Random Questions Flashcards

1
Q

What does RMF stand for?

A

Risk Management Framework

2
Q

How many steps are in the RMF?

A

Seven

3
Q

What are the abbreviated RMF steps?

A

Prepare, Categorize, Select, Implement,
Assess, Authorize, Monitor

4
Q

Who is invited to the kickoff meeting?

A

The Subject Matter Experts (SMEs)
Project Manager
Software Engineer, Network Engineer, System Engineer
Hardware Team
Common Control Provider
Authorizing Official (AO)
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Information System Security Officer (ISSO)

5
Q

What is discussed during the kickoff meeting?

A

CIA (confidentiality, integrity, availability) impact levels of the system
Location of the system
Cost of the system
A unique identification number is assigned to the system
Overlays
Assessment scheduled start and end dates, and what is expected during the assessment

6
Q

What are the types of overlays?

A

Privacy, ISO, IEC, CDS, IC

7
Q

What publications are used in the Prepare step?

A

NIST SP 800-30 | Guide for Conducting Risk Assessments
NIST SP 800-37 | RMF steps 1-7
NIST SP 800-39 | Managing Information Security Risk
NIST SP 800-18 | Guide for Developing the System Security Plan (SSP)

8
Q

What is categorization?

A

The security categorization of Federal systems and step 2 of RMF.

9
Q

What are the two types of systems?

A

GSS and Major Application System

10
Q

Which system requires an assessment of the whole system?

A

GSS - General Support System

11
Q

Which system requires an assessment of one application?

A

Major Application System

12
Q

How many security impacts are there?

A

Five

13
Q

What are the five security impacts?

A

Critical, High, Moderate, Low, N/A (these are finding severities used for the remediation timelines below; FIPS 199 itself defines only three impact levels for categorization: Low, Moderate, High)

14
Q

How soon must you remediate a critical security impact?

A

Immediately or 30 days

15
Q

How soon must you remediate a high security impact?

A

Immediately or 30 days

16
Q

How soon must you remediate a moderate security impact?

A

60 days

17
Q

How soon must you remediate a low security impact?

A

90 to 180 days

18
Q

What publication is used in the Categorize step?

A

FIPS-199

19
Q

How do you get the high water mark of a system?

A

Know what type of system it is (GSS or Major Application)
Rate each information type the system handles for confidentiality, integrity and availability (CIA)
Take the highest impact level assigned to any of the three objectives (not the most frequent one)
That highest level is the high water mark; it is the sensitivity of the system and the FIPS-199 security category that drives baseline selection
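The categorization procedure above, as an added example that is not part of the flashcard deck: it aggregates impact levels per security objective across every information type a system handles (the FIPS 199 rule for systems holding more than one information type), takes the highest as the high water mark, and uses that level to name the SP 800-53B baseline. The information types in `SAMPLE_INFO_TYPES` and the `categorize` helper are assumptions constructed for illustration, not a real system or any assessment tool's code.

```python
"""FIPS 199 categorization from the impact levels of the information types a
system handles. Added example for this flashcard deck; it is not code from NIST
or any assessment tool. SAMPLE_INFO_TYPES is constructed sample input."""

# FIPS 199 potential impact levels, ranked so that max() yields the high water mark.
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = {"C": "confidentiality", "I": "integrity", "A": "availability"}


def _rank(level):
    """Normalise a level string ('moderate', ' High ', 'n/a') to its rank."""
    key = level.strip().upper()
    if key not in LEVELS:
        raise ValueError("unknown impact level: %r" % level)
    return LEVELS[key]


def categorize(info_types):
    """Return the FIPS 199 security category of a system.

    info_types: list of dicts with keys 'name', 'C', 'I', 'A'.
    The system-level impact for each objective is the highest impact of any
    information type it handles, and the high water mark is the highest of
    the three. 'N/A' is permitted only for the confidentiality of public
    information; integrity and availability are always at least LOW.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {}
    for obj in OBJECTIVES:
        ranks = [_rank(t[obj]) for t in info_types]
        if obj != "C" and min(ranks) == LEVELS["N/A"]:
            bad = [t["name"] for t, r in zip(info_types, ranks) if r == LEVELS["N/A"]]
            raise ValueError("N/A is not permitted for %s: %s" % (OBJECTIVES[obj], bad))
        per_objective[obj] = max(ranks)
    # Highest level across C, I and A. Because I and A are never below LOW,
    # even a system holding only public information lands on the LOW baseline.
    hwm = max(per_objective.values())
    sc = "SC = {%s}" % ", ".join(
        "(%s, %s)" % (OBJECTIVES[o], NAMES[per_objective[o]].lower()) for o in OBJECTIVES
    )
    return {
        "C": NAMES[per_objective["C"]],
        "I": NAMES[per_objective["I"]],
        "A": NAMES[per_objective["A"]],
        "high_water_mark": NAMES[hwm],
        "baseline": NAMES[hwm],  # SP 800-53B baseline chosen per FIPS 200
        "sc": sc,
    }


SAMPLE_INFO_TYPES = [  # constructed sample input, not a real system
    {"name": "public web content", "C": "N/A", "I": "moderate", "A": "low"},
    {"name": "employee PII", "C": "moderate", "I": "moderate", "A": "low"},
    {"name": "audit logs", "C": "low", "I": "high", "A": "low"},
]

if __name__ == "__main__":
    result = categorize(SAMPLE_INFO_TYPES)
    print(result["sc"])
    print("high water mark:", result["high_water_mark"], "-> baseline:", result["baseline"])
```

Note that the public web content's N/A confidentiality does not pull the system down: the other information types raise confidentiality to MODERATE, and the audit logs' HIGH integrity sets the high water mark, so the whole system is assessed against the HIGH baseline even though most of its data is low-impact.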

20
Q

What is an example of assessment of a whole system?

A

Cell phone

21
Q

What is an example of assessment of one application?

A

Screen timeout

22
Q

How many security control families are there?

A

20 in SP 800-53 Rev 5 (Rev 4 had 18; Rev 5 added PT and SR)

23
Q

How many types of security control families are there?

A

Three

24
Q

What are the three types of security controls?

A

Technical, Operational, Managerial

25
Q

How are technical controls tested?

A

They are demonstrated.

26
Q

What are Operational Controls and how are they managed?

A

They describe how a process is carried out day to day (procedures, training, incident handling), and their evidence is uploaded into a government risk management (GRC) tool.

27
Q

What is an example of a government risk management tool?

A

Xacta 360, eMASS, CSAM, SharePoint

28
Q

What are managerial controls?

A

Controls that managers or supervisors must do or provide.

29
Q

What references do you need to select the controls?

A

NIST SP 800-53 | Security and Privacy Controls (the control catalog)
NIST SP 800-53A | Assessing the controls (assessment procedures)
NIST SP 800-53B | Control baselines for Rev 5
NIST SP 800-60 | Mapping information types to security categories
FIPS 200 | Minimum security requirements (basic controls)
DHS Sensitive Systems Policy Directive 4300A
ISO/IEC 27001 & 27002 | Information security management and controls
CNSSI 1253 | Committee on National Security Systems categorization and control selection
Privacy Overlay (PII or PKI)
Intelligence Community (IC) overlay

30
Q

What is the first thing the ISSO will do after the controls are selected?

A

TAILOR OUT THE CONTROLS that are NOT APPLICABLE or NOT NEEDED for the system.

31
Q

What is the second thing the ISSO will do after the controls are selected?

A

Scrub the client’s CAT.

32
Q

What will the SCA do after the controls are selected?

A

Look for deficiencies between the CAT and the RTM. Ensure both have the same information.

33
Q

If deficiencies are found between the CAT and RTM, what document also needs updated, when, and why?

A

The SSP needs to be updated immediately, because it is a living document.

34
Q

What information is on the CAT and RTM?

A

Tester’s name
Contact number
Contact email
Controls being tested
Date and time of test

35
Q

What artifacts satisfy Operational and Managerial controls?

A

PDFs and URLs

36
Q

What artifacts satisfy Technical controls?

A

Screenshots

37
Q

How does the ISSO ensure the controls are doing what is designed or intended?

A

The ISSO will TIE (the three SP 800-53A assessment methods):
Test the control
Interview
Examine

38
Q

What tools are used to conduct vulnerability scans?

A

Tenable Nessus
Burp Suite
Intruder
Insight

39
Q

How often does the ISSO run patches and perform updates?

A

Weekly

40
Q

How often must vulnerability scans be conducted?

A

Every 30 days

41
Q

Implementation satisfies which controls?

A

RA-5 | Vulnerability Monitoring and Scanning
SA-5 | System Documentation
SI-5 | Security Alerts, Advisories, and Directives

42
Q

STIG

A

Security Technical Implementation Guide