CGRC Practice Test

1. The objective of conducting a security assessment early in the life cycle is to ______ in the security controls, so that the system design and testing validate the implementation of those controls.
- Develop POAM
- Perform Vulnerability Scanning
- Identify security and privacy related deficiencies/vulnerabilities/weaknesses
- Ensure compliance

2. ______ is the process of determining the security category for information or an information system.
- Security Categorization
- Security Authorization
- Security Assessment
- Security Classification

3. ______ is required for an information system to transition into the Operation and Maintenance Phase of the SDLC.
- Penetration Testing
- System Development Lifecycle
- Security Assessment
- ATO (Authorization to Operate)

4. The authorization package includes an executive summary and ______, ______, and ______.
- Business Impact Analysis (BIA)
- POAM (Plan of Action and Milestones)
- System Security Plan (SSP)
- Security Assessment Report (SAR)

5. Continuous monitoring is best described as:
- A security process that requires common control implementation
- A new security concept
- Security Control
- Operational

6. The three tasks for RMF Step 2 are:
- Security categorization, Information System Description, and Information System Registration
- Assign roles, create plan of action and milestones (POA&M), and categorize the system
- Determine the information types, determine the security objectives, and categorize the system
- Review the starting point, determine the information types, and categorize the information system

7. Which attribute of a control implementation detail is incorrect?
- Control Requirement Satisfy By – describes how a solution meets the requirements of the control
- Control Enhancement Implementation Details – describes what solution is implemented, planned or compensated, to increase the strength of a base control
- Implementation Detail – describes what solution is implemented or planned or compensated
- Review Period – describes how often the solution is reactivated or updated

8. Assessment methods define the nature of the assessor actions and include the examine method, the interview method, and the:
- Governance method
- Assess method
- Test method
- Box method

9. What are the core security objectives or tenets of information security?
- Vulnerability, Pentest, Accounting
- Confidentiality, Integrity, Availability
- Accounting, Assessment, Authentication
- Condition, Introduction, Annuity

10. The types of authorization decision that can be rendered by an authorizing official for an information system include the following except:
- Interim Authorization to Operate (IATO)
- Denial of Authorization to Operate
- Authorization to Denied
- Authorization to Operate

11. ______ are actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
- Management
- Countermeasures
- System Development Life Cycle (SDLC)
- Acquisition/Development

12. ______ is detailed guidance and constraints regarding the execution of information security testing, established before the start of a security test, that gives the test team authority to conduct defined activities without the need for additional permission.
- Permission Structure
- Assessment Authorization
- Assessment Appropriation
- Rules of Engagement

13. Potential impact values for confidentiality, integrity, and availability are not the same for an information type; as such, the ______ must be used to determine the overall impact level of the information system.
- High Water Mark Concept
- Security Assessment Model
- Authorization to Operate (ATO)
- Vulnerability Management Concept

14. Along with the Information System Owner, Common Control Provider, and Authorizing Official, the other primary role that occurs in RMF Step 6 – Monitor is:
- Security Control Assessor
- Senior Information Security Officer
- Chief Information Officer
- Information System Security Officer

15. ______ can be defined as a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
- Conditional Acceptance
- Threat
- Vulnerability
- Risk

16. ______ describes the specific measures planned to correct identified weaknesses or deficiencies in the security controls and to address known vulnerabilities in the information system.
- Security
- POAM
- Vulnerability
- Management

17. The potential impact is ______ if the loss of confidentiality, integrity or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals, other organizations and/or the Nation.
- Medium
- High
- Moderate
- Moderate-High

18. Which of the following is incorrect regarding the implementation tasks, activities or processes?
- Business Impact Analysis is the process of controlling modifications to hardware, firmware, software and documentation to protect the information system against improper modification prior to, during or after system implementation.
- Business Continuity Plan provides procedures for sustaining an organization's processes during and after a disruption.
- Patch Management is the systematic notification, identification, deployment, installation and verification of operating system and application software code revisions. These revisions are also called patches, hot fixes and service packs.
- The implementation phase marks the progress in the RMF process after the system has been categorized and the security control baseline has been selected based on the system category.

19. Assessment findings identify that a security control resulted in a determination of satisfied or:
- Unacceptable
- Other than Satisfied
- Unsatisfactory
- Remediated

20. The activities or tasks that must be carried out by various organizational officials to appropriately select and tailor the control baseline and document the selected controls in the system security and privacy plan are the following except:
- Implementation
- Control Allocation
- Plan Review and Approval
- Control Selection
- Control Tailoring
- Continuous Monitoring Strategy
- Documentation of Planned Control Implementation

21. ______ is any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.
- Communication
- Information
- Selection
- Management

22. Risk assessment is used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
- Somewhat
- Not Sure
- True
- False

23. The components of an information system to be authorized for operation by an Authorizing Official (AO) are known as:
- Authorized Information System
- Authorization Boundary
- System Owner boundary
- Authorization system implementation

24. The System Security Plan (SSP) should exist:
- Before the system is categorized
- After the system boundary is established
- After the system is categorized
- Before the system can be registered

25. To assign the system categorization, NIST SP 800-60 has four steps. What are they?
- Review, select, coordinate and register
- Select, review, assign and categorize
- Identify, select, review and assign
- Determine, review, select and categorize

26. The stages of a System Development Life Cycle include:
- Implementation, Security, Vulnerability, Management, Processes, Constitutionality
- Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal/Disposition
- Development/Acquisition, Disposable, Implement, Initialization, Operational Control
- Maintenance, Management, Monetary, Security, Capability and Vulnerability

27. FIPS 199 is all of the following except:
- Defines the security categories, security objectives, and level of impact to which SP 800-60 maps information types.
- Standards for Security Categorization of Federal Information and Information Systems
- Guide for Mapping Types of Information and Information Systems to Security Categories
- Establishes security categories based on the magnitude of harm expected to result from compromises

28. The policy and procedures for breach notification are mandated in which reference?
- The Privacy Control Catalog and the Information Security Program Plan
- Security Control Catalog and the Privacy Control Catalog
- OMB Memorandum and the Security Control Catalog
- Privacy Control Catalog and OMB Memorandum

29. At what point is risk completely eliminated?
- Risk can never be eliminated. There will always be residual risk
- When a security control is applied
- When a compensating control is applied
- When a control enhancement is applied

30. Security categorization conducted in accordance with FIPS 199 provides for what degree of impact analysis using the high water mark concept?
- Predicated-case
- Best-case
- Worst-case
- Average-case

31. ______ activities should also be applied throughout the information system development life cycle.
- Risk management
- Vulnerability Management
- Compliance Management
- Authorization to Operate

32. As defined by NIST SP 800-53A, assessment cases for conducting security control assessments have which logical flow?
- Assessment procedures, assessment objectives, assessment objects, which are evaluated using assessment methods.
- Assessment objects dictate assessment methods, which then leverage assessment objectives or procedures.
- Assessment objectives, assessment procedures, assessment objects, which are evaluated using assessment methods.
- Assessment methods, which dictate assessment procedures, assessment objectives, and assessment objects.

33. In cases where robust continuous monitoring has been implemented, the authorization decision document termination date may have the following value:
- The termination date would be annual instead of three years
- The termination date is no longer required to be annotated
- Any date range, but must be within three years as required by FISMA
- The date can be extended to five years but only when robust continuous monitoring is applied to the system

34. A risk assessment can be started when?
- After the RMF starting point is accounted for
- After the system has been registered
- After the information types and system have been categorized
- After the system boundary has been established

35. How often is a Security Assessment Report (SAR) updated and why?
- On an ongoing basis whenever changes are made, and incrementally versioned
- Annually as determined by the agency, and incrementally versioned
- Annually as determined by FISMA and OMB memorandum
- Every three years to incorporate all updated changes, and rename it

36. ______: protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security
- Countermeasures
- Adequate Security
- Safeguards
- Protection

37. ______ includes the people, processes, and information technologies (i.e., system elements) that are part of each system supporting the organization's missions and business functions.
- Authorization Boundary
- Authorization Association
- Authorization to Operate (ATO)
- Authorization Model

38. According to NIST SP 800-37 Rev. 2, ______ is the starting point and is incorporated into the RMF process to achieve a more effective, efficient, and cost-effective execution of risk management processes.
- Implementation Phase
- Monitoring
- Security Control
- Categorize
- Prepare Step

39. A privacy impact assessment (PIA) is required when?
- Later in the RMF, Task 2.2
- Only when the system will incorporate privacy information
- Before a system enters the development phase of the SDLC, when privacy information will be incorporated
- When the information system owner determines that it is required

40. Any telecommunication or information system that is defined as a national security system that processes any information, the loss, misuse, disclosure, or unauthorized access to or modification of which would have a debilitating impact on the mission of an agency, is said to be:
- Mission Critical
- Management Impact
- Mission Impact
- Critical Mission Impact

41. What is the function of RMF Task 6-6, and what primary roles exist?
- Risk determination and acceptance, accomplished by AO and DR
- Risk acceptance, accomplished by AO and DR
- Risk determination, accomplished by the AO and DR
- Risk determination and acceptance, accomplished by the AO

42. ______ is a safeguard or countermeasure for an information system that is primarily implemented and executed by the information system through mechanisms contained in the hardware, software, and firmware components of the system.
- Security Controls
- Security Plan
- Security and Compliance model
- Security Assessment

43. The security control analysis results and recommended corrective actions are contained in:
- Security Assessment Report
- System Security Plan
- Plan of Action and Milestones
- Security Assessment Report and Plan of Action and Milestones

44. All of the following are correct except:
- A high-impact system is an information system in which at least one security objective is high.
- A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate.
- A low-impact system is an information system in which all three of the security objectives are low.
- A medium-impact system is an information system in which all three of the security objectives are low or medium high.

45. ______ is a formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
- Security Assurance Book (SAB)
- System Security Plan (SSP)
- Contingency Planning (CP)
- System of Record

46. The NIST Cybersecurity Framework includes the following stages or steps:
- Monitor, Disaster, Forensic, Management and Assessment
- Select, Implement, Protect, Code, and Deploy
- Categorize, Build, Code, Testing, Deploy and Monitor
- Identify, Protect, Detect, Respond and Recover

47. Security assessments are used to determine whether a security control demonstrates which of the following?
- The control exhibits traceability to the security design.
- The control was implemented correctly, operating as intended, and producing the desired outcome.
- The Security Control Assessors cannot recommend an improvement in the security control.
- It exactly meets the security control assessment method.

48. ______ is considered a type of security assessment.
- Independent audit or inspection
- Self-assessment by information system owner and common control provider
- All of the above
- Independent Assessment
- Independent verification and validation

49. What is the role of the Common Control Provider (CCP) in RMF Step 2?
- None, because the common controls are not defined before RMF Step 3
- Primary, because the common control system includes an information type
- None, because the common control system generally does not incorporate an information type
- The organization defines the role for the common control provider, which is identified in the Information Security Program Plan, as shown as PM-1

50. Before an AO issues a rescission letter, which two NIST roles should the AO consult with?
- CIO and CISO
- CISO and RE
- CIO and RE
- CISO and ISO

51. All of the following are correct except:
- Penetration Testing is a test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.
- Quantitative Risk Assessment is the use of a set of methods, principles, or rules for assessing risk based on numeric categories or levels.
- Security Assessment Plan is the objective for the security control assessment and a detailed road map of how to conduct such an assessment.
- Assessment Object is a set of determination statements that expresses the desired outcome for the assessment of a security control, privacy control, or control enhancement.

52. The two principal references that are used to categorize information systems are:
- NIST SP 800-60 and FIPS 199
- NIST SP 800-62 and NIST SP 800-60
- FISMA and FIPS 200
- NIST SP 800-59 and FIPS 200

53. The Risk Management Framework includes these phases or stages:
- Configuration, Coding, Monitoring, Testing, Deployment
- Planning, Organizing, Implement, Vulnerability, Assess, Produce
- Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
- Select, Control, Managed, Assess, Authorize, Monitor

54. Risk assessment and risk determination include, in the proper order:
- Threat, probability, impact, and vulnerabilities
- Probability, threat, vulnerabilities, and impact
- Vulnerabilities, threat, probability, and impact
- Threat, vulnerabilities, probability, and impact

55. The two primary roles defined in RMF Step 2 are:
- Chief Information Officer (CIO) and Chief Information Security Officer (CISO)
- Information System Owner (ISO) and Information Owner (IO)
- Authorizing Official (AO) and Information System Owner (ISO)
- Information System Owner (ISO) and Information System Security Officer (ISSO)

56. Who has primary responsibility to prepare the plan of action and milestones (POAM) based on the findings and recommendations identified in the SAR?
- Information System Security Officer
- Risk Executive
- Chief Information Security Officer
- Common Control Provider

57. The purpose of the ______ is to determine the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems.
- Select Step
- Operation and Maintenance Step
- Categorize Step
- Risk Management Step

58. The key RMF roles include:
- Customer Service Representative, Manager, System Administrator, Security Engineer, HR Director, Communication Director, Director of Finance
- Accountant, CRM, Vulnerability Manager, Security Assessor, President, Managing Director
- Authorizing Official, Information System Owner, Information System Security Officer, Common Control Provider, Information Owner/Steward, Security Control Assessor, Chief Information Officer, Risk Executive, Authorizing Official Designated Representative
- System Owner, Manager, Director, Customer Advocate, Control Assessor, Chief Security Officer, Security Architect

59. ______ is a document that identifies tasks that need to be accomplished and describes the resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for milestones.
- POAM (Plan of Action and Milestones)
- Penetration Testing
- Security Assessment
- Vulnerability Management

60. The following are assessment tasks that need to be performed in sequential order (Task 1 through Task 5). Choose all that apply.
- Assess the controls in accordance with the assessment procedures described in assessment plans.
- Select the appropriate assessor or assessment team for the type of control assessment to be conducted.
- Develop, review, and approve plans to assess implemented controls.
- Categorize the system to determine the security objectives using FIPS 199 and NIST 800-53.
- Prepare the assessment reports documenting the findings and recommendations from the control assessments.
- Conduct initial remediation actions on the controls and reassess remediated controls.

61. The purpose of the implementation step is to implement the controls in the security and privacy plan for the system and for the organization to document in a configuration the specific details of the control implementation.
- False
- True
- Compliance
- Assessment

62. ______ is a safeguard or countermeasure designed, built or embedded into the system to minimize security risk.
- Security Assurance
- Pentest
- Protection Activity
- Security Control

63. The risk management process comprises which four components?
- Formulation, Assess, Respond, Monitor
- Plan, Do, Check, Act
- Frame, Action, Respond, Manage
- Frame, Assess, Respond, Monitor

64. RMF Task 6-7 is associated with what System Development Life Cycle (SDLC) phase?
- Disposal
- Removal
- Operation and Maintenance
- System Shutdown

65. ______ is conducted throughout the System Development Life Cycle but more significantly at these phases: the Development/Acquisition and Implementation phases and the Operations and Maintenance phase of the life cycle.
- Operation Management
- Vulnerability Scan
- Penetration Testing
- Security Assessment

66. Security controls can be designated as the following except:
- System Specific Controls
- Hybrid Controls
- Common Controls
- Assurance Controls

67. A well-designed and well-managed continuous monitoring program can effectively transform which area?
- System log collection
- Security control selection
- Risk determination processes
- Dynamic security control assessments

68. ______ are controls that are inheritable by one or more outside organizational information systems or programs:
- Management Controls
- Security Controls
- Inherited security controls
- Vulnerability Scan

69. The following are the major types of security control:
- Technical, Operational, Management
- Technological, Operability, Ministerial
- Technical, Operate, Mechanical
- Mechanical, Obstructional, Technical

70. Vulnerabilities could result from:
- Vulnerability Testing
- Baseline Misconfigurations
- Penetration Testing
- Software Flaws

71. A moderate common control system can be used to protect a high system if specific tailoring is applied, and the information system owner determines that tailoring achieves the minimum assurance requirement.
- True
- False
- Somewhat
- Not Sure

72. What system impact level is defined as "The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, assets, or individuals"?
- Low
- Moderate
- Adequate
- Very High

73. The possibility or likelihood of a threat exploiting a vulnerability, resulting in a loss, damage or destruction of an asset, is called:
- Assessment
- Compromise
- Penetration Testing
- Risk

74. Common controls can be based on, and incorporated from, which security control classes?
- Management, Operational and Technical
- Operational, Technical and Logical
- Administrative, Technical and Physical
- Management, Operational and Logical

75. ______ is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- Information Assurance
- Information Protection
- Information System
- Information Security

76. ______ describes the specific measures planned to correct identified weaknesses or deficiencies in the security controls and to address known vulnerabilities in the information system.
- POAM
- Assessment
- Management
- Vulnerability

77. The primary reference used to create a System Security Plan (SSP) is:
- NIST SP 800-15
- NIST SP 800-39
- NIST SP 800-18
- NIST SP 800-37

78. Assessment objects include specifications, mechanisms, activities and:
- Individuals
- Policies
- Configurations
- Directives

79. ______ and ______ are responsible for security control assessment.
- Information System Owner and Authorizing Official
- Information System Owner and Common Control Provider
- Information System Owner and Information Owner
- ISSO and CIO

80. Who is responsible for ensuring that the security controls are adequate to protect all agency systems, and for providing an annual FISMA report to OMB and Congress?
- Chief Information Officer
- Chief Information Security Officer
- Head of Agency
- Risk Executive

81. Conditions that may warrant a formal re-authorization include (Choose all that apply):
- Authorization period has expired (3 years maximum)
- Change of the Authorizing Official
- Modification or configuration changes
- New or upgraded components
- Multitasking
- Modifications of Security Controls

82. ______ are hardware, software, or firmware safeguards and countermeasures employed within an information system.
- Vulnerability Management
- Security and Compliance
- Mechanisms
- Information System

83. The three types of authorization approaches include:
- Internal, External, Cloud
- Single, Multiple, Leveraged
- Single, Multiple, Joint
- Single, Joint, Leveraged

84. All of the following considerations or requirements are correct except:
- Determining the impact of loss on confidentiality, integrity and availability is never a consideration for the selection of the security control baseline.
- For low-impact information systems, organizations must select, at a minimum, security controls from the low baseline of security controls defined in NIST Special Publication 800-53.
- For high-impact information systems, organizations must select, at a minimum, security controls from the high baseline of security controls defined in NIST Special Publication 800-53.
- For moderate-impact information systems, organizations must select, at a minimum, security controls from the moderate baseline of security controls defined in NIST Special Publication 800-53.

85. The primary references for RMF Step 6 are:
- SP 800-37 and SP 800-39
- SP 800-53A and SP 800-115
- SP 800-39 and SP 800-53
- SP 800-37 and SP 800-53A

86. The selection of security controls is contingent on the ______ completed at RMF Step 2.
- Security Categorization
- SDLC
- Security Assessment
- Management Controls

87. For partial assessments, information system owners and common control providers collaborate with organizational officials that have an interest in the assessment. The selection of security controls depends on the continuous monitoring strategy established by the information system owner or common control provider to ensure that (1) items on the plan of action and milestones (POAM) receive adequate oversight; (2) controls with greater volatility or importance to the organization are assessed more frequently; and:
- The Risk Executive remains informed about those security controls that are still deemed to be effective.
- Control implementations that have changed since the last assessment are re-evaluated.
- Most of the controls are assessed during the authorization period established by federal legislation, policies, direction, standards, and guidelines.
- Controls that have changed since the last assessment and are not assessed during the current assessment are properly documented for the Authorizing Officials.

88. Security commensurate with the risk and the magnitude of harm resulting from loss, misuse, or unauthorized access to or modification of information is known as:
- Risk
- Impact
- Adequate Security
- Minimum Security Requirement

89. The ______ establishes the scope of protection for an information system (i.e., defines what the organization wants to protect under its direct management or within the scope of its responsibilities).
- Authorization Boundary
- Risk Assessment
- Penetration Testing
- System Categorization

90. Which of these statements is incorrect?
- System Specific Controls are implemented at the system level and are not inherited by any other information system.
- Common Controls are inherited by multiple information systems or programs.
- Hybrid Controls are implemented for an information system in part as a common control and in part as a system specific control.
- A Security Control cannot be a common control among disparate systems.

91. ______ are document-based artifacts (e.g., policies, procedures, plans, system security and privacy requirements, functional specifications, architectural designs) associated with an information system.
- Assessment
- Specifications
- Objective
- Interview

92. The security control tailoring process includes scoping considerations, compensating controls, organization-defined parameters, and:
- Identifying and designing common controls and providing additional specification information for control implementation if needed.
- Supplementing baselines and providing additional specification information for control implementation if needed.
- Identifying and designating common controls and supplementing baselines.
- Identifying and designating common controls, supplementing baselines, and providing additional specification information for control implementation if needed.

93. An Information Type is defined as:
- Those information types listed in FIPS 199
- The specific category of information defined by an organization or a specific law
- Either a major application or general support system
- A business reference model (BRM) category

94. The authorization to operate (ATO) is the official management decision to formally accept risk and authorize operation of an information system.
- False
- Most Likely
- True
- Not Sure

95. A repeatable and documented security assessment methodology is beneficial in that it can: (1) provide consistency and structure to security testing, which can minimize testing risks; (2) expedite the transition of new assessment staff; and:
- Provide a guarantee of security control effectiveness
- Improve the ability of security controls to demonstrate control effectiveness
- Eliminate the need for periodic assessment testing
- Address resource constraints associated with security assessment

96. The two pillars of continuous monitoring are:
- Monitoring for change and security control effectiveness
- Ongoing authorization and security control effectiveness
- Ongoing authorization and near real-time risk management
- Near real-time risk management and security control effectiveness

97. Which RMF role has the statutory authority to assume responsibility for accepting organizational risk and can also authorize a system to operate (ATO)?
- System Owner (SO)
- Chief Information Officer (CIO)
- Authorizing Official Designated Officer
- Authorizing Official (AO)

98. The types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment are called:
- Assessment Objectives
- Assessment Mechanism
- Assessment Method
- Assessment Object

99. Organizations prepare for and manage risk at all levels (Organization, Mission/Business and Information System) of the organizational hierarchy due to the following, except:
- No organizational level is immune to risk
- Risk is only present at the information system level
- Risk is present at all three levels or tiers of the organization
- Risk Management is an enterprise-wide program

100. ______ is defined as the security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).
- Management Control
- Privacy Control
- Technical Control
- Operational Control

101. The generalized format for expressing the security category, or SC, of an information type is:
- SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
- SC information type = {(confidentiality, Managed), (integrity, impact), (availability, impact)}
- SC information type = {(confidentiality, Remediated), (integrity, Fix), (availability, impact)}
- SC information type = {(confidentiality, Moderate), (integrity, Moderate), (availability, Moderate)}

102. Security and privacy assessments at the operations and maintenance phase of the life cycle ensure that security and privacy controls continue to be effective in the operational environment and can protect against constantly evolving threats.
- False
- Maybe
- Not Sure
- True

103. System Development Life Cycle stages include the following:
- Development/Acquisition
- Implementation
- Initiate
- Disposal
- Operation/Maintenance

104. The Risk Assessment process includes (Choose all that apply):
- Control Recommendation
- Risk Determination
- Threat Impact Analysis
- Control Analysis
- Vulnerability Documentation
- Likelihood Determination

105. ______ could be a weakness in the hardware, the software, the configuration, or even the users operating the system.
- Management
- Vulnerability
- Compliance
- Assessment

106. The purpose of the Assess Step is to determine if the controls selected for implementation are ______, ______, and ______ with respect to meeting the security and privacy requirements for the system.
- Operating as intended
- Durability and Scalability
- Producing the desired outcome
- Implemented correctly

107. At the ______, security assessments are conducted to ensure that important organizational information is purged from the information system prior to disposal.
- Acquisition/Development Phase
- End of System Life Cycle
- Operation/Maintenance Phase
- Implementation Phase

108. The organization's overall strategy for communicating organizational risk identified through continuous monitoring results would be contained in the:
- Information Security Program Plan
- Risk assessment policy and procedures
- Continuous Monitoring Strategy
- Risk Management Strategy

109. What are the NIST Special Publications that guide the selection of security controls?
- NIST SP 800-60 and FIPS 200
- NIST SP 800-18 and FIPS 199
- NIST SP 800-53 and FIPS 200
- NIST SP 800-47 and FIPS 199

110. ______ are the security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
- Management Controls
- Technical Controls
- Privacy Controls
- Operational Controls

111. The minimum security controls required for safeguarding an information technology system based on its defined impact levels for confidentiality, integrity and availability are known as:
- Sufficient Security
- Necessary Security
- Adequate Security
- Baseline Security

112. The potential impact is ______ if the loss of confidentiality, integrity or availability could be expected to have a serious or significant adverse effect on organizational operations, organizational assets or individuals, other organizations and/or the Nation.
- Very High
- Moderate
- High
- Medium

113. Information system registration is completed by:
- The CISO, who maintains the registry
- The Information Security Architect, who manages the information system inventory and registry
- The CIO, after reviewing and approving the system registration
- The Information System Owner, assisted by the Information System Security Officer

114. Once a system is authorized to operate, who is ultimately responsible for ensuring that the system continues to operate in accordance with the terms and conditions?
- Authorizing Official Designated Representative
- Both the Information System Owner and the Authorizing Official
- Authorizing Official
- Information System Owner

115. ______ is a requirement levied on an information system that is derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure
- Countermeasure
- Assurance
- Security Requirement
- Adequate Security

116. According to NIST SP 800-37 Rev. 2, the RMF incorporates privacy risks, i.e., Personally Identifiable Information (PII), and supply chain risk.
- Compliance
- Not Sure
- True
- False

117. NIST SP 800-53 defines how many security control families without adding in the Privacy Controls?
- 17 Control Families
- 16 Control Families
- 18 Control Families
- 22 Control Families

118. Establishing an appropriate security category for an information type simply requires determining the potential impact for each security objective associated with the particular information type.
- False
- Independently
- Not Sure
- True

119. Assessment objects identify the specific items being assessed and include specifications, mechanisms, activities, and individuals (AIMS).
- Not Sure
- False
- True
- POAM

120. In RMF Task 6-4, the focus is on which document(s)?
- System Security Plan
- System Security Plan, Security Assessment Report, and Plan of Action and Milestones
- Security Assessment Report
- Plan of Action and Milestones

121. ______ is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
- Information System
- Confidentiality
- Information Security
- Authentication

122.
Beyond NIST SP 800-37, the primary references used for RMF Step 5 (Assessment) are: NIST SP 800-53A and NIST SP 800-115 NIST SP 800-47 and NIST SP 800-53A NIST SP 800-53 and NIST SP 800-37 NIST SP 800-39 and NIST SP 800-53 123. Implementation detail addresses………………… (choose from the options below) Why, when, whereabout, system owner Where, how, why and how Who, What, When and how You, who, how and Solution 124. All the following are correct except: The authorizing official Designated Representative is explicitly responsibility for the acceptance of risk and cannot be delegated to other officials in an organization. The authorization package provides a record of the results of the control assessments and provides the authorizing official with the information needed to make a risk-based decision on whether to authorize the operation of a system. The system owner or common control provider is responsible for the development, compilation, and submission of the authorization package. Balancing security and privacy considerations with mission and business needs is vital to achieving an acceptable risk-based authorization decision. 125. In RMF Step 4, what system Development life Cycle (SDLC) phase(s) is/are valid? Development/Acquisition Implementation and Operation and Maintenance Development/Acquisition and Implementation Implementation 126. ______________ is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability (exploit a weakness or vulnerability to obtain, damage or destroy an asset). Vulnerability Threat Probability Contingency 127. According to the NIST SP 800-37 revision II, Risk Management Framework has 7 distinct phases or stages. What is the proper order of progression through the cyclical process? Prepare for Risk Management Development/Acquisition Categorize Information System Implement Security Controls Assess Security Controls Authorize Information System Monitor Security Controls 128. 
Categorization of the Information and Information System is one of the most crucial step and if done incorrect and the system is not categorized appropriately, every proceeding step may suffer from the decisions made at the categorization step. Somewhat Yes (True) No (False) Not Sure 129. Plan of action and milestone includes all of the following except: Source that identify the weakness Enhancements Milestone changes Schedule completion date Key milestones with completion dates Estimated funding to address the weakness Status Types of weakness Responsible office or organization 130. The following are types of personally Identifiable Information (PII) – (choose all that apply) Mother’s Maiden Name Date and Place of Birth Phone number Address Social Security Number Name 131. Nist SP 800-55 defines performance management criteria, which translate into key performance indicators (KPI) using what evaluation criteria? Measures of compliance, measures of efficiency, and impact measures Measures of effectiveness, measures of efficiency, and measures of compliance Measures of effectiveness, measures of efficiency, and impact measures Measures of compliance, measures of effectiveness, and impact measures. 132. The potential impact is _________________if the loss of confidentiality, integrity or availability could be expected to have limited adverse effect on organization operation, organization assets or individuals, other organization and/or the Nation. Very High Low High Moderate 133. Supply chain (Privacy) threat events may rang from insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware. False Somewhat Not Sure True 134. The authorization to operate (ATO) is the official management decision to formally accept risk and authorized operation of an information system. Who is responsible to issue the ATO? 
Authorizing Official Information System Owner Authorizing Official Designated Representative Chief Information Security Officer 135. Security control effectiveness is determine based on an evaluation of: Management, Operational and Technical controls demonstration that the control was implemented correctly, operating as intended and producing the desired outcomes. Management, Operational and Logical controls 136. You have just completed a System Impact Analysis. What are the next RMF Task and applicable System Development Life Cycle (SDLC) phase? Task 6-1 and the Operation and Maintenance Phase Task 6-1 and the implementation phase Task 6-2 and the Operation and Maintenance Phase Task 6 -2 and the implementation Phase 137. Security and Privacy Controls have the following structure except: Control enhancements section References section Authorization section Base control section Supplemental guidance section Related controls section 138. –—————– Indicates that the security control addresses the determination statement and the evidence collected indicates the assessment objective for the control has been met, producing a fully acceptable result. Operation Satisfied (S) Compliance Other Than Satisfied (O) 139. ——- is the guide for Mapping Types of Information and Information Systems to Security Categories. NIST SP 800-37 NIST SP 800-62 NIST SP 800-60 NIST SP 800-53 140. The terms and conditions for the common control authorization provide a description of any specific limitations or restrictions placed on the operation of the system or the controls that must be followed by the system owner or common control provider. False True Most Likely Not Sure Loading …
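The SC format in question 101 is only the first half of categorization: a system processes several information types, and FIPS 199 derives the system category by taking the high-water mark for each security objective across those types (with LOW as the floor, since no system objective may be rated below LOW), and FIPS 200 then takes the high-water mark across the three objectives to pick the control baseline. The following is an added example, not part of the practice test or of any NIST publication; the information types and impact values in it are constructed for illustration and are not SP 800-60 provisional values.

```python
"""FIPS 199 style security categorization with the high-water mark.

Added example; not part of the practice test. The information types and
impact values below are constructed for illustration, not SP 800-60 values.
"""

OBJECTIVES = ("confidentiality", "integrity", "availability")

# Rank of each impact value. FIPS 199 permits "N/A" only for the
# confidentiality of an information type (e.g. public information); it ranks
# below LOW so it never raises a roll-up.
RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}


def validate_info_type(name, sc):
    """Reject a malformed security category before it pollutes the roll-up."""
    for objective in OBJECTIVES:
        if objective not in sc:
            raise ValueError(f"{name}: missing {objective}")
        level = sc[objective]
        if level not in RANK:
            raise ValueError(f"{name}: unknown impact value {level!r} for {objective}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{name}: N/A is only permitted for confidentiality")


def high_water_mark(levels):
    """Return the highest impact value among the given values."""
    return max(levels, key=RANK.__getitem__)


def system_category(info_types):
    """Roll up information-type categories to the information system category.

    For each objective the system value is the high-water mark across all
    information types, floored at LOW: an information system is never
    categorized below LOW for any objective, even when every information type
    it processes is N/A for confidentiality.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for name, sc in info_types.items():
        validate_info_type(name, sc)
    return {
        objective: high_water_mark(["LOW"] + [sc[objective] for sc in info_types.values()])
        for objective in OBJECTIVES
    }


def overall_impact_level(system_sc):
    """FIPS 200 overall impact level: high-water mark across the three objectives."""
    return high_water_mark(system_sc.values())


def format_sc(name, sc):
    """Render a category in the generalized SC format from question 101."""
    inner = ", ".join(f"({objective}, {sc[objective]})" for objective in OBJECTIVES)
    return f"SC {name} = {{{inner}}}"


# Constructed example information types (illustrative values only).
EXAMPLE_INFO_TYPES = {
    "public web content": {"confidentiality": "N/A", "integrity": "MODERATE", "availability": "LOW"},
    "personnel records": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "incident tickets": {"confidentiality": "LOW", "integrity": "LOW", "availability": "MODERATE"},
}

if __name__ == "__main__":
    for name, sc in EXAMPLE_INFO_TYPES.items():
        print(format_sc(name, sc))
    sys_sc = system_category(EXAMPLE_INFO_TYPES)
    print(format_sc("example system", sys_sc))
    print("Overall impact level (FIPS 200 baseline):", overall_impact_level(sys_sc))
```

Run as a script it prints each information type's SC, then the system SC, which for the constructed input is MODERATE for all three objectives, so the FIPS 200 baseline is MODERATE even though no single information type is MODERATE for availability together with confidentiality. The floor at LOW matters for systems that hold only public information: confidentiality N/A at the information-type level still becomes LOW at the system level.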