GRC CHAPTER 1 & 2 WEEK 1

Question 1

What is the purpose of Appendix III to OMB Circular No. A-130?

Answer 1

Establishes a minimum set of controls for Federal automated information security programs

Assigns Federal agency responsibilities for the security of automated information and links agency automated information security programs with agency management control systems.

Question 2

Define ‘Application’ in the context of information resources.

Answer 2

Use of information resources to satisfy a specific set of user requirements

Question 3

What is a ‘General Support System’?

Answer 3

An interconnected set of information resources under the same direct management control sharing common functionality

Question 4

What distinguishes a ‘Major Application’?

Answer 4

Requires special attention to security due to risk and magnitude of harm from loss, misuse, or unauthorized access

Question 5

List the basic requirements for deploying risk-based IT systems.

Answer 5

• System Risk
• Potential Impact
• Security Control
• Data Classification
• Adequate Security
• System Development Life Cycle (SDLC)
• Risk Management
• Relevant Standards & Regulations
• Roles & Responsibilities

Question 6

What is an ‘Asset’ in information security?

Answer 6

People, property, and information that we are trying to protect

Question 7

Define ‘Threat’ in the context of information security.

Answer 7

Anything that can exploit a vulnerability and obtain, damage, or destroy an asset

Question 8

What does ‘Vulnerability’ refer to?

Answer 8

Weaknesses or gaps in a security program that can be exploited by threats

Question 9

Define ‘Likelihood’ in information security.

Answer 9

Probability that a potential vulnerability may be exploited in the associated threat environment

Question 10

What is ‘Risk’ in information security?

Answer 10

Potential for loss, damage, or destruction of an asset due to a threat exploiting a vulnerability

Question 11

What is the Risk Formula?

Answer 11

R = V + A + T

Question 12

True or False: Risk is the intersection of assets, threats, and vulnerabilities.

Answer 12

True

Question 13

Fill in the blank: A _______ is a weakness or gap in our protection efforts.

Answer 13

Vulnerability

Question 15

What is the definition of Impact in InfoSec?

Answer 15

The magnitude of harm from unauthorized disclosure, modification, destruction of information, or loss of system availability.

Impact is governed by potential mission impacts and produces a relative value for affected IT assets.

Question 16

What are the basic requirements for Risk-Based IT Systems?

Answer 16

• Adequate Security & Risk
• Security Objectives
• Potential Impact
• Security Controls
• Data Classification

These requirements ensure a comprehensive approach to information security.

Question 17

What does Adequate Security mean?

Answer 17

Security commensurate with the risk and magnitude of harm from loss, misuse, or unauthorized access to information.

This is defined in OMB A130 Appendix III.

Question 18

How is Risk defined in InfoSec?

Answer 18

A measure of the extent to which an entity is threatened by a potential circumstance or event, based on likelihood and adverse impacts.

Risk assessment is crucial for determining security measures.

Question 19

What are the three main Security Objectives?

Answer 19

• Confidentiality
• Integrity
• Availability

These objectives are essential for maintaining the security of information systems.

Question 20

What does Confidentiality prevent?

Answer 20

The unauthorized disclosure of information.

Loss of confidentiality occurs when information is disclosed to unauthorized individuals or systems.

Question 21

What is the definition of Integrity in InfoSec?

Answer 21

Prevents the unauthorized modification or destruction of information.

Loss of integrity is characterized by unauthorized changes to information.

Question 22

What does Availability ensure?

Answer 22

Timely and reliable access to and use of information.

Loss of availability refers to the disruption of access to information or information systems.

Question 23

What are the three levels of Potential Impact in case of a security breach?

Answer 23

• Low
• Moderate
• High

Each level indicates the severity of the adverse effects on operations, assets, or individuals.

Question 24

What characterizes a Low level of impact?

Answer 24

Limited adverse effect on organizational operations, assets, or individuals.

Minor harm to individuals may occur.

Question 25

What characterizes a Moderate level of impact?

Answer 25

Serious adverse effect on organizational operations, assets, or individuals without loss of life. ## Footnote Significant impact but no serious injuries.

Question 26

What characterizes a High level of impact?

Answer 26

Severe or catastrophic adverse effect on operations, assets, or individuals, including loss of life. ## Footnote Major consequences may arise from such incidents.

Question 27

What are Security Controls?

Answer 27

Safeguards or countermeasures to avoid, counteract, or minimize security risks. ## Footnote They can be classified by the timing of their occurrence relative to a security incident.

Question 28

What are Preventive controls?

Answer 28

Controls intended to prevent an incident from occurring. ## Footnote Example: locking out unauthorized intruders.

Question 29

What are Detective controls?

Answer 29

Controls intended to identify and characterize an incident in progress. ## Footnote Example: sounding an alarm to alert security personnel.

Question 30

What are Corrective controls?

Answer 30

Controls intended to limit the extent of damage caused by an incident. ## Footnote Example: recovering the organization to normal operations as quickly as possible.

Question 31

What are Deterrent controls?

Answer 31

Controls that discourage security violations. ## Footnote Example: presence of security cameras may deter theft.

Question 32

What are Compensating controls?

Answer 32

Controls intended to reduce risk due to existing or potential control weaknesses. ## Footnote Often used in real-world situations where a control is missing.

Question 33

What is Data Classification?

Answer 33

The process of assigning a level of sensitivity to data. ## Footnote This determines the extent to which data needs to be controlled or secured.

Question 34

What are typical sensitivity levels in Data Classification?

Answer 34

* Top Secret * Secret (Highly Confidential) * Confidential (Proprietary) * Internal Use Only * Public ## Footnote Sensitivity levels indicate the data's value and required security measures.

Question 35

What are the five phases of the System Development Lifecycle (SDLC)?

Answer 35

* Initiation * Development/Acquisition * Implementation * Operation and Maintenance * Disposition/Disposal ## Footnote These phases outline the process for integrating security into system development.

Question 36

What is the purpose of the Initiation phase in the SDLC?

Answer 36

Need and Purpose (Business Case) ## Footnote This phase identifies the necessity and objectives for the system.

Question 37

What tasks are involved in the Development/Acquisition phase of the SDLC?

Answer 37

Design, Purchased, and Developed ## Footnote This phase focuses on creating or acquiring the system.

Question 38

What occurs during the Implementation phase of the SDLC?

Answer 38

Testing, Accept, and Install ## Footnote This phase ensures the system is tested and accepted before full deployment.

Question 39

What is the focus of the Operation and Maintenance phase in the SDLC?

Answer 39

Operate, Modify, and Maintain ## Footnote This phase involves ongoing operation and updates to the system.

Question 40

What does the Disposition/Disposal phase in the SDLC entail?

Answer 40

System or Parts Termination ## Footnote This phase deals with the proper termination or disposal of the system or its components.

Question 41

What are the benefits of integrating security into the SDLC?

Answer 41

* Early identification and mitigation of issues * Lower cost of control implementation * Maximize security program ROI * Awareness of potential challenges * Mandatory security requirements * Identification of common and inherited items * Shared security services * Reuse of security strategies and tools * Facilitation of executive decision making * Comprehensive, timely risk management ## Footnote These benefits enhance the overall security posture of the organization.

Question 42

What is the NIST Risk Management Framework (RMF)?

Answer 42

A framework that promotes ongoing authorization and risk management through continuous monitoring processes. ## Footnote It integrates security with Enterprise Architecture and SDLC.

Question 43

What are the RMF-Based Characteristics?

Answer 43

* Near real-time risk management and ongoing authorization * Use of automated support tools for decision making * Integrates security with Enterprise Architecture and SDLC * Equal emphasis on phases of the RMF * Links risk management to all organization levels * Establishes Responsibility and Accountability ## Footnote These characteristics ensure a comprehensive approach to risk management.

Question 44

What is the purpose of Tiers of Risk Management in NIST SP 800-39?

Answer 44

To implement multi-tier organization-wide risk management. ## Footnote This approach is tightly coupled to Enterprise Architecture and Information Security Architecture.

Question 45

What does Tier 1 of the Organization-wide Risk Management address?

Answer 45

Risk from the organizational perspective. ## Footnote It develops a comprehensive governance structure and enterprise-wide risk management strategy.

Question 46

What does Tier 2 of the Organization-wide Risk Management focus on?

Answer 46

Risk from a mission and business process perspective. ## Footnote It is guided by risk management decisions taken at Tier 1.

Question 47

What is the focus of Tier 3 in the Organization-wide Risk Management?

Answer 47

Risk from an information system perspective. ## Footnote It is guided by risk management decisions taken at Tier 2.

Question 48

What are the steps in the NIST Risk Management Framework?

Answer 48

* Step 0: Prepare * Step 1: Categorize Information Systems * Step 2: Select Security Controls * Step 3: Implement Security Controls * Step 4: Assess Security Controls * Step 5: Authorize Information Systems * Step 6: Monitor Security Controls ## Footnote These steps outline the entire RMF process.

Question 49

What is the purpose of Step 0 in the NIST RMF?

Answer 49

Preparing for the RMF process. ## Footnote This step sets the groundwork for effective risk management.

Question 50

What does Step 1 of the NIST RMF involve?

Answer 50

Categorizing the system and identifying security objectives. ## Footnote This step helps determine the necessary security controls based on the system's categorization.

Question 51

What is accomplished in Step 2 of the NIST RMF?

Answer 51

Select a baseline of security controls based on Security Categorization. ## Footnote This baseline is tailored and supplemented based on a risk assessment.

Question 52

What is the goal of Step 3 in the NIST RMF?

Answer 52

Implement and describe how the controls are used within the system. ## Footnote This step ensures that security measures are operational.

Question 53

What is assessed in Step 4 of the NIST RMF?

Answer 53

The extent to which security controls are implemented correctly, operating as intended, and producing the desired outcome. ## Footnote This assessment is crucial for understanding the effectiveness of the security measures.

Question 54

What does Step 5 in the NIST RMF involve?

Answer 54

Authorize the system based on the determination of acceptable risk to the organization. ## Footnote This step is critical for formal approval of the system's operation.

Question 55

What is monitored in Step 6 of the NIST RMF?

Answer 55

System controls assessing effectiveness, documenting changes, and reporting the security posture to officials. ## Footnote Continuous monitoring is essential for maintaining security compliance.