GRC WEEK 2 CHAPTERS 3 & 4 Flashcards

2
Q

What is the objective of the PREPARE step in the RMF process?

A

To understand how to prepare for the RMF process and manage security and privacy risks

This includes conducting essential activities at the organization, mission, business process, and information system levels.

3
Q

What is TASK P-1 in the PREPARE phase?

A

Risk Management Roles

Individuals are identified and assigned key roles for executing the Risk Management Framework.

4
Q

What does TASK P-2 involve?

A

Risk Management Strategy

Establishing a risk management strategy that includes a determination and expression of organizational risk tolerance.

5
Q

What is the purpose of TASK P-3?

A

Risk Assessment—Organization

Completing or updating an organization-wide risk assessment.

6
Q

What is defined in TASK P-4?

A

Organizationally-tailored Control Baselines and Cybersecurity Framework Profiles

Establishment of tailored control baselines and/or profiles.

7
Q

What does TASK P-5 focus on?

A

Common Control Identification

Identifying, documenting, and publishing common controls available for inheritance by organizational systems.

8
Q

What is the focus of TASK P-6?

A

Impact-Level Prioritization

Conducting a prioritization of organizational systems with the same impact level (optional).

9
Q

What is developed in TASK P-7?

A

Continuous Monitoring Strategy—Organization

Developing and implementing an organization-wide strategy for monitoring control effectiveness.

10
Q

What is the objective of the CATEGORIZATION step?

A

To understand how to categorize information and determine an information system’s high water mark.

11
Q

Who is responsible for the categorization of the information system?

A

Information System Owner and Information Owner/Steward.

12
Q

What guidance documents are referenced for the categorization process?

A

FIPS-199, NIST SP 800-18, 800-30, 800-39, 800-60, CNSS-1253.

13
Q

Fill in the blank: Sensitivity is a measure of the _______ assigned to information by its owner for protection.

A

importance

14
Q

Fill in the blank: Criticality is a measure of the degree to which an organization depends on the information for the success of a _______.

A

mission or business function

15
Q

True or False: Information loses its sensitivity over time.

A

True

Example: Economic/commodity projections after they’ve been published.

16
Q

What are the three levels of potential impact defined by FIPS 199?

A
  • Low
  • Moderate
  • High
17
Q

What does a loss of confidentiality prevent?

A

Disclosure of information to unauthorized individuals or systems.

18
Q

What is the definition of Integrity in the context of security objectives?

A

Prevents the unauthorized modification or destruction of information.

19
Q

What does Availability ensure?

A

Timely and reliable access to and use of information.

20
Q

What is the purpose of the High Water Mark concept?

A

To determine the highest potential impact value assigned to each Security Objective for all Security Categories resident on the system.

21
Q

What is included in the System Security Plan?

A
  • System Description
  • Categorization
  • Description of Controls
  • System Security Roles and Responsibilities
  • System Operational Status
  • System Environment
  • System Interconnections
  • Rules of Behavior
22
Q

What is a key responsibility of the System Owner regarding the System Security Plan?

A

To construct and approve the initial system security plan.

23
Q

What must be maintained in the System Security Plan?

A

It should be a living document and kept up to date.

24
Q

What is the first step in the registration process of an information system?

A

Identifying the information system in the organization’s system inventory.

25
Q

What are the inputs to the categorize process?

A
  • System description
  • Enterprise architecture
  • Information types
26
Q

What do the outputs of the categorize process include?

A
  • Security category for each information type
  • Information system’s security category and high water mark
27
Q

What is NIST SP 800-60?

A

Guide for Mapping Types of Information and Information Systems to Security Categories.

28
Q

What is the significance of changes in criticality and sensitivity?

A

They must be managed as they affect pre-existing controls.