Misc.

Question 1

Assessment Object

Answer 1

AIMS

• Activity
• Individual
• Mechanism
• Specification

Question 2

Assessment Objective Methods

Answer 2

TIE

• Test
• Interview
• Examine

Question 3

Assessment Objective Security Control Classes

Answer 3

MOT

• Management
• Operations
• Technical

Question 4

An Information System containing what cannot have an confidentiality impact level below moderate?

Answer 4

• Privacy Information

- Trade Secrets

Question 5

6 Steps of the Tailoring Guidance

Answer 5

• Identifying and Designating Common Controls
• Applying Scoping Considerations
• Selecting Compensating Controls
• Assigning Security Control Parameter Values
• Supplementing Baseline Security Controls
• Providing Additional Specification Information for Implementation

Question 6

Tiered Roles

Answer 6

Tier 1:

• Organization (Governance)
• Head/CEO, CIO, SISO, RE

Tier 1/2:
- CCP, ISO, SCA

Tier 2:

• Mission/Business Process (Information Flow)
• AO, AODR

Tier 3:

• Information System (Environment of Operations)
• ISO, IO, ISSO, ISSE

Question 7

Organizational Risk Frame

determines Risk Assessment Model

Answer 7

• Risk Assumptions
• Risk Constraints
• Priorities and Tradeoffs
• Risk Tolerance
• Uncertainty

Question 8

NIST 800-60 Process

Answer 8

• Step 1: Identify Information Type
• Step 2: Select Provisional Impact Level
• Step 3: Review Provisional Impact Level and Adjust/Finalize Provisional Impact Level
• Step 4: Assign System Security Category
• Leads to Security Categorization and Security Control Selection

Low = Minor/Limited
Moderate = Serious
High = Severe/Catastrophic

Question 9

Risk Assessment Methodology

determined by Organizational Risk Frame

Answer 9

• Risk Assessment Process
• Risk Model
• Assessment Approach
• Analysis Approach

Question 10

Risk Management Process; what is it, where is it from?

Answer 10

• NIST SP 800-39
• Frame
• Assess
• Respond
• Monitor

Question 11

Risk Assessment Process; what is it, where is it from?

Answer 11

• NIST SP 800-39
• Prepare
• Conduct
• Communicating
• Maintaining

Question 12

What are the criteria for a National Security System? Where is it from?

Answer 12

• NIST SP 800-59
• Intelligence Activities
• Cryptographic Information
• Command and Control of Military Forces
• Weapon/ Weapon System
• Military or Intelligence Missions
• Processes Classified Information

Question 13

What is the standard wording for an effective control?

Answer 13

Implemented correctly, operating as intended and producing the desired outcome

Question 14

Risk = ?

Answer 14

Likelihood x Impact

Threat and Vulnerability feed into Likelihood and Impact

Threat Source - initiates - Threat Event - exploits - Vulnerability - causing - Adverse Impact - producing - Organizational Risk

Question 15

Enterprise Architechture

Answer 15

People
Process
Technology

Question 16

Architecture Description Inputs

Answer 16

• Architecture Reference Models
• Segment and Solution Architectures
• Mission and Business Processes
• Information System Boundaries

Question 17

Organization Inputs

Answer 17

• Laws, Directives, Policy Guidance
• Strategic Goals and Objectives
• Priorities and Resource Availability
• Supply Chain Considerations

Question 18

CIO

Answer 18

• Will use words like “ensure a program does…”
• Primarily administrative
• Makes sure the ISCM program exists
• Ensures resources are available to support
• High level
• Inherently government function

Question 19

SCA

Answer 19

• Will use words like “assessment” a lot
• Updates the SSP and SAR
• Submits the SAP for approval
• Has to be an engineer (technically competent)

Question 20

SISO

Answer 20

• Responsible for developing and implementing the ISCM program
• Looks at initial monitoring strategy put together by the ISO and CCP
• Tracks and analyzes POAMs

Question 21

CCP

Answer 21

• Only really involved a lot if some common controls need updating/remediation

Question 22

RE

Answer 22

• Oversees strategy and program
• Matrix position
• Collaborates and shares news with everyone
• Uses words like: Shared, Communicated, Collaborated
• Inherently government position

Question 23

AO

Answer 23

• Ensures security posture of the program is acceptable

- Makes authorization decisions

Question 24

ISO

Answer 24

• Does the grunt work
• Ensures operational impacts are being done
• Conducts assessments
• Reports back to AO/SCA
• Updates documentation
• Only one who registers anything

Question 25

ISSO

Answer 25

• Assists the ISO

Question 26

Safeguards v Countermeasures

Answer 26

Safeguards are designed into a system to prevent risk

Countermeasures are reactive and added after the risk assessment

Question 27

RTO

Answer 27

Recovery Time Objective

Amount of time a system is allowable to be down; no impacts

Question 28

MTD

Answer 28

Maximum Tolerable Downtime

Maximum amount of time a system can be down

Question 29

RPO

Answer 29

Recovery Point Objective

Point to which you want to be able to restore to

Question 30

Boxes and Knowledge

Answer 30

• Basic (Black Box) - Zero Knowledge
• Focused (Grey Box) - Partial Knowledge
• Comprehensive (White Box) - Full Knowledge, Explicit and substantial

Question 31

Forms of Authorization

Answer 31

• Single Authorization
  - Traditional
  - One AO
• Joint Authorization
  - Multiple AOs (maybe different services)
  - Have to agree on everything
• Leveraged Authorization
  - Use an existing ATO and create your own ATO
  - Have to be willing to accept the risk or make changes (when able if it’s not your system)
  - ie: Cross service

Question 32

Cleaning v. Purging

Answer 32

Cleaning is erasing, but data can be recovered using forensic capabilities (overwriting)

Purging is erasing, but the data cannot be recovered using forensic capabilities (degaussing)

Purging: Rendering sanitized data unrecoverable by laboratory attack methods

Question 33

Continuous Monitoring Process

Answer 33

Define/Monitor
Establish
Implement
Analyze
Respond
Review

Question 34

Risk Assessment and Risk Determination, in order

Answer 34

Threats
Vulnerabilities
Probability
Impact

Question 35

Types of Assessment Approaches

Answer 35

Quantitative
Qualitative
Semi-Quantitative

Question 36

Information Type

Answer 36

A specific category of information, defined by an organization or a specific law

Question 37

Subsystems in a service-oriented architecture (SOA) or net-centric architecture are registered in RMF Task 1-3 by:

Answer 37

• Establishing a separate registration process
• As a subset of systems or registered separately as a dynamic subsystem
• Proper identification during system categorization

Question 38

What is an Overlay?

Answer 38

A specification that may be more or less stringent than the original criteria for security controls, control enhancements, supplemental guidance and other supporting information employed during the tailoring process, and is intended to complement (and further refine) security control baselines.

Question 39

What is Baseline Security?

Answer 39

The minimum security controls required for safeguarding an information technology system based on its identified impact levels for confidentiality, integrity and availability.

Question 40

What types of security are the two fundamental components that affect the trustworthiness of information systems?

Answer 40

Functionality-related (does it work?)

Assurance-related (can I prove it?)

(cited in NIST SP 800-53)

Question 41

What is a PIA?

Answer 41

Privacy Impact Assessment
Established by the E-Government Act of 2002

• Ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy
• Determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic IS
• Examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks

Question 42

Configuration Management has the following benefits:

Answer 42

• Reliance
• Quality Control
• Risk Control

Question 43

What is a hybrid control?

Answer 43

A control determined partly by the organization and partly system-specific

Question 44

Contingency Planning Process (per NIST 800-34)

Answer 44

1. Develop the contingency planning statement
2. Conduct the Business Impact Analysis (BIA)
3. Identify preventative controls
4. Create contingency strategies
5. Develop an information system contingency plan
6. Ensure plan test, training and exercise
7. Ensure plan maintenance

Question 45

Backup/Recovery Strategy for each Impact Level

Answer 45

Low

• Back up: Tape backup
• Strategy: Relocate or Cold site

Moderate

• Backup: Optical backup, WAN/LAN replication
• Strategy: Cold or Warm site

High

• Backup: Mirrored systems and disc replication
• Strategy: Hot site

Question 46

Partial assessments can be performed and are reusable if:

Answer 46

the assessor is deemed to be independent and technically competent. Additionally, the security control must be under configuration or version management.

Question 47

Logical flow for conducting security control assessments?

Answer 47

Assessment procedures, assessment objectives and assessment objects, all of which are evaluated using assessment methods

Question 48

RMF Step 4 primary documents

Answer 48

• NIST 800-37
• NIST 800- 53A
• NIST 800- 115

Question 49

Security control assessments provide:

Answer 49

• Evidence about the effectiveness of security controls
• Information about the strengths and weaknesses of IS which are supporting organizational and business functions
• An indication of the quality of the risk management process employed within the organization

Question 50

What documents form the Security Authorization Package?

Answer 50

• SSP for the system to be authorized
• SAR for the system to be authorized
• POAMs for the system to be authorized
• Same documents for all common control systems that are used to mitigate risks

Question 51

Sanitization

Answer 51

Process to remove information from media such that information recovery is not possible. Includes removing all labels, markings and activity logs.

Question 52

The security control analysis results and recommended changes are contained in the:

Answer 52

Security Assessment Report (SAR)

Question 53

The structure for POAMs is determined by:

Answer 53

The Office of Management and Budget (OMB)

Question 54

The pillars of continuous monitoring are:

Answer 54

• Ongoing authorization

- Near real-time risk management

Question 55

Continuous Monitoring Strategy ensures that:

Answer 55

1. Items on the POAM receive adequate oversight
2. Controls with greater volatility or importance are assessed more frequently
3. Control implementations that have changed since the last assessment are reevaluated

Question 56

Primary reference documents for RMF Step 6?

Answer 56

NIST SP 800-37

NIST SP 800-53A

Question 57

Before a rescission letter, the AO consults with:

Answer 57

SISO and RE

Question 58

Per NIST 800-55, performance management criteria translate into KPI using what evaluation criteria?

Answer 58

• Measures of effectiveness
• Measures of efficiency
• Impact measures

Question 59

Compliance Management is:

Answer 59

A collection of processes employed to ensure that an agency conforms to the legal, policy and associated regulatory mandates that apply to a system

Question 60

Adequate security

Answer 60

Security commensurate with the risk and magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information

Question 61

Baseline security

Answer 61

The minimum security controls required for safeguarding an information technology system based on its identified impact levels for Confidentiality, Integrity and Availability

Question 62

System of Records Notice

Answer 62

An official notice of an organization’s system(s) of records, as required by the Privacy Act of 1974 that identifies:

• the purpose for the system of records
• the individuals covered by information in the system of records
• the categories of records maintained about individuals
• the ways in which the information is shared

Question 63

Information System

Answer 63

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information

Question 64

Threat Source

Answer 64

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability

Question 65

Threat Scenario

Answer 65

A set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time

Question 66

Threat Event

Answer 66

An event or situation that has the potential for causing undesirable consequences or impact

Question 67

NIST 800-37 Steps

Answer 67

1. Categorize the IS
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize the IS
6. Monitor Security Controls

Question 68

Organizational Risk Management Strategy includes

Answer 68

• SORN
• Strategic Goals and Objectives
• Organizational Culture and Infrastructure
• Investment Strategies?

Question 69

Risk Response options:

Answer 69

Risk Acceptance
Risk Avoidance
Risk Transfer/Sharing
Risk Mitigation

Combination of above

Question 70

Interconnecting system phases

Answer 70

From NIST SP 800-47

Plan
Establish
Maintain
Disconnect

Question 71

Incident Response Phases

Answer 71

• Prepare
• Detect and Analyze
• Containment, Eradication and Recovery
• Post-Incidence Activity

Question 72

Security Configuration Management Process

Answer 72

• Planning
• Identifying and Implementing Configurations
• Controlling Configuration Changes
• Monitor

Question 73

Inherently government roles

Answer 73

• CIO
• RE
• SISO
• AO/DR
• IO/Steward
• CEO (no primary roles)

Question 74

Depth means ?

Coverage means ?

Answer 74

Depth = Rigor
Coverage = Scope

Question 75

Risk assessment incorporates

Answer 75

threat and vulnerability analysis and considers mitigations

Question 76

NIST 800-60 Exceptions/Key Statements

Answer 76

• Aggregation
• Privacy and Trade Secrets require minimum Moderate Confidentiality impact value
• PIA must exist before developing systems with PII
• The system categorization process, including determination of impact values, is reused during development of a BIA
• System categorization contributes and provides inputs into capital planning and investments processes
• Info sharing and system interconnection agreements should use aggregated and individual security categorization when assessing interconnection agreements
• Specific guidance is provided related to critical infrastructure programs (CIP) and the relationship to Homeland Security Presidential Directive 7

Question 77

Defense-in-Depth

Defense-in-Breadth

Answer 77

Defense-in-Depth:
Strategy to establish visible barriers across multiple layers and dimensions

Defense-in-Breadth:
Set of activities that seeks to identify, manage and reduce risk of exploitable vulnerabilities at every stage of the system