(ISC)2 CAP EXAMS
A. Development/Acquisition B. Planning C. Designing D. Initiation The Information Technology (IT) manager is responsible to the Information Officer for the implementation of Role Based Access Control (RBAC) assigned divisional resources. Specifically, the IT manager must facilitate Identity and Access Management (IAM) for configured assets. Which System Development Life Cycle (SDLC) phase will enable the system security officer to verify accountability and authentication of these implemented safeguards?
A. Development/Acquisition
A. Direct management control B. Cost of security authorization C. Network topography and complexity D. Interconnection Security Agreement (ISA) What is considered when establishing a system authorization boundary?
A. Direct management control
A. Enterprise architecture B. Originaldesign specification C. Disaster Recovery (DR) procedures D. Security authorization Process The baseline configuration of an information system should be consistent with the
A. Enterprise architecture
A. The security controls to be monitored, the frequency of monitoring , and the weakness mitigation strategy B. The volatility of specific security controls, the frequency of monitoring , and the vulnerability scanning approach C. The security controls to be monitored, the frequency of monitoring, and the control assessment approach. D. The security documentation to be updated, the frequency of updates , and the approval process The organizational and system monitoring strategies identifies 80. An effective continuous monitoring
C. The security controls to be monitored, the frequency of monitoring, and the control assessment approach.
A. Risk assessment B. Privacy threshold Analysis (PTA) C. Impact level determination D. Vulnerability scanning What activity MUST be completed before the System Owner (SO) considers the minimum security requirement of the system?
C. Impact level determination
If the protection offered by a common control proves to be unacceptable or insufficient, how can the problem be corrected? A. Revise the control to make it system specific B. Perform a second vulnerability Scan C. Implement supplementary Controls D. Inform the Common Control Provider (CCP)
C. Implement supplementary Controls
A. Implements an incident handling capability for security incidents B. Employs automated mechanisms to test the incident handling response capability C. Incorporates simulated events into incident response training D. Tracks and documents system security incidents on a quarterly basis The assessment effort for effective incident handling MUST include the determination that an organization
C. Incorporates simulated events into incident response training
A. Mission and business B. Organization-wide C. Information system (IS) D. Enterprise-wide The organization has implemented a project to move the physical servers to virtual machines (VM) over the next year. Which risk perspective addresses this project?
C. Information system (IS)
Which of the following BEST describes a government -wide standard for security Assessment and Authorization (A&A), and continuous monitoring for cloud products and services, which is mandatory for federal agencies and Cloud Services Providers (CSP)? A. Federal Risk and Authorization Management Program ( FedRAMP) B. National Institute of Standards and Technology (NIST) C. Federal Information Technology Acquisition Reform ACT (FITARA) D. National Cyber Security Program (NCSP)
A. Federal Risk and Authorization Management Program ( FedRAMP)
A. It is difficult for developers to build in security controls for individual applications B. Costs are increased in the Security Assessment and Authorization (A&A) activities C. Depth of analysis required is increased during the security Assessment and Authorization (A&A) D. Consistent application of security across the organization is enabled From an organizational viewpoint, what effect does the designation of some security controls as common controls have?
D. Consistent application of security across the organization is enabled
A. Risk avoidance B. Risk mitigation C. Risk tolerance D. Risk transfer A key part of the risk decision process is the recognition that, regardless of the risk response, there typically remains a degree of residual risk. On what basis an organization determine the acceptable degrees of residual risk?
C. Risk tolerance
During the assessment of a new system, the System Owner (SO) mentioned that if unauthorized modification or destruction of medical information in the system occurred, it could result in potential loss of life because the system is the authoritative source of information about patient healthcare records including current and previous medications and ongoing medical procedures. Which of the following is the BEST Security Categorization (SC) for the information type? A. SC medical information = ( confidentiality , MODERATE), ( integrity, LOW), (availability, LOW) B. SC medical information = ( confidentiality , MODERATE), ( integrity, MODERATE), (availability, MODERATE) C. SCmedical information = ( confidentiality , MODERATE), ( integrity, HIGH), (availability, HIGH) D. SC medical information = ( confidentiality , MODERATE), ( integrity, MODERATE), (availability, HIGH)
C. SCmedical information = ( confidentiality , MODERATE), ( integrity, HIGH), (availability, HIGH)
A. Security Plan (SP) B. Risk assessment C. Security Control Assessment (SCA) D. Requirements traceability Matrix (RMT) Which of the following is the principal vehicle used to verify that Information Systems (IS) are meeting their stated security goals and objectives?
C. Security Control Assessment (SCA
What is the PRIMWhat is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy?ARY goal of an Information Security Continuous Monitoring (ISCM) strategy? A. Create expedited assessment process for cost savings. B. Maintain visibility of an organization's high-cost controls. C. Support organization risk management decisions. D. Assess the organizational tiers
C. Support organization risk management decisions.
A. Determination of the residual risk B. Security Control Assessment (SCA) plan C. System Security Plan (SSP) and Concept of Operations (CONOPS) D. Recommendations for correcting deficiencies The final Security Assessment Report (SAR) should contain which of the following
D. Recommendations for correcting deficiencies
A. Implementation of the United States Government Configuration Baseline (USGCB) B. Adherence to the organization's approved enterprise architecture C. Documenting the functional security baseline configuration D. Reporting of security and privacy posture to organizational officials An effective continuous monitoring strategy includes which of the following?
D. Reporting of security and privacy posture to organizational officials
A. AuthorizingOfficial (AO) and Information System Security Officer (ISSO) B. Authorizing Official (AO) and Senior Information Security Officer (SISO) C. Security Control Assessor (SCA) and risk executive D. Security Control Assessor (SCA) and Information System Security Officer (ISSO) Who has the authority to divide a complex system in order to establish realistic security authorization boundaries?
B. Authorizing Official (AO) and Senior Information Security Officer (SISO)
A. Identify false negative findings B. Categorize vulnerabilities C. Determine threats to the system D. Validate the system boundaries One of the PRIMARY goals in conducting analysis of the test results from a scan during the Security Control Assessment (SCA) is to
B. Categorize vulnerabilities
A. Baseline and tailoring B. Tailoring and scoping C. Compensating controls D. Baseline and scoping An organization's Information System (IS) is categorized as a high-impact system. The organization's architecture does NOT support wireless connectivity. The initial security control baseline requires the organization to implement AC-1B: wireless Access. What process can the organization implement to eliminate this unnecessary control?
B. Tailoring and scoping
A. That exists before the implementation of security controls. B. That exists after the implementation of security controls. C. Introduced by the implementation of security controls. D. Introduced by implementing security controls Residual risk can be categorized as risk
B. That exists after the implementation of security controls.
Which of the following documents provides a functional description of the Information System's (IS) control implementation? A. Security and Privacy assessment reports B. Security and Privacy Plans C. Plans of Action and Milestones (POA&M) D. Risk Assessment Report ( RAR)
Security and Privacy Plans
A. Access Control B. System and Information Integrity C. Audit and Accountability D. Identification and Authentication The Least Privilege security control is a member of which control family?
A. Access Control
A. Appropriate weight to mission and security requirements. B. Greater weight to mission requirements than security requirements. C. Appropriate weight to system performance and security requirements D. Greater weight to security requirements than performance requirements. Determining the level of acceptable risk associated with the operation of an Information System (IS), organization shall give
A. Appropriate weight to mission and security requirements.
Which of the following is an example of the test assessment method? A. Conducting a vulnerability scan on web applications B. Reading vulnerability scan policies and procedures C. Asking administrators about the scanning process D. Reviewing the most recent scan reports
A. Conducting a vulnerability scan on web applications
The potential impact value "not applicable" applies to which of the following security objectives A. Confidentiality B. Availability C. Integrity D. Non-repudiation
A. Confidentiality
A. Independent B. Isolated C. Influenced D. Reliant Security controls are designed to be technology and implementation
A. Independent
A. It provides a detailed roadmap for how to conduct the assessment. B. It provides an assessment process for the integration of software and hardware C. It describes how to verify the change control and Configuration Management (CM) practices. D. It ensures that changes made during system development are included in security assessments. Which of the following BEST describes the objective of the Security Assessment Plan (SAP)?
A. It provides a detailed roadmap for how to conduct the assessment.
A. Manage and track the system B. Determine security categorization C. Set security authorization boundaries D. D. Initiate the risk management process An Information System (IS) is registered with appropriate program/management offices in order to
A. Manage and track the system
A. Memorandum of Understanding (MOU) B. Memorandum of Agreement (MOA) C. Reciprocity D. Reuse Which of the following is the mutual agreement among participating organizations to accept one another's security assessments in order to reuse system resources or to accept each other's assessed security posture in order to share information?
A. Memorandum of Understanding (MOU)
A. Monitor for unauthorized access B. Prevent Denial of Service (DoS) conditions. C. Not broadcast the Service Set Identifier (SSID). D. Increase monitoring for non-wireless networks. When implementing a control on wireless access, the organization MUST do which of the following?
A. Monitor for unauthorized access
When a system contains Personally Identifiable Information (PII) what additional action MUST be performed related to the specific system? A. Perform a Privacy Impact Assessment (PIA) B. Develop design documents C. Perform vulnerability scan of the hardware D. Send out a Notice of Privacy Practices (NPP)
A. Perform a Privacy Impact Assessment (PIA)
Which of the following documents is updated when a vulnerability is discovered during continuous monitoring A. Plan of Action and Milestones (POA&M) B. Business Impact Assessment (BIA) C. Security Assessment Report (SAR) D. Incident Response Plan (IRP)
A. Plan of Action and Milestones (POA&M)
What should be included in a functional description of security control implementation? A. Planned inputs, expected behavior, and expected outputs B. Owner, process, and procedures C. Control metrics and monitoring plan D. Planned metrics, expected behavior, and monitoring description
A. Planned inputs, expected behavior, and expected outputs
All Federal agencies are required by federal law to conduct which of the following activities? A. Protect Information Systems (IS) used or operated by a contractor of an agency or other organization on behalf of an agency. B. Coordinate with the National Institutes of Standards and Technologies (NIST) to develop binding operational directives. C. Report the effectiveness of information security policies and practices to the Office of Personnel Management ( OPM) D. Monitor the implementation of information security policies and practices of other agencies to ensure compliance.
A. Protect Information Systems (IS) used or operated by a contractor of an agency or other organization on behalf of an agency.
A. Residual risk of similar systems. B. Impact to mission personnel. C. Impact of environmental factors D. Residual risk of the specific systems. The Authorizing Official (AO) may accept authorization recommendations that are based on the
A. Residual risk of similar systems.
Which document in support of the authorization package defines the well-defined set pf security and privacy controls? A. Security Plan (SP) B. Initial risk assessment C. Security and Privacy assessment reports D. Plan of Action and Milestones (POA&M)
A. Security Plan (SP)
A. Security requirement and specification traceability B. Inclusion of threat and vulnerability pairs C. Organizational risk tolerance D. Control threat assessment What is essential when documenting the implementation of security controls?
A. Security requirement and specification traceability
A. Technical expertise and level of independence B. System knowledge C. Technical expertise and relevant certifications D. Assessor certification Organizations consider which of the following factors when selecting security or privacy control assessors?
A. Technical expertise and level of independence
The Authorization boundary of a system undergoing assessment includes A. The information System (IS) components to be authorized for operation. B. The information (IS) components to be authorized for operation and any outside system it connects to. C. Any components or systems the Information Owner (IO) states should be included in the assessment D. Any components found within the given Internet Protocol (IP) range
A. The information System (IS) components to be authorized for operation.
What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected? A. The remediated controls are reassessed B. The system is given an Authority to Operate (ATO) C. An assessment report is generated. D. The original assessment results are changed
A. The remediated controls are reassessed
A. Threats, impacts, vulnerabilities, likelihood of occurrence, and predisposing conditions B. Threats, impacts, vulnerabilities, risk assessment results, and predisposing conditions C. Threats, impacts, vulnerabilities, likelihood of occurrence, and compliance verification D. Threats, impacts, vulnerabilities, risk assessment results, and compliance verification What factor MUST be analyzed during risk determination activities?
A. Threats, impacts, vulnerabilities, likelihood of occurrence, and predisposing conditions
As part of an annual Federal Information Security Management Act (FISMA) compliance audit, the inspector general security program review has identified vulnerabilities to an Information System (IS) in an operational division, which of the following activities is the MOST likely to occur? A. Update the Plan of Action and Milestones (POA&M) B. Perform additional security scans of systems C. Update the Security Plan (SP) immediately D. D. Revoke the Authorization to Operate (ATO)
A. Update the Plan of Action and Milestones (POA&M)
A. Version control B. Technical control C. Administrative control D. Operational control Which of the following is an essential element when an organization updates its authorization package documents?
A. Version control
Which of the following cannot be delegated by the Authorizing Official (AO)? A. Certificate resources B. Authorization decision C. Acceptance of Security Plan (SP) D. Determination of risk to agency operations
Authorization decision
A. Update the Security Plan (SP) with the CIO's monitoring criteria B. Advise the System Owner (SO) of the CIO's recommendation C. Ignore the CIO's direction because they are inconsistent with Federal Information Processing Standard (FIPS) 199 standards. D. Update the Plan of Action and Milestones (POA&M) with the CIO's direction The Chief Information Officer (CIO) is establishing a policy of monthly assessment for access controls. What is the BEST corresponding action the system security officer should complete?
B. Advise the System Owner (SO) of the CIO's recommendation
The PRIMARY benefit of documenting the control implementation is that it A. Protects the Information Owner/Steward B. Allows traceability of deployment decisions taken C. Supports the Plan of Action and Milestones (POA&M) D. Demonstrates the use of sound information system methodologies
B. Allows traceability of deployment decisions taken
A. Documented in the Security Plan (SP) B. Assessed for the information security and privacy impact C. Documented in the Plan of Action and Milestones (POA&M) D. Implemented once approved by the System Owner (SO) When monitoring controls, changes to the system should be (See question 67)
B. Assessed for the information security and privacy impact
The process of uniquely assigning information resources to an Information System (IS) defines the A. Overall security management program B. Authorization boundary C. Rules of engagement D. Acceptable risk
B. Authorization boundary
A System Owner (SO) is implementing a new system within their existing organization Information Technology (IT) environment. What objectives are considered when determining possible impact to risk? A. Low ,Moderate, and High B. Authentication ,Authorization, and Accountability C. Common, Hybrid, and System-Specific D. Integrity,Confidentiality, and Availability
D. Integrity,Confidentiality, and Availability
A. Completing the Security Plan (SP) B. Conducting the Business Impact Analysis (BIA) C. Developing the Plan of Action Milestones (POA&M) D. Completing the security Requirement Traceability Matrix (RTM) Which of the following is a key step in the overall Contingency planning process?
B. Conducting the Business Impact Analysis (BIA)
What is a KEY consideration when selecting a media sanitization method or destruction tool when decommissioning an Information System (IS)? A. Accountability B. Confidentiality C. Availability D. Integrity
B. Confidentiality
Which of the following is the BEST approach to authorizing operations of complex systems? A. Assuring the system works both in a secure and functional manner B. Decomposing and authorizing the system into multiple subsystems C. Documenting the decomposition of the information in the Security Plan (SP) D. Decomposing the system into smaller subsystems and authorizing them as a single system
B. Decomposing and authorizing the system into multiple subsystems
An organization is developing a risk assessment for a newly installed Information System (IS) to determine the best configuration or a supporting Information Technology (IT) product. Which of the following specific factors is often overlooked in this analysis? A. Exposure of interconnections to organizational core mission functions B. Effectiveness of inherited security controls C. Cost benefits that can be gained from a broad-based security implementation D. Implementation of stove-piped activities that enhance security solutions
B. Effectiveness of inherited security controls
A. For a user to have system access before reviewing the rules B. Ensuring that users submit a formal acknowledgement of the rules C. That testing is conducted in order to validate the rules D. Ensuring that all applicable controls are detailed within the rules In establishing the rules of behavior for a system, which of the following is necessary?
B. Ensuring that users submit a formal acknowledgement of the rules
A. Cost versus benefit B. Function versus security C. Availability versus integrity D. Accountability versus authentication When implementing the organizational disposal process, what factors are considered when making a final decision about sanitization of media?
B. Function versus security
A. System Owner has changed. B. System authorization boundary has changed C. System technical requirements has changed D. System regulatory and legal requirements has changed Organization A has merged with another similar organization, organization B, and has expended the data center operations to include Information Technology (IT) assets from both locations. What is the BEST reason for requiring updated risk assessments?
B. System authorization boundary has changed
A. Risk executive (function) B. Information Owner (IO) C. Authorizing Official (AO) D. System security officer Which of the following roles within the organization is responsible for clearly defining the Impact level of the information the system processes?
B. Information Owner (IO)
For a new system, the controls are selected and the security and privacy plans are written during which System Development Life Cycle (SDLC) phase? A. Development/Acquisition B. Initiation C. Operation/Maintenance D. Implementation/Assessment
B. Initiation
When addressing Configuration Management (CM), why is it MOST important to document the proposed changes? A. It is mandated by the federal Information Security Management Act (FISMA) B. It can affect the overall security and privacy posture of the system C. It is required for authorization to operate D. It will be used across accreditation boundaries
B. It can affect the overall security and privacy posture of the system
A. When time permits B. On an ongoing basis C. When the budget allows it D. After the Security Plan (SP) is updated When should a Plan of Action and Milestones (POA&M) be updated?
B. On an ongoing basis
A. System budget and personnel B. Operations, assets, and individual C. System maintenance and Disaster Recovery (DR) D. Administrative, technical, and operational functions In determining residual risk, an organization considers impact on which of the following?
B. Operations, assets, and individual
A. Organizational security families B. Organizational Information System (IS) C. Information security classes D. Information data categories Common security controls are those that apply to one or more of which of the following?
B. Organizational Information System (IS)
What document is based on the findings and recommendations of the assessment report? A. Security Test Plan ( STP) B. Plan of Action and Milestones (POA&M) C. Security and Privacy Plans D. Configuration Management Plan (CMP)
B. Plan of Action and Milestones (POA&M)
A. Privacy Impact Assessment (PIA) B. Security Categorization C. Risk Assessment D. Contingency Plan (CP) Overlays can be implemented as part of control tailoring after the completion of what process?
B. Security Categorization
A. Security Category Information type = ( Confidentiality ,LOW), (integrity, LOW), (availability MODERATE) B. Security Category Information type = ( Confidentiality ,LOW), (integrity, MODERATE), (availability HIGH) C. C. Security Category Information type = ( Confidentiality ,NOT APPLICABLE), (integrity, LOW), (availability, MODERATE) D. Security Category Information type = ( Confidentiality ,NOT APPLICABLE), (integrity, MODERATE), (availability, HIGH) The Security category of information 1 is determined to be: Security Category Information type = ( Confidentiality ,NOT APPLICABLE), (integrity, MODERATE), (availability, LOW) and the security category of information 2 is determined to be: Security Category information type = ( Confidentiality ,LOW), (integrity, LOW), (availability HIGH) What is the security category for the Information System (IS)?
B. Security Category Information type = ( Confidentiality ,LOW), (integrity, MODERATE), (availability HIGH)
A. Plan of Action and Milestones (POA&M) B. Security and privacy plans C. Continuous monitoring strategy D. Risk AssessmentReport (RAR) Which will an Authorizing Official (AO) find implementation details for a control?
B. Security and privacy plans
A. Risk assessment B. Security categorization C. Vulnerability assessment D. Privacy Impact Assessment (PIA) Which process guides the selection of security controls to ensure adequate security commensurate with the risk of the organization?
B. Security categorization
Which of the following BEST defines the purpose of the security assessment? A. To determine if the remaining known vulnerability pose an acceptable level of risk B. To determine the extent to which the security controls are implemented correctly and operating as intended C. To perform oversight and monitor the security controls in the Information System (IS) D. To perform initial risk estimate and security categorization of the Information System (IS)
B. To determine the extent to which the security controls are implemented correctly and operating as intended
Which is the likelihood that security controls with a low level of volatility will change? A. Likely to change from year to year B. Unlikely to change from year to year C. Likely to change during system upgrades D. Unlikely to change during system upgrades
B. Unlikely to change from year to year
A. An Information Security incident has occurred B. Information types should be reevaluated C. A lack of specified protection D. The contingency plan must be revised What does a finding of "other than satisfied" reflect in an assessment report?
C. A lack of specified protection
In the security and privacy assessment reports, the control assessor identified some weaknesses and proposed initial remediation actions. Based on the identified weaknesses, it is determined that certain findings are inconsequential and present no threat to the organization. Who is PRIMARILY responsible for determining this initial risk response? A. SystemOwner (SO) B. System Security Officer C. Authorizing Official (AO) D. Risk executive (function)
C. Authorizing Official (AO)
In order to receive an Authorization to Operate (ATO), the Plan of Action and Milestones (POA&M) MUST A. Be implemented within 90 days B. Have all vulnerabilities mitigated C. Be implemented after the ATO is granted D. Address the remaining vulnerabilities.
C. Be implemented after the ATO is granted
A. Probability assigned for each threat likelihood examined during initiation B. Cost of remediating the vulnerability and the value of the data C. Value of confidentiality, availability, or integrity of the system concerned. D. Likelihood of a given threat source's attempt to exercise the vulnerability. The determination of risk for a particular threat/vulnerability pair include assessment of the
D. Likelihood of a given threat source's attempt to exercise the vulnerability
A. A vulnerability scan run against system B. Inspector general's Security Assessment Report (SAR) C. Change in Information System Owner (ISO) D. Leave of absence of Authorizing Official (AO) Which of the following triggers a Security Plan (SP) update?
C. Change in Information System Owner (ISO)
Besides the System Owner (SO), what role has the PRIMARY responsibility for implementing the security controls into the security and privacy plans for the Information Systems (IS?) A. SystemSecurity Officer B. System administrator C. Common Control Provider (CCP) D. Information Owner
C. Common Control Provider (CCP)
Configuring an Information System (IS) to prohibit the use of unused ports and protocols A. Helps provide least privilege B. Helps provide least functionality C. Streamlines the functionality of the system D. Violates configuration management best practices
Helps provide least functionality
A. Considers system-specific controls before assigning common controls B. Allows each Information System Owner (ISO) to accept only those common controls that are mission-critical C. Facilitates a more global strategy for assessing those controls and sharing essential assessment results D. Encourages Information System Owners and Authorizing Officials (AO) to complete their initial Security Plan (SP) prior to control assignment An organization-wide approach to identifying common controls early in the Risk Management Framework (RMF) process does which of the following?
C. Facilitates a more global strategy for assessing those controls and sharing essential assessment results
A. Volatile security controls B. High-impact level systems C. High organizational risk tolerance D. Risks in the control assessment What consideration leads to a less frequent assessment and monitoring activity?
C. High organizational risk tolerance
A. A comprehensive control assessment is conducted for the environment. B. The Plan of Action and Milestones (POA&M) is updated to reflect the removal. C. Organizational documentation is updated to reflect the system's removal. D. An updated authorization memo is signed by the Authorizing Official (AO). Which of the following MUST be done when a federal Information System (IS) is removed from service?
C. Organizational documentation is updated to reflect the system's removal.
If an assessment of a common control determines that it is not effective, what documentation is required? A. Letter describing findings sent to system owners using the common control B. Security Plan (SP) addendum for each system using the common control C. Plan of Action and Milestones (POA&M) D. Continuous monitoring plan
C. Plan of Action and Milestones (POA&M)
What is used by System Owners (SO) to establish a disciplined and structured process to monitor the residual risk in the Information Security (IS)? A. Security and privacy assessment reports B. Security and Privacy assessment plans C. Plan of Action and Milestones (POA&M) D. SecurityPlan (SP)
C. Plan of Action and Milestones (POA&M)
Which of the following phases is identified as one of the four Incident Response (IR) phases? A. Initiation Phase B. Reconstitution phase C. Preparation phase D. Activation phase
C. Preparation phase
A. To maintain an up-to-date Configuration Management Plan (CMP) B. To conduct a point-in-time assessment to demonstrate due diligence and compliance C. To determine if the deployed security controls continue to be effective over time D. To validate an Interconnection Service Agreement (ISA) What is the MOST important reason for developing a continuous monitoring strategy?
C. To determine if the deployed security controls continue to be effective over time
A. Information System Security Officer (ISSO) B. System Owner C. Risk executive ( function) D. Authorizing Official (AO) Who is responsible for accepting the risk when a system undergoes a significant change?
D. Authorizing Official (AO)
A. Approval by the system owner. B. Shared security controls costs across agencies' system owners. C. Accept from the Information System Security Officer (ISSO) D. Documenting in a security plan by the Common Control Provider (CCP). Security controls that are shared throughout an organization's enterprise require
D. Documenting in a security plan by the Common Control Provider (CCP).
A. Systems security engineer B. Control assessor C. Information System Owner (ISO) D. InformationOwner/Steward Which role has the PRIMARY responsibility for the documentation of control implementation?
D. InformationOwner/Steward
A. Implement B. Assess C. Select D. Monitor At what point in the Risk Management Framework (RMF) process is a system analyzed for changes that impact the security and privacy posture of the system?
D. Monitor
A. Corrective Action Plan (CAP) B. Mitigation plan C. Monitoring strategy D. Plan of Action and Milestones (POA&M) Which of the following includes the resource required for mitigation?
D. Plan of Action and Milestones (POA&M)
A. Risk Assessment (RA) B. Risk management strategy C. Assessment report D. Plan of Action and Milestones (POA&M) Which organizational reference can an Information System Security Officer (ISSO) use to help prioritize the remediation of a vulnerability found during a weekly vulnerability scan?
D. Plan of Action and Milestones (POA&M)
The results of the completed control assessments, including recommendations for correcting any weaknesses or deficiencies in the control, are documented in which document? A. Plan of Action and Milestones (POA&M) B. Security and privacy assessment plans C. Risk Assessment Report (RAR) D. Security and Privacy assessment reports
D. Security and Privacy assessment reports
A. The authorization termination date can never be eliminated. B. A continuous monitoring plan is approved by the Risk executive (function) C. Risk acceptance activities are performed by the Information System Security Officer (ISSO) so that the effectiveness of common controls are inherited periodically. D. The continuous monitoring program is sufficiently robust to provide the Authorizing Official (AO) with the needed information to conduct risk determination. When can an organization choose to eliminate the authorization termination date?
D. The continuous monitoring program is sufficiently robust to provide the Authorizing Official (AO) with the needed information to conduct risk determination.
A. Report the security status of the IS to the Authorizing Official (AO) B. Review the reported security status of the IS. C. Update the Security Plan (SP) and the assessment report. D. The explicit acceptance of risk by the Authorizing Official (AO) Regardless of the task ordering, what is the last step before an Information System (IS) is placed into operation?
D. The explicit acceptance of risk by the Authorizing Official (AO)
A. The recent risk Assessment Report (RAR) for each system B. The recent assessment reports for each system C. The recent vulnerability scan for each system D. The recent security status report for each system The new Authorizing Official (AO) is reviewing all moderate and high systems to determine if a formal reauthorization action is needed for any of the systems. Which of the following documents will BEST facilities this process?
D. The recent security status report for each system
A. The security control list is deleted. B. A compensating control is implemented C. A less restrictive security control is employed D. The security control is marked as non-applicable. When a security control selected for a system cannot be applied,
D. The security control is marked as non-applicable.
A. This can omitted in order to expedite the assessment. B. This can be waived by the System owner (SO) C. This can be carried out only by internal sources. D. This can viewed as a gap analysis Which of the following is TRUE when applying the Risk Management Framework (RMF) steps and associated tasks to existing systems?
D. This can viewed as a gap analysis
A. Within the same physical network segment B. Certified by the same Security Control Assessor (SCA) C. Certified within six months of one another D. Under the same higher management authority Subsystems are considered part of a larger system provided that they are
D. Under the same higher management authority
A. Privacy Impact Assessment (PIA) B. Business Impact Analysis (BIA) C. Authorization Packages D. Vulnerability Scans When making determinations regarding the adequacy of common controls for their respective systems, Information System Owner (ISO) refer to the Common Control Providers' (CCP)
D. Vulnerability Scans
What is included in the Plan of Action and Milestones (POA&M) that is presented to the Authorizing Official (AO) as part of the initial authorization package? A. All items identified throughout the Risk Management Framework (RMF) process B. Only volatile findings that require prioritization in remediation C. Deficiencies that have not yet been remediated and verified throughout the Risk Management Framework (RMF) process D. Only findings that have been evaluated as moderate or high
Deficiencies that have not yet been remediated and verified throughout the Risk Management Framework (RMF) process
What are the steps of a risk assessment? A. Prepare, Conduct, Communicate, Maintain B. Prepare, Conduct , Communicate C. Prepare ,Communicate, Conduct D. Prepare, Communicate ,Maintain, Conduct
Prepare, Conduct, Communicate, Maintain
A. Agency implementing them, as they apply to new systems. B. Secretary of Commence when the documents are finalized C. Office of Management and Budget (OMB) in policies, directives, or memoranda. D. Joint Task Force Transformation Initiative Interagency Working Group when the documents are issued The compliance schedules for National Institutes of Standards and technology (NIST) security standards and guidelines are established by the
Office of Management and Budget (OMB) in policies, directives, or memoranda.