies). The primary goal of this policy is to provide guidelines on what is considered acceptable and unacceptable use of any corporate communication technology. An example is available at SANS

A

Email/Communication Policy

39
Q

This includes both cybersecurity and IT teams’ input and will be developed as part of the larger business continuity plan. An example of this is available at SANS

A

Disaster recovery policy

40
Q

This will coordinate efforts across the organization and will use the disaster recovery plan to restore hardware, applications, and data deemed essential

A

Business Continuity Plan (BCP)

41
Q

Everything related to IT security and the security of related physical assets

A

Information Assurance Policy

42
Q

Purpose of Information Assurance Policy

A
  • Create an overall approach to information security.
  • Detect and preempt information security breaches such as misuse of networks, data, applications, and computer systems.
  • Maintain the reputation of the organization, and uphold ethical and legal responsibilities.
  • Respect customer rights, including how to react to inquiries and complaints about non-compliance.

43
Q

You may also specify which audiences are out of the scope of the information assurance policy (for example, staff in another business unit which manages security separately may not be in the scope of the policy).

A

Audience of Information Assurance Policy

44
Q

Three main objectives of information assurance

A

Confidentiality, Integrity, Availability

45
Q

Only individuals with authorization can and should access data and information assets

A

Confidentiality

46
Q

Data should be intact, accurate and complete, and IT systems must be kept operational

A

Integrity

47
Q

Users should be able to access information or systems when needed

A

Availability

48
Q

Which authority and access control policy pattern is this?

A senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager versus a junior employee. The policy should outline the level of authority over data and IT systems for each organizational role.

A

Hierarchical pattern

49
Q

Users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens

A

Network Security Policy

50
Q

The policy should classify data into categories, which may include “top secret,” “secret,” “confidential,” and “public”

A

Data classification

51
Q

What are the objectives of data classification

A
  • To ensure that sensitive data cannot be accessed by individuals with lower clearance levels.
  • To protect highly important data, and avoid needless security measures for unimportant data.

52
Q

What are the different areas of data support and operations?

A

Data protection regulations, Data backup, Movement of Data

53
Q

Systems that store personal data or other sensitive data must be protected according to organizational standards, best practices, industry compliance standards, and relevant regulations (Encryption, Firewall, Anti-Malware Protection)

A

Data protection regulations

54
Q

Encrypt data backup according to industry best practices. Securely store backup media, or move backup to secure cloud storage

A

Data backup

55
Q

Only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted across a public network.

A

Movement of data

56
Q

Share IT security policies with staff. Conduct training sessions to inform employees of security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification

A

Security awareness and behavior

57
Q

Examples of security awareness and behavior

A

Social Engineering, Clean Desk Policy, Acceptable Internet Usage Policy

58
Q

Place special emphasis on the dangers of social engineering attacks (such as phishing emails). Make employees responsible for noticing, preventing and reporting such attacks

A

Social Engineering

59
Q

Secure laptops with a cable lock. Shred documents that are no longer needed. Keep printer areas clean so documents do not fall into the wrong hands

A

Clean desk policy

60
Q

Define how the internet should be restricted. Block unwanted websites using a proxy

A

Acceptable Internet Usage Policy

61
Q

Appoint staff to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy

A

Responsibilities, rights, and duties of personnel

62
Q

What are the 9 best practices for drafting information security policies

A
  1. Information and Data Classification
  2. IT operations and Administration
  3. Security Incident Response Plan
  4. SaaS and cloud policy
  5. Acceptable use Policies (AUPs)
  6. Identity and Access Management (IAM)
  7. Data Security Policy
  8. Privacy Regulations
  9. Personal and Mobile Devices
63
Q

Can make or break a security program. Poor information and data classification may leave a system open to attacks. Inefficient management of resources might incur expenses. A clear classification policy helps organizations take control of the distribution of their security assets

A

Information and Data Classification

64
Q

Should work together to meet compliance and security requirements. Lack of cooperation may lead to configuration errors. Teams that work together can coordinate risk assessment and identification through all departments to reduce risks

A

IT operations and administration

65
Q

Helps initiate appropriate remediation actions during security incidents. A security incident strategy provides a guideline, which includes initial threat response, priorities identification, and appropriate fixes

A

Security incident response plan

66
Q

Provides the organization with clear cloud and SaaS adoption guidelines, which can provide the foundation for a unified cloud ecosystem. This policy can help mitigate ineffective complications and poor use of cloud resources

A

SaaS and cloud policy

67
Q

Helps prevent data breaches that occur through misuse of company resources. Transparent AUPs help keep all personnel in line with the proper use of company technology resources

A

Acceptable Use Policies

68
Q

Let IT admins authorize systems and applications to the right individuals and let employees know how to use and create passwords in a secure way. A simple password policy can reduce identity and access risks.

A

Identity and Access Management (IAM) regulations

69
Q

Outlines the technical operations of the organization and acceptable use standards in accordance with Payment Card Industry Data Security Standard (PCI DSS) compliance

A

Data Security Policy

70
Q

Government-enforced regulations such as the General Data Protection Regulation (GDPR) protect the privacy of end users. Organizations that don’t protect the privacy of their users risk losing their authority and may be fined.

A

Privacy regulations

71
Q

Companies that encourage employees to access company software assets from any location risk introducing vulnerabilities through personal devices such as laptops and smartphones. Creating a policy for the proper security of personal devices can help prevent exposure to threats via employee-owned assets

A

Personal and mobile devices
