Finals Lesson 2 Part 1 Flashcards

1
Q

This position is responsible for ensuring that the IAP is developed and implemented in accordance with regulatory and business requirements. The _____ plays a crucial role in allocating resources and fostering commitment to the IAP.

A

Chief Executive Officer (CEO)

2
Q

In support of the IAP, the ______ ensures that the CIO and CISO positions are filled and appoints an Authorizing Official (AO) and Information System Owner (ISO) for each information system.

A

Chief Executive Officer (CEO)

3
Q

The ______ is responsible for the execution of the overall IT program and delegates authority to the CISO for the management of the IAP.

A

Chief Information Officer (CIO)

4
Q

The ______ is the focal point for IT management and governance of IT portfolios and is responsible for:
* Ensuring information security management processes are integrated with strategic and operational planning processes.
* Ensuring trained personnel sufficient to assist in complying with the information assurance requirements in related legislation, policies, directives, instructions, standards, and guidelines.
* Coordinating with senior management to report annually to the head of the federal agency on the overall effectiveness of IAP, including progress of remedial actions.

A

Chief Information Officer (CIO)

5
Q

The ______ carries out the CIO’s security and privacy responsibilities under FISMA and is responsible for managing the IAP.

A

Chief Information Security Officer (CISO)

6
Q

The _______ must:

(i) possess professional qualifications, including training and experience, required to administer the IAP functions;
(ii) maintain information assurance duties as a primary responsibility; and
(iii) head an office with the mission and resources to assist the organization in achieving more secure information and information systems in accordance with FISMA (Federal Information Security Management Act) and Privacy Act requirements.

A

CISO

7
Q

The ______ is responsible for:

  • Developing an organization-wide IAP that provides adequate security for all information and information systems.
  • Centralized reporting of information security-related activities.
  • Developing and maintaining information security and privacy policies.
  • Defining specific security requirements, tools, templates, and checklists to support the IAP.
  • Ensuring that personnel with significant system security responsibilities are adequately trained.
A

CISO

8
Q

The ______ is responsible for:

  • Assisting senior management concerning their security responsibilities.
  • Ensuring the implementation of information privacy and security protections as required by the Privacy Act, FISMA, and memoranda.
  • Monitoring security incidents and providing assistance when required.
  • Managing the Office of Information and Technology (OIT) audits and program reviews and supporting Office of the Inspector General (OIG) investigations.
  • Reporting to the CIO and other senior management on the effectiveness of IAP and developing and submitting the annual FISMA report.
A

CISO

9
Q

The _______ is appointed by the CEO and is granted the authority to formally assume responsibility for operating an information system at an acceptable level of risk.

A

Authorizing Official (AO)

10
Q

The _____ has budgetary oversight for an information system and is responsible for the mission/business operations supported by the system. They approve systems security plans (SSPs), memorandums of agreement or understanding (MOA/MOU), and plans of action and milestones (POA&Ms).

A

Authorizing Official (AO)

11
Q

True or False:
AOs can deny authorization to operate an information system or, if the system is operational, halt operations if unacceptable risks exist. It is possible that a particular information system may involve multiple AOs. If so, agreements are established among the AOs and documented in the SSP.

A

True

12
Q

The ______ is responsible for:
* Ensuring the security posture of the Agency’s information systems is maintained.
* Reviewing security status reports and security documents and determining if the risk to the Agency of operating the system remains acceptable.
* Reauthorizing information systems when required.
* Assisting in response to security incidents and privacy breaches.
* Appointing, when required, a designated representative to coordinate and carry out system security responsibilities.

A

AO

13
Q

The _______ is appointed by the CEO and serves as the focal point for the information system and is the central point of contact during the security authorization process.

A

Information System Owner (ISO)

14
Q

The ______ is responsible for:
* Coordinating data protection requirements with Information Owners (IOs) that have information stored and processed in the system.
* Deciding, in coordination with the IO and Information System Security Officer (ISSO), who has access to the system. Determining access privileges and rights to the system.
* Ensuring that system users and support personnel receive the required security training (e.g., instruction in the Rules of Behavior).
* Ensuring that the system is compliant with the required security controls.

A

Information System Owner (ISO)

15
Q

The ______ is responsible for:
* Appointing an ISSO for the information system to carry out the day-to-day security responsibilities.
* Reviewing system security documents (e.g., SSP, POA&M, etc.).
* Ensuring that system-specific security training is provided to the users and administrators of the systems.
* Ensuring that remediation activities for the system are performed as needed to maintain the authorization status.
* Appointing an Information System Security Manager (ISSM) to coordinate system security tasks and provide oversight responsibilities to ensure security activities are performed.

A

ISO

16
Q

The ______ is an official with regulatory, management, or operational authority for specified information and is responsible for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal.

A

Information Owner (IO)

17
Q

The _____ is responsible for:
- Providing input to ISOs regarding the security requirements and controls for the systems where the information is processed, stored, or transmitted.
- Retaining information in accordance with the National Archives and Records Administration (NARA) record schedule.

A

IO

18
Q

The _____ is responsible for:
* Categorizing the sensitivity level of the information stored and processed in the system.
* Establishing rules for appropriate use and protection of the information.
* Coordinating with the ISO when security requirements change.
* Assisting in the response to security incidents.
* Ensuring that the PII inventory is updated.

A

IO

19
Q

The ______ is appointed by the ISO and works closely with the ISO or ISSM to ensure that the appropriate security posture is maintained for the information system.

A

Information System Security Officer (ISSO)

20
Q

The ______ serves as a principal advisor on all the security related issues of an information system.

A

The ISSO serves as a principal advisor on all the security related issues of an information system.

21
Q

The _____ must have the detailed knowledge and expertise required to manage the security aspects of an information system and is responsible for the day-to-day security operations of a system.

A

ISSO

22
Q

This _______ supports activities at the system level and includes, but is not limited to, physical and environmental protection, personnel security, incident handling, and security training and awareness.

A

ISSO

23
Q

The ______ is responsible for:
* Ensuring system compliance with security policies and procedures.
* Managing and controlling changes to the system.
* Assessing the security impact of any changes.
* Monitoring the system and its environment.
* Developing and updating the SSP.

A

ISSO

24
Q

The _____ is responsible for:
* Coordinating with and supporting the ISO with security responsibilities.
* Preparing or overseeing the preparation of system security documents and security activities.
* Developing security policies and procedures that are consistent with IA policies.

A

ISSO

25
Q

The ______ is responsible for:
* Performing or overseeing remediation activities to maintain the authorization status.
* Assisting the ISO in assembling the security authorization package for submission to the AO.
* Assisting in the investigation of security incidents.

A

ISSO

26
Q

The ______ serves as the primary liaison for the CISO to individuals with security and privacy responsibilities and supports activities at the IAP level.

A

Information Assurance Manager (IAM)

27
Q

The ______ serves as the primary liaison for the CISO to individuals with security and privacy responsibilities and supports activities at the IAP level.

A

IAM

28
Q

The ______ (Federal employee) coordinates system security tasks and provides oversight responsibilities to ensure security activities are performed, and serves as the liaison between the Information System Security Officer (ISSO) and the Information System Owner (ISO).

A

Information System Security Manager (ISSM)

29
Q

The ______ (contractor) coordinates directly with the ISSM for all system security related issues.

A

ISSO

30
Q

The ______ is responsible for:

  • Providing oversight of system security activities performed by the ISSO.
  • Acting as the liaison between the IAM and the ISSO.
  • Monitoring system compliance with Information Assurance policies and federal guidance.
A

ISSM

31
Q

The _______ is nominated by the Agency and assists the Contracting Officer (CO) by performing the following functions:

  • Acting as a technical liaison between the CO and the contractor.
  • Providing technical assistance.
  • Performing onboarding and offboarding activities for the contractors assigned to the contract.
  • Ensuring that contractors have the proper background investigations before accessing information or systems.
  • Ensuring that contractors properly maintain information and information systems in accordance with the IAP.
A

Contracting Officer’s Representative (COR)

32
Q

The _____ conducts assessments of the security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system).

A

Security Assessment Team (SAT)

33
Q

The _______ is responsible for:

  • Developing a security assessment plan for each subset of security controls that will be assessed.
  • Submitting the security assessment plan for approval prior to conducting the assessment.
  • Conducting the assessment of security controls as defined in the security assessment plan.
A

SAT

34
Q

The _______ is responsible for:
* Providing an assessment of the severity of weaknesses or deficiencies discovered in the information system.
* Recommending corrective actions to address identified vulnerabilities.
* Preparing the final security assessment report containing the results and findings from the assessment.

A

SAT

35
Q

Enumerate the 11 positions:

A

CEO
CIO
CISO
AO
ISO
IO
ISSO
IAM
ISSM
COR
SAT