Practice Test 1 Flashcards by Nicholas Phelps

An event or situation that has the potential for causing undesirable consequences or impact.

A. Threat Event
B. Threat Assessment
C. Threat Source
D. Threat Scenario

A. Threat Event

How well did you know this?

Not at all

Perfectly

In which type of access control do user ID and password system come under?

A. Administrative
B. Technical
C. Power
D. Physical

B. Technical

How well did you know this?

Not at all

Perfectly

The Organization Level (Tier 1) strategy addresses/requires……..

A. Assessment of Risks
Evaluation of Risks
Mitigation of Risks
Acceptance of Risk
Monitoring Risk
Risk Management Strategy Oversight

B. Mitigation of Risks
Acceptance of Risk
Monitoring Risk
Risk Management Strategy Oversight
Assessment of Risks
Evaluation of Risks

C. Acceptance of Risk
Assessment of Risks
Evaluation of Risks
Mitigation of Risks
Monitoring Risk
Risk Management Strategy Oversight

D. Evaluation of Risks
Mitigation of Risks
Acceptance of Risk
Monitoring Risk
Assessment of Risks
Risk Management Strategy Oversight

A. Assessment of Risks
Evaluation of Risks
Mitigation of Risks
Acceptance of Risk
Monitoring Risk
Risk Management Strategy Oversight

How well did you know this?

Not at all

Perfectly

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.

A. Adversary
B. Enterprise
C. Countermeasures
D. Assurance

A. Adversary

How well did you know this?

Not at all

Perfectly

Choose from the following options the U.S. government repository of standards-based vulnerability management data where you can easily find the NIST standards for guidance on continuous monitoring.

A. NIST SP 800-37
B. NVD
C. SCAP
D. ISCM

B. NVD (National Vulnerability Database)

How well did you know this?

Not at all

Perfectly

In the case of a complex information system, where a “leveraged authorization” that involves two agencies will be conducted, what is the minimum number of system boundaries/accreditation requirements boundaries that can exist?

A. Only one
B. Only two, because there are two agencies.
C. At least two
D. A leveraged authorization cannot be conducted with more than one agency involved.

A. Only one.

How well did you know this?

Not at all

Perfectly

What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected?

A. The system is given an Authority to Operate (ATO)
B. The remediated controls are reassessed.
C. The assessment report is generated.
D. The original assessment results are changed.

B. The remediated controls are reassessed.

How well did you know this?

Not at all

Perfectly

You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you’re creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance?

A. Sharing
B. Avoidance
C. Transference
D. Exploiting

C. Transference

How well did you know this?

Not at all

Perfectly

Which of the following are the goals of risk management?
Each correct answer represents a complete solution. Choose three.

A. Finding an economic balance between the impact of the risk and the cost of the countermeasure
B. Identifying the risk
C. Assessing the impact of potential threats
D. Identifying the accused

A. Finding an economic balance between the impact of the risk and the cost of the countermeasure
B. Identifying the risk
C. Assessing the impact of potential threats

How well did you know this?

Not at all

Perfectly

What would be the impact level due to the loss of CIA that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations or the nation?

A. Low impact level
B. Medium impact level
C. Moderate impact level
D. High impact level

D. High impact level

How well did you know this?

Not at all

Perfectly

Which of the following is not an authorization decision identified in the RMF?

A. Authorization to operate
B. Denial of authorization to operate
C. Common control authorization
D. All of the above

D. All of the above

How well did you know this?

Not at all

Perfectly

Sensitivity of a system based on the _________ processed, stored, and transmitted by the system.

A. Data
B. Program
C. Image
D. Signal

A. Data

How well did you know this?

Not at all

Perfectly

Which of the following terms related to risk management represents the estimated frequency at which a threat is expected to occur?

A. Safeguard
B. Single Loss Expectancy (SLE)
C. Exposure Factor (EF)
D. Annualized Rate of Occurrence (ARO)

D. Annualized Rate of Occurrence (ARO)

How well did you know this?

Not at all

Perfectly

Where would you find standard guidance for determining an organization’s risk appetite?

A. NIST SP 800-39
B. NIST SP 800-50
C. NIST SP 800-37
D. NIST SP 800-53

A. NIST SP 800-39

How well did you know this?

Not at all

Perfectly

The FISMA defines three security objectives for information and information systems:

A. CONFIDENTIALITY, INTEGRITY and AVAILABILITY
B. INTEGRITY, AVAILABILITY and AUTHENTICITY
C. AVAILABILITY, AUTHENTICITY and CONFIDENTIALITY
D. AUTHENTICITY, CONFIDENTIALITY and INTEGRITY

A. CONFIDENTIALITY, INTEGRITY and AVAILABILITY

How well did you know this?

Not at all

Perfectly

Which of the following tasks are identified by the Plan of Action and Milestones document? Each correct answer represents a complete solution. Choose all that apply.

A. The plans that need to be implemented
B. The resources needed to accomplish the elements of the plan
C. Any milestones that are needed in meeting the tasks
D. The tasks that are required to be accomplished
E. Scheduled completion dates for the milestones

B. The resources needed to accomplish the elements of the plan
C. Any milestones that are needed in meeting the tasks
D. The tasks that are required to be accomplished
E. Scheduled completion dates for the milestones

How well did you know this?

Not at all

Perfectly

Authentication ensures that system users are who they say they are. At Colvine Tech, a system user must prove identity by providing an email address, a password, and answer a security question before being given logical access.
What factor of authentication fits this requirement?

A. Multi-factor authentication
B. Authentication and accountability
C. Single-factor authentication
D. Dual-factor authentication

C. Single-factor authentication

How well did you know this?

Not at all

Perfectly

The ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning.

A. Resilience
B. Fragile
C. Inanimate
D. Silence

A. Resilience

How well did you know this?

Not at all

Perfectly

A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.

A. Disaster Recovery Plan (DRP)
B. Common Vulnerability Scoring System (CVSS)
C. Continuity of Operations Plan (COOP)
D. Common Vulnerability and Exposures (CVE)

A. Disaster Recovery Plan (DRP)

How well did you know this?

Not at all

Perfectly

The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations,
organizational assets, or individuals.

A. Potential Impact
B. High Impact
C. Low Impact
D. Moderate Impact

A. Potential Impact

How well did you know this?

Not at all

Perfectly

Which of the following techniques are used after a security breach and are intended to limit the extent of any damage caused by the incident?

A. Safeguards
B. Preventive controls
C. Detective controls
D. Corrective controls

D. Corrective controls

How well did you know this?

Not at all

Perfectly

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed‐upon set of security controls.

A. Authorization (to operate)
B. Systems operated
C. Security Authorization
D. Senior Organizational

A. Authorization (to operate)

How well did you know this?

Not at all

Perfectly

Which of the following are the common roles with regard to data in an information classification system program?
Each correct answer represents a complete solution. Choose all that apply.

A. Custodian
B. User
C. Security auditor
D. Editor
E. Owner

A. Custodian
B. User
C. Security auditor
E. Owner

How well did you know this?

Not at all

Perfectly

What RMF artifact establishes the scope of protection for an IS and encompass people, process, and info tech that are part of the system?

A. System Boundary
B. Risk Management Framework
C. Authorize
D. Categorization

A. System Boundary

How well did you know this?

Not at all

Perfectly

The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries). A. High Impact B. Low Impact C. Medium Impact D. Moderate Impact

A. High Impact

The findings from a security control assessment are documented in which of the following documents? A. Security Assessment Plan (SAP) B. Plan of Action & Milestones (POA&M) C. Security Assessment Report (SAR) D. System Security and Privacy Plan

C. Security Assessment Report (SAR)

The security control type for an information system that primarily are implemented and executed by people (as opposed to systems). A. Operational B. Technical C. Organizational D. Implementation

A. Operational

The security controls for an information system that primarily are implemented by people (as opposed to systems) are known as A. Management controls B. Operational controls C. Technical controls D. Logical controls

B. Operational controls

The authorizing official may determine that additional information supporting the authorization package is needed. The additional documentation may include all but one of the following. A. Plan of action and milestones B. Risk assessments C. Contingency plans D. Supply chain risk management plans

A. Plan of action and milestones

A business‐based framework for government wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen‐ centered, results‐oriented, and market‐based. A. Federal Enterprise Architecture B. Net-Centric Architecture C. Industry Standard Architecture D. Enterprise Architecture

A. Federal Enterprise Architecture

You are working as a project manager in your organization. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control? A. Quantitative risk analysis B. Qualitative risk analysis C. Requested changes D. Risk audits

C. Requested changes

Defining the types of information needed by the organization to successfully carry out identified missions and business processes as well as defining the organization's internal and external information flows. A. NIST SP 800-60 B. NIST SP 800-57 C. NIST SP 800-50 D. NIST SP 800-37

A. NIST SP 800-60

The set of minimum-security controls defined for a low-impact, moderate‐impact, or high‐impact information system. A. Security Control Baseline B. Minimum Security Baselines C. None of these D. Revised Control Baseline

A. Security Control Baseline

The security category of information 1 is determined to be: Confidentiality, low; Integrity, moderate; and availability, Moderate. The security category for information 2 is determined to be: confidentiality, Not Applicable, Integrity, Low; and availability, Moderate. What is the overall security category? A. Security Category information type = (confidentiality, NOT APPLICABLE), (integrity, LOW), (availability, MODERATE) B. Security Category information type = (confidentiality, LOW), (integrity, LOW), (availability, MODERATE) C. Security Category information type = (confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, HIGH) D. Security Category information type = (confidentiality, LOW), (integrity, MODERATE), (availability, MODERATE)

D. Security Category information type = (confidentiality, LOW), (integrity, MODERATE), (availability, MODERATE)

The emphasis of the revised NIST SP 800-37 process is on............. Choose all that apply. A. Building information security controls into government information systems by applying up-to-date management, operational and technical security controls. B. Maintaining awareness of the security posture of information systems through the application of "enhanced monitoring processes." C. Providing senior leaders essential information to facilitate decision making with regard to risk acceptance. D. Creating secured environment to provide guidance to individuals involved in security information systems. E. Developing leadership to use, analyze and manage technical security of government information systems.

A. Building information security controls into government information systems by applying up-to-date management, operational and technical security controls. B. Maintaining awareness of the security posture of information systems through the application of "enhanced monitoring processes." C. Providing senior leaders essential information to facilitate decision making with regard to risk acceptance.

Which of the following is NOT an objective of the security program? A. Security plan B. Security education C. Security organization D. Information classification

A. Security plan

Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment? A. Definition, Validation, Verification, and Post Accreditation B. Verification, Definition, Validation, and Post Accreditation C. Verification, Validation, Definition, and Post Accreditation D. Definition, Verification, Validation, and Post Accreditation

D. Definition, Verification, Validation, and Post Accreditation

Prepare, Categorize, select, and implement are steps or phases of the risk management framework which can be described as A. The certification phase of the system authorization plan B. The pre-certification phase of the system authorization plan C. The authorization phase of the system authorization plan D. The post-authorization phase of the system authorization plan

B. The pre-certification phase of the system authorization plan

A citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy‐Act and E Government Act to businesses, sole proprietors, aliens, etc. A. Individual B. Combined C. Private D. Mixed

A. Individual

The property of being genuine and being able to be verified and trusted, confidence in the validity of a transmission, a message, or message originator. A. Authenticity B. Validity C. Complexity D. Responsibility

A. Authenticity

In which of the following elements of security does the object retain its veracity and is intentionally modified by the authorized subjects? A. Integrity B. Nonrepudiation C. Availability D. Confidentiality

A. Integrity

What is the purpose of a Privacy impact assessment? A. To determine the extent to which proposed or actual changes to the system or its environment of operation can affect or have affected the system’s security posture. B. To determine the level of impact of the violation of the confidentiality of PII. C. To determine if the information system processes PII. D. To determine the level of violation of CIA.

B. To determine the level of impact of the violation of the confidentiality of PII.

A discrete set of resources organized for the collection, processing, maintenance, or disposition of information best describes one of the following A. An information system B. General Support System (GSS) C. An IT infrastructure D. A Major Application

A. An information system

Who is primarily responsible for the withdrawal and decommissioning of and information system? A. Security Architect B. Senior Information System Security Officer C. Information System Security Engineer D. Information System Owner

D. Information System Owner

Tailoring refers to the process by which a security control baseline is modified based on all but one of the following: A. The security categorization of the information system B. The application of scoping guidance C. The specification of compensating controls D. The specification of organization-defined parameters in controls via explicit assignment and selection statements.

A. The security categorization of the information system

Which of the following statements about the authentication concept of information security management is true? A. It determines the actions and behaviors of a single individual within a system and identifies that particular individual. B. It ensures that modifications are not made to data by unauthorized personnel or processes. C. It establishes the identity of users and ensures that the users are who they say they are. D. It ensures the reliable and timely access to resources.

C. It establishes the identity of users and ensures that the users are who they say they are.

What is the first SDLC phase; which maps to the first two RMF steps (Categorization, Select Controls)? A. Initiation B. Categorization C. Implementation D. Disposition

A. Initiation

True or False; After an ATO is granted, ongoing continuous monitoring is performed on all identified security controls as well as physical environment, etc. A. True B. False

A. True

The security control assessor for Colvine Tech will be conducting a comprehensive level assessment on an information system at Colvine Tech. Which controls must be assessed separately, not by the assessor for Colvine Tech? A. Common Controls B. Management controls C. Failed controls D. Alternative controls

A. Common Controls

What is the comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. A. Certification B. Examination C. Operation D. Information

A. Certification

A security assessment plan comprises of all of the following except one A. Scope B. Methodology C. Recommendations for remediation D. Rules of engagement

C. Recommendations for remediation

Which NIST special configuration provides guidance on security-focused configuration management? A. NIST SP 800-128 B. NIST SP 800-37 C. NIST SP 800-30 D. NIST SP 800-137

A. NIST SP 800-128

The authorization boundary of a system undergoing assessment comprises of: A. The information System (IS) elements to be authorized for operation. B. Any elements or systems specified by the Chief Information Owner (CIO). C. Any components found within the given Internet Protocol (IP) range. D. The information System (IS) elements to be authorized for operation as well as interconnected systems.

A. The information System (IS) elements to be authorized for operation.

Which of the following BEST describes the objective of a Security Assessment Plan? A. It provides a detailed roadmap for how the assessment will be conducted. B. It provides an assessment process for the integration of software and hardware. C. It describes how to verify the change control and Configuration Management (CM) practices. D. It ensures that changes made during system development are included in security assessments.

A. It provides a detailed roadmap for how the assessment will be conducted.

You are the project manager for a construction project. The project includes a work that involves very high financial risks. You decide to insure processes so that any ill happening can be compensated. Which type of strategies have you used to deal with the risks involved with that particular work? A. Transfer B. Mitigate C. Accept D. Avoid

A. Transfer

Security categorization of a National Security System must consider the security categories of all information types resident on it. A. True B. False

A. True

The Security Category that primarily deals with preserving authorized restrictions on information access and disclosure. A. Confidentiality B. Availability C. Integrity D. Authenticity

A. Confidentiality

As indicated in NIST SP 800-37, and NIST SP 800-53 the RMF provides architectural description inputs to the risk management strategy, including mission/business processes, FEA reference models, segment and solution architecture and: A. Information security requirements B. Information system boundaries C. Laws, directives and policy guidance D. Strategic goals and objectives

C. Laws, directives and policy guidance

An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people. A. General Support System B. Recovery Point Objective C. Internal Security Testing D. Recovery Point Objective

A. General Support System

Who has the responsibility to review and ensure that only substantive items are incorporated in the plan of action and milestones? A. Information System Owner B. Common Control Provider C. Authorizing Official D. Information Owner

C. Authorizing Official

An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. A. Major Application B. Humble Application C. Slight Application D. Worthless Application

A. Major Application Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.

Which of the following governance bodies directs and coordinates implementations of the information security program? A. Information Security Steering Committee B. Senior Management C. Business Unit Manager D. Chief Information Security Officer

D. Chief Information Security Officer

Not all deficiencies in controls or lack of security protections are vulnerabilities. Vulnerabilities in control can be defined as: A. Only deficiencies that can be exploited B. Missing patches C. All deficiencies in the controls D. Acceptable risks to the organization

A. Only deficiencies that can be exploited

Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system? A. FITSAF B. TCSEC C. FIPS D. SSAA

B. TCSEC

The scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation and maintenance, and ultimately its disposal that instigates another system initiation best describes A. Information system B. System Development Life Cycle (SDLC) C. Authorization Process D. IT infrastructure

B. System Development Life Cycle (SDLC)

A fundamental of Risk Management per NIST SP 800-37 is the integration of information security requirements into an organization's what? A. Software Development Life-Cycle B. Risk Management Framework C. National Institute of Standards and Technology D. Chief Information Officer

A. Software Development Life-Cycle

Which of the following access control models uses a predefined set of access privileges for an object of a system? A. Discretionary Access Control B. Mandatory Access Control C. Policy Access Control D. Role-Based Access Control

B. Mandatory Access Control

Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management is the title of what requirement? A. OMB memorandum M-11-33, FY 2011 B. Clinger-Cohen Act C. OMB Circular A-130, Appendix III, 1997 D. FISMA, 2002

A. OMB memorandum M-11-33, FY 2011

According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls. Which of the following are among the eight areas of IA defined by DoD? Each correct answer represents a complete solution. Choose all that apply. A. VI Vulnerability and Incident Management B. DC Security Design & Configuration C. EC Enclave and Computing Environment D. Information systems acquisition, development, and maintenance

A. VI Vulnerability and Incident Management

Interrelationships of system authorization processes. A. 1. System Security Authorization Project Planning. 2. System Inventory Process. 3. Assess Sensitivity and Criticality 4. Develop System Security Plan 5. Coordinate Security for Interconnected Systems. 6. Apply Minimum Security Baselines. 7. Assess Risk 8. Develop Security Procedures 9. Conduct Certification Testing 10. Plan for Remediation 11. Create System Authorization Documentation 12. Document the Accreditation Decision B. 1. System Security Authorization Project Planning. 2. System Inventory Process. 3. Assess Sensitivity and Criticality 4. Develop System Security Plan 5. Create System Authorization Documentation 6. Document the Accreditation Decision 7. Assess Risk 8. Apply Minimum Security Baselines. 9. Develop Security Procedures 10. Conduct Certification Testing 11. Coordinate Security for Interconnected Systems. 12. Plan for Remediation C. 1. Coordinate Security for Interconnected Systems. 2. Apply Minimum Security Baselines. 3. Assess Risk 4. Develop Security Procedures 5. Document the Accreditation Decision 6. System Inventory Process. 7. Create System Authorization Documentation 8. Develop System Security Plan 9. Conduct Certification Testing 10. System Security Authorization Project Planning. D. 1. Conduct Certification Testing 2. Plan for Remediation 3. Create System Authorization Documentation 4. Document the Accreditation Decision 5. System Inventory Process. 6. Coordinate Security for Interconnected Systems. 7. Assess Risk 8. Develop System Security Plan 9. System Security Authorization Project Planning. 10. Apply Minimum Security Baselines.

A. 1. System Security Authorization Project Planning. 2. System Inventory Process. 3. Assess Sensitivity and Criticality 4. Develop System Security Plan 5. Coordinate Security for Interconnected Systems. 6. Apply Minimum Security Baselines. 7. Assess Risk 8. Develop Security Procedures 9. Conduct Certification Testing 10. Plan for Remediation 11. Create System Authorization Documentation 12. Document the Accreditation Decision

NIST SP 800-37 provides guidance for applying RMF to all of which type of information systems for design, development, implementation, operation, maintenance and development? A. Federal B. Detach C. Sell D. Forfeit

A. Federal

The official primarily responsibility for security of an Info System, who establishes sensitivity level and types of controls required to protect the IS and initiates system authorization activities. A. Information System Owner B. System Development Life-Cycle C. Risk Management Framework D. Designated Representative

A. Information System Owner

Is it a good or bad idea for the inspecting team to work with host staff to correct weaknesses on the spot when possible? A. Good B. Bad C. Harmful D. Offensive

A. Good

Which NIST Special publication provides guidance on security assessment reports? A. NIST SP 800-18 B. NIST SP 800-53A C. NIST SP 800-53 D. NIST SP 800-37

B. NIST SP 800-53A

When carrying out ongoing risk response, the effectiveness of new, modified, enhanced, or added controls must be… A. Verified B. Reassessed C. Examined D. Tested

B. Reassessed

In what step of the RMF process would you create the SSP? A. Step 1 (Categorization) B. Step 2 (Recommendations) C. Step 3 (Mitigation) D. Step 4 (Determination)

A. Step 1 (Categorization)

Which organization is responsible for procurement, development, integration, modification, operation, maintenance, and disposal of an Information System? A. Information System Owner B. Information system security engineer (ISSE) C. Chief Information Officer (CIO) D. Information security architect

A. Information System Owner

An assessment procedure consists of a set of which things, each with an associated set of potential assessment methods and assessment objects? A. Assessment objectives B. Security controls C. Operational requirements D. Assessment objects

A. Assessment objectives

The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner. The authorization decision document contains all of the following information except? A. Authorization decision B. Terms and conditions for the authorization C. Approving revisions to the SSAA D. Authorization termination date

C. Approving revisions to the SSAA

During the security impact analysis vulnerabilities were uncovered in the information system. Which of the following documents should address the outstanding items? A. Plan of action and milestones B. System security plan C. System discrepancy plan D. System deficiency plan

A. Plan of action and milestones

Failure to authorize an operational system to process demonstrates that management has not exercised due care in protecting the system in the event of a security incident. Which of the following Acts has been violated? A. Clinger-Cohen Act of 1996 B. Computer security Act of 1987 C. FISMA, 2002 D. FIPS 102

C. FISMA, 2002

Guarding against improper information modification or destruction and includes ensuring information non‐ repudiation and authenticity. A. Integrity B. Authenticity C. Confidentiality D. Availability

A. Integrity

When an Information System Owner applies a risk-based approach to his selection of specific controls; his adjustment is called __________. The revised/tailored control baseline is documented in the system security plan. A. Tailoring B. Failing C. Scoping D. Passing

A. Tailoring

Office of Management and Budget (OMB) works directly for? A. White house Staff B. Black house Staff C. Without Staff D. None of These

A. White house Staff

Which of the following individuals is responsible for ensuring the security posture of the organization's information system? A. Authorizing Official B. Chief Information Officer C. Security Control Assessor D. Common Control Provider

A. Authorizing Official

Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures. A. Safeguards B. Subsystem C. Tailored Security D. Control Baseline

A. Safeguards

What is the purpose of the assess step? A. To find and remediate system vulnerabilities. B. To determine if the selected controls are implemented correctly, functioning as required, and producing the desired outcome. C. To identify and eliminate risk factors. D. To logically test and evaluate information systems.

B. To determine if the selected controls are implemented correctly, functioning as required, and producing the desired outcome.

Which of the following BEST defines the purpose of security assessment? A. To determine if the remaining known vulnerability pose an acceptable level of risk. B. To determine the extent to which the security controls are implemented correctly and operating as intended. C. To perform oversight and monitor the security controls in the information system (IS). D. To perform initial risk estimate and security categorization of the information system (IS).

B. To determine the extent to which the security controls are implemented correctly and operating as intended.

The point in time to which data must be recovered after an outage. A. Recovery Point Objective (RPO) B. Active Security Testing (AST) C. Internal Security Testing (IST) D. General Support System (GSS)

A. Recovery Point Objective (RPO)

In which of the RMF phases (task 3) is the conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk and outstanding items in the POA&M and milestones. A. RMF Step 6, Monitor B. RMF Step 6, Authorize C. RMF Step 6, Implement D. RMF Step 5, Authorize

A. RMF Step 6, Monitor

Why is the early selection of assessors important to organizations implementing a systems security engineering approach? A. Early selection of assessors assess all implement security controls. B. Early selection of assessors support verification and validation activities that occur throughout the system life cycle. C. Early selection of assessors violates security requirements. D. Early selection of assessors complete security control assessments in a timely manner.

B. Early selection of assessors support verification and validation activities that occur throughout the system life cycle.

Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment? A. Phase 4 B. Phase 3 C. Phase 2 D. Phase 1

B. Phase 3

Sam is the project manager of a construction project in south Florid a. This area of the United States is prone to hurricanes during certain parts of the year. As part of the project plan Sam and the project team acknowledge the possibility of hurricanes and the damage the hurricane could have on the project's deliverables, the schedule of the project, and the overall cost of the project. Once Sam and the project stakeholders acknowledge the risk of the hurricane, they go on planning the project as if the risk is not likely to happen. What type of risk response is Sam using? A. Mitigation B. Avoidance C. Passive acceptance D. Active acceptance

C. Passive acceptance

The registration of the system directly follows which Risk Management Framework (RMF) task? A. Categorize the system B. Describe the system C. Review and approve the system security plan D. Select security controls

B. Describe the system

Which of the following is an official authorization decision that is focused on specific controls implemented in a defined environment of operation to support one or more systems residing within the environment? A. Authority to test B. Facility authorization C. Type authorization D. Joint authorization

B. Facility authorization

The initial security plan for a new application has been approved. What is the next activity in the Risk Management Framework? A. Asses a selected subset of the security controls inherited by the information system. B. Assemble the security authorization package. C. Implement the security controls specified in the system security plan. D. Develop a strategy for the continuous monitoring of security control effectiveness.

C. Implement the security controls specified in the system security plan.

What are the phases of the System Development Life Cycle? A. 1. Initiation 2. Acquisition/Development 3. Implementation 4. Operations/maintenance 5. Disposition B. 1. Acquisition/Development 2. Implementation 3. Operations/maintenance 4. Disposition 5. Initiation C. 1. Initiation 2. Disposition 3. Implementation 4. Acquisition/Development 5. Initiation D. 1. Implementation 2. Operations/maintenance 3. Disposition 4. Acquisition/Development 5. Initiation

A. 1. Initiation 2. Acquisition/Development 3. Implementation 4. Operations/maintenance 5. Disposition

NIST SP 800-37 defines this role as an organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems). A. Common Controls Provider B. Implement Controls C. Security Controls D. Common Controls

A. Common Controls Provider

The security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, and firmware components of the system are known as A. Operational controls B. Physical controls C. Technical controls D. Management controls

C. Technical controls

Test Results should be shown as "meeting standards" or "not meeting standards"; or in short ________, _______. A. Pass, fail B. Yes, no C. True, false D. Good, bad

A. Pass, fail