Practice Exam Flashcards

1
Q

Which of the following persons is responsible for testing and verifying whether the security policy is properly implemented and the derived security solutions are adequate or not?
A. Data owner

B. Data custodian

C. User

D. Auditor

A

D. Auditor

2
Q

Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?
A. Senior Agency Information Security Officer

B. Authorizing Official

C. Common Control Provider

D. Chief Information Officer

A

C. Common Control Provider

3
Q

FISMA charges which one of the following agencies with the responsibility of overseeing the security policies and practices of all agencies of the executive branch of the Federal government?
A. Office of Management and Budget (OMB)

B. National Institute of Standards and Technology (NIST)

C. National Security Agency (NSA)

D. Department of Justice

A

A. Office of Management and Budget (OMB)

4
Q

The British Standard BS7799 was the basis for which of the following standards?
A. ISO/IEC 154508

B. ISO/IEC 17799

C. ICO/ICE 17799

D. Executive Order (E.O.) 13231

A

B. ISO/IEC 17799

5
Q

Subsequent to a security breach, which of the following types of control is used with the intention of limiting the extent of damage caused by the incident?
A. Corrective controls

B. Preventive controls

C. Change controls

D. Incident controls

A

A. Corrective controls

6
Q

Which role in the security authorization process is responsible for organizational information systems?
A. IS program manager

B. Designated authorizing official

C. Certification agent

D. User representative

A

B. Designated authorizing official

7
Q

Which of the following is not a standard phase in the System Authorization Process?
A. Pre certification

B. Post authorization

C. Post certification

D. Certification

A

C. Post certification

8
Q

Which of the following is a standard that sets essential requirements for assessing the effectiveness of the computer security controls built into a computer system?
A. FITSAF

B. TCSEC

C. FIPS

D. SSAA

A

B. TCSEC

9
Q

An assessment procedure consists of a set of which of the following, each with an associated set of potential assessment methods and assessment objects?
A. Assessment objectives

B. Security controls

C. Operational requirements

D. Assessment objects

A

A. Assessment objectives

10
Q

Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?
A. The data owner implements the information classification scheme after the initial assignment by the custodian.

B. The custodian implements the information classification scheme after the initial assignment by the operations manager.

C. The data custodian implements the information classification scheme after the initial assignment by the data owner.

D. The custodian makes the initial information classification assignments and the operations manager implements the scheme.

A

C. The data custodian implements the information classification scheme after the initial assignment by the data owner.

11
Q

NIST SP 800 53A defines three types of interview depending on the level of assessment conducted. Which of the following NIST SP 800 53A interviews consists of informal and ad hoc interviews?
A. Substantial

B. Abbreviated

C. Comprehensive

D. Significant

A

B. Abbreviated

13
Q

What assessment procedure is designed to work with and complement the assessment procedures to contribute to the grounds for confidence in the effectiveness of the security controls employed in the information system?
A. Extended

B. Subordinate

C. Based

D. Cross control

A

A. Extended

14
Q

Under which type of access control do user ID and password systems fall?
A. Physical

B. Administrative

C. Power

D. Technical

A

D. Technical

15
Q

This stakeholder's involvement is required to determine acceptable residual risk; the stakeholder also advises the development team if the risks associated with eventual operation of the system appear to be unacceptable.
A. Authorization Official

B. Acceptance Official

C. Accreditation Officer

D. Assessment Officer

A

B. Acceptance Official

16
Q

Which one of the following publications provides details on monitoring security controls?
A. NIST SP 800 53

B. NIST SP 800 42

C. NIST SP 800 37

D. NIST SP 800 41

A

C. NIST SP 800 37

17
Q

What process should be initiated when changes to the information system negatively impact the security of the system or when a period of time has elapsed as specified by agency or federal policy?
A. IS audit

B. Systems acquisition

C. Reauthorization

D. Reclassification of data

A

C. Reauthorization

18
Q

Applying the first three steps of the RMF to legacy systems can be viewed as what kind of activity, used to determine whether the necessary and sufficient security controls have been appropriately selected and allocated?
A. Sequential

B. Level of effort

C. Gap analysis

D. Common control

A

C. Gap analysis

19
Q

Which of the following NIST documents provides a guideline for identifying an information system as a National Security System?
A. NIST SP 800 59

B. NIST SP 800 53

C. NIST SP 800 60

D. NIST SP 800 37

A

A. NIST SP 800 59

20
Q

Concerning residual risk, which of the following statements is true?
A. It is a weakness or lack of control that can be exploited by a risk.

B. It is an indicator of threats coupled with vulnerability.

C. It is the possible risk after implementing all security measures.

D. It is the possible risk prior to implementing all security measures.

A

C. It is the possible risk after implementing all security measures.