CAP - StudiQuestions
During continuous monitoring, once the security controls are assessed, an updated SAR generated, and a plan of action & milestones created, what is the final action taken on remediated, modified, or added security controls? - Assess security controls. - Risk assessment. - Updated security assessment report. - Develop a POA&M.
Assess security controls. The assessor will generate an updated SAR which will be used by the ISO to create a POA&M. The ISO & CC provider will initiate remediation actions on outstanding items listed in the POA&M. The security controls that are modified, enhanced, or added to address the findings in the POA&M are reassessed by the assessor to ensure that appropriate corrective actions are taken to eliminate weaknesses or deficiencies or to mitigate the identified risk.
Risk determination includes a review of organizational operations, organizational assets, individuals, and other organizations. What information is needed in the risk assessment? - Business strategy - Cost-benefit analysis - Potential impact - Monitoring control reports
Potential Impact
Which tier of the risk management approach defines the types of information that the organization needs to successfully execute the stated missions and business processes and the information flows both internal and external to the organization? - Governance - Mission/Business Process - Organization - Information System
Mission/Business Process. NIST SP 800-37 Rev. 1 describes a three-tiered risk management approach: Tier 1 (organization/governance), Tier 2 (mission/business process) and Tier 3 (information system). Tier 2 activities include defining the types of information the organization needs to successfully execute its stated missions/business processes and the information flows both internal and external to the organization, so the correct tier is Mission/Business Process, not Governance. Tier 1 sets the governance structure and risk tolerance; Tier 3 applies the RMF to individual information systems.
A system specific control can be inherited under what criteria? - Only when assigned to a Common Control Provider, and as identified in the system security plan. - A system specific control is never inherited, but it can be one part of a hybrid control. - Only to the degree that is allowed in the Common Control Provider Security Authorization Package terms and conditions. - Only to the degree that an Information System Owner has defined that a system specific control can be inherited in the System Security Plan.
A system specific control is never inherited, but it can be one part of a hybrid control. Security controls not designated as CCs are considered system-specific controls or hybrid controls. System-specific controls are the primary responsibility of the information system owners and their respective authorizing officials. Organizations assign a hybrid status to a security control when one part of the control is deemed to be common & another part of the control is deemed to be system-specific. ISOs are responsible for any system-specific implementation details associated with the organization's CCs.
What is the last step before an information system is placed into operation? - Acceptance of risk by Information System Security Officer (ISSO) - Approval from Information System Owner (ISO) - Approval from Chief Information Officer (CIO) - Acceptance of risk by Authorizing Official (AO)
Correct Answer Acceptance of risk by Authorizing Official (AO) Answer Explanation The last step before an information system is placed into operation is the explicit acceptance of risk by the authorizing official.
When should the information system owner document the information system and authorization boundary description in the Security Plan? - While assembling the Authorization Package. - After security controls are implemented. - After Security Categorization. - When reviewing the Security Control Assessment Plan.
Correct Answer After Security Categorization. Answer Explanation During Task 1-2, Information System Description, the information system owner should describe the information system (including system boundary) and document the description in the security plan. Descriptive information about the information system is documented in the system identification section of the security plan, included in attachments to the plan, or referenced in other standard sources for information generated as part of the system development life cycle. The information system and authorization boundary should have been documented prior to security control implementation, before reviewing the security control assessment plan and prior to System Authorization tasks. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 21 Knowledge Area Categorize Information Systems
In a multi-tiered organization, Tier 1 deals with organization, Tier 2 with business processes in the organization and Tier 3 with day to day operations of processes. Information security should be incorporated at which of the following Tiers? a. All Tiers b. Tier 3, since it deals with actual implementation of security controls c. Tier 1, since it deals with governance d. Tier 2, since it deals with business processes and various information flows in the organization
Correct Answer All Tiers Answer Explanation Including security requirements at all tiers in an organization brings close cooperation among personnel from design and development to implementation and operations. The common perception is Tier 3 since it concerns the implementation and operations of actual systems. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- 10 Knowledge Area Understand The Security Authorization Of Information Systems
Which of the following BEST describes the risk executive (function)? - The process for ensuring that the organization's risk management approach is comprehensive. - The highest-level official or executive within an organization with the overall responsibility to provide information security protections. - The authorization to operate decision based on acceptability of residual risk to an information system. - An individual or group within an organization that helps to provide a comprehensive, organization-wide, holistic approach for addressing risk.
Correct Answer An individual or group within an organization that helps to provide a comprehensive, organization-wide, holistic approach for addressing risk. Answer Explanation The risk executive (function) is a key role in the Risk Management Framework (RMF). It is not a process or a decision. The risk executive (function) is an individual or group within an organization that helps to ensure that: (i) risk-related considerations for individual information systems, to include authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions; and (ii) managing information system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risks in order to ensure mission/business success. The risk executive (function) coordinates with the senior leadership of an organization.
Which of the following BEST describes the role of the common control provider? - An individual responsible for ensuring that the appropriate operational security posture is maintained for an information system - An individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization's core missions and business processes are adequately addressed - An individual, group, or organization responsible for the development, implementation, assessment, and monitoring of security controls inherited by other information systems - An individual, group, or organization responsible for ensuring that inheritable controls are implemented
Correct Answer An individual, group, or organization responsible for the development, implementation, assessment, and monitoring of security controls inherited by other information systems Answer Explanation NIST SP 800-37, Revision 1, Appendix D states "the common control provider is an individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems)."
The Security Control Assessor (SCA) has completed the assessment; what is the next step? - Certify the system - Create the Plan of Actions and Milestones (POAM) - Update system security plan - Analyze the test results
Correct Answer Analyze the test results Answer Explanation The assessor must analyze all the test results before writing the SAR. The POA&M is created after the SAR is written. The completed SAR, POA&M and security plan make up the security authorization package that is sent to the Authorizing Official (AO) for the authorization decision.
Which Risk Management Framework (RMF) step determines the extent to which security controls are implemented correctly, operating as intended and producing the desired result with respect to meeting security requirements? - Assess Security Controls - Authorize Security Controls - Implement Security Controls - Categorize Security Controls
Correct Answer Assess Security Controls Answer Explanation During the Assess Security Controls step, an independent assessment team assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired result with respect to meeting the security requirements for the system. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 8 Knowledge Area Understand The Security Authorization Of Information Systems
Several weaknesses or deficiencies in security controls were corrected based on the Security Assessment Report (SAR) and the remediated controls were reassessed for effectiveness. What is the next step? - Assessors update the SAR with the findings from the reassessment. - System owner generates a new security plan. - Assessors inform the Authorizing official to get approval for remediation. - Assessors generate a new SAR.
Correct Answer Assessors update the SAR with the findings from the reassessment. Answer Explanation If weaknesses or deficiencies in security controls are corrected, the remediated controls are reassessed for effectiveness. Security control reassessments determine the extent to which the remediated controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. Exercising caution not to change the original assessment results, assessors update the security assessment report with the findings from the reassessment.
Which role is primarily responsible for ongoing risk determination and acceptance? - Information System Owner (ISO) - Authorizing Official (AO) - Chief Information Security Officer (CISO) - Information Owner
Correct Answer Authorizing Official (AO) Answer Explanation Only the Authorizing Official (AO) may accept risk on behalf of an organization. All other roles are stakeholders in the process and outcome but only the AO may make the risk based decision. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- pg 41 Knowledge Area Monitor Security Controls
Who determines the required level of independence for security control assessors? - Information System Owner (ISO) - Information System Security Officer (ISSO) - Information System Security Manager (ISSM) - Authorizing Official (AO)
Correct Answer Authorizing Official (AO) Answer Explanation The authorizing official, or designated representative, determines the required level of independence for security control assessors based on the results of the security categorization process for the information system and the ultimate risk to organizational operations and assets, individuals, other organizations, and the Nation. The authorizing official determines if the level of assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a risk-based decision on whether to place the information system into operation or continue its operation.
What individual within your organization can make an executive decision in determining whether risk is acceptable? - Authorizing Official (AO) - Executive Risk Committee - Authorizing Official Designated Representative - Information System Owner (ISO)
Correct Answer Authorizing Official (AO) Answer Explanation The explicit acceptance of risk is the responsibility of the authorizing official and cannot be delegated to other officials within the organization. The authorizing official considers many factors when deciding if the risk to organizational operations (including mission, function, image, or reputation), organizational assets, individuals, other organizations, and the Nation, is acceptable. Reference Risk Management Guide for Information Technology Systems (NIST SP 800-30) July 2002. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf pp 4 Knowledge Area Authorize Information System
The formula shown below is used to express security category. The formula is described in which of the following? - FIPS 199 Standards for Security Categorization of Federal Information and Information Systems - NISTIR 7358 Program Review for Information Security Management Assistance (PRISMA) - OMB Circular A-127 Financial Management System - NIST SP 800-55 Performance Measurement Guide for Information Security
Correct Answer FIPS 199 Standards for Security Categorization of Federal Information and Information Systems Answer Explanation The security category formula is described in FIPS 199, which expresses the security category of an information type or information system as the set of (security objective, potential impact) pairs for confidentiality, integrity and availability, with each potential impact rated LOW, MODERATE or HIGH (NOT APPLICABLE is permitted only for the confidentiality of an information type, never for an information system). The other selections do not describe the formula.
Which individual is selected by the Authorizing Official (AO), empowered to make certain decisions, coordinates activities required by the Security Authorization process, and is responsible for preparing authorization decision letters? - Chief Information Officer (CIO) - Senior Information Security Officer - Information System Owner - Authorizing Official Designated Representative
Correct Answer Authorizing Official Designated Representative Answer Explanation The Authorizing Official (AO) designated representative is the only position meeting all the listed criteria. A CIO is responsible for an organization's IT activities to include its information assurance program, but they do not have to be selected by the AO nor coordinate Security Authorization activities. Information System Owner (ISO) is responsible for operating and maintaining information systems (to include security functions), however they are not appointed by the AO and are not responsible for preparing authorization decision letters. Finally, the Senior Information Security Officer (often referred to as a CISO) is appointed by the CIO and is responsible for security within their agency. These individuals are accountable to the CIO for FISMA compliance and reporting.
When is the information system boundary established? - During the development of security plans - After the development of security plans - After system deployment - Before the development of security plans
Correct Answer Before the development of security plans Answer Explanation Information system boundaries are established in coordination with the security categorization process and before the development of security plans. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- Page 9 Knowledge Area Understand The Security Authorization Of Information Systems
When making a determination regarding the adequacy of the implementation of inherited controls for their respective systems, an Information System Owner (ISO) can refer to the authorization package prepared by which of the following? - Information Owner/Steward - Common Control Provider - Information System Security Engineer (ISSE) - Information Systems Security Officer (ISSO)
Correct Answer Common Control Provider Answer Explanation In accordance with the reference, the Common Control Provider is responsible for planning, development, implementation, assessment, authorization, and maintenance of common security controls inherited by information systems. The Common Control Provider is responsible for documenting common controls utilized in a security plan. Information Owners, ISSEs, ISSOs and other security roles are not responsible for preparing authorization packages related to common controls.
In determining risk, what position is responsible for supplying the Executive Risk Committee with assessment information related to a common control? - Information Owner - Inspector General - Information Assurance Officer - Common Control Provider
Correct Answer Common Control Provider Answer Explanation The authorizing official or designated representative, in collaboration with the senior information security officer, assesses the information provided by the information system owner or common control provider regarding the current security state of the system or the common controls inherited by the system and the recommendations for addressing any residual risks. For a common control, the common control provider is the party that supplies that assessment information. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- pp 35 Knowledge Area Authorize Information System
What is the first phase in the System Development Life Cycle (SDLC) when security control assessments occur? - Sunset/Disposal - Initiation - Operation/Maintenance - Development/Acquisition
Correct Answer Development/Acquisition Answer Explanation Security control assessments occur as early as practicable in the SDLC preferably during the development phase of the information system. These types of assessments are referred to as developmental testing and evaluation and are intended to validate that the required security controls are implemented correctly and consistent with the established information security architecture. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- pp 31 Knowledge Area Assess Security Controls
A Chief Information Security Officer (CISO) must build a continuous monitoring program to ensure risk visibility and management. Which of the following options provides the BEST approach? - Implement vulnerability scanning tools and scan continuously. Report the vulnerabilities to a dashboard. This will show the number of vulnerable machines at any given time. - Divide the NIST SP 800-53 controls into four groups. One group is controls tested every year or more frequently with the remaining controls divided into three separate groups over three years. Testing will occur every year and all controls will be tested by the end of the third year. Report risk in accordance with laws and organizational policy to the Authorizing Official (AO) and the risk executive function. - Assess all controls once every three years in accordance with OMB Circular A-130. Update all key security documentation and secure in a DoD approved facility. Ensure the risk assessment report is sent to OMB for adjudication. - Implement a decision support system which takes input from several third party risk assessment groups and correlates it with the hardware profile of the organization. Determine organizational risk in near real time with alerting through the decision support system via email, Security Operations Center (SOC) alerting and phone to ensure timely notification takes place.
Correct Answer Divide the NIST SP 800-53 controls into four groups. One group is controls tested every year or more frequently with the remaining controls divided into three separate groups over three years. Testing will occur every year and all controls will be tested by the end of the third year. Report risk in accordance with laws and organizational policy to the Authorizing Official (AO) and the risk executive function. Answer Explanation The NIST 800-53 controls divided over a time period with selected controls monitored more frequently offers the best approach. Scanning tools alone will not associate the risk of a vulnerability with the mission of the organization. Decision support systems may be fed by continuous monitoring but do not constitute continuous monitoring. A-130 requires agencies to authorize systems minimally every three years. The authorizing official or designated representative reviews the reported security status of the information system (including the effectiveness of deployed security controls) on an ongoing basis, to determine the current risk to organizational operations and assets, individuals, other organizations, or the Nation. The authorizing official determines, with inputs as appropriate from the authorizing official designated representative, senior information security officer, and the risk executive (function), whether the current risk is acceptable and forwards appropriate direction to the information system owner or common control provider. The use of automated support tools to capture, organize, quantify, visually display, and maintain security status information promotes the concept of near real-time risk management regarding the overall risk posture of the organization. The use of metrics and dashboards increases an organization's ability to make risk-based decisions by consolidating data from automated tools and providing it to decision makers at different levels within the organization in an easy-to-understand format. 
The risks being incurred may change over time based on the information provided in the security status reports. Determining how the changing conditions affect the mission or business risks associated with the information system is essential for maintaining adequate security. By carrying out ongoing risk determination and risk acceptance, authorizing officials can maintain the security authorization over time. Formal reauthorization actions, if required, occur only in accordance with federal or organizational policies. The authorizing official conveys updated risk determination and acceptance results to the risk executive (function). Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- pg 41 Knowledge Area Monitor Security Controls
When the level of trust in the external provider of a subsystem is below expectations, the organization should do which of the following? - Get a waiver from the Head of Agency - Employ compensating control and accept a greater degree of risk - Continue to use the external subsystem, but document its limitation - Apply additional monitoring for this subsystem
Correct Answer Employ compensating controls and accept a greater degree of risk Answer Explanation When the level of trust in the external provider of a subsystem is below expectations, the organization should either employ compensating controls and accept a greater degree of risk, or not obtain the service.
What is the last required step before an Information system is placed into operation? - Explicit acceptance of risk by the authorizing official - Ensure all personnel have appropriate training to handle the system - Reassessment of the System Security Plan - Complete implementation of security controls for the system
Correct Answer Explicit acceptance of risk by the authorizing official Answer Explanation Regardless of the task ordering, the last step before an information system is placed into operation is the explicit acceptance of risk by the Authorizing Official (AO).
An information system categorization has been completed for a federal information system. Which two documents ensure appropriate security requirements and security controls are applied? - FIPS 199 and NIST SP 800-37 - FIPS 200 and NIST SP 800-53 - FIPS 199 and NIST SP 800-53 - FIPS 200 and NIST SP 800-37
Correct Answer FIPS 200 and NIST SP 800-53 Answer Explanation FIPS 200 and NIST SP 800-53 is the correct answer: FIPS 200 provides minimum security requirements covering seventeen security-related areas representing a broad-based information security program, and directs federal information security managers to use NIST SP 800-53 when selecting and tailoring the baseline security controls to be implemented. FIPS 199 cannot be the correct answer because it covers security categorization, which precedes (and is an input to) the selection of security requirements and controls. NIST SP 800-37 provides guidance for applying the Risk Management Framework (RMF) and is a distractor: although control selection and implementation are steps within the RMF and the System Development Life Cycle (SDLC), SP 800-37 does not itself define the requirements or the control catalog, so it is not the best answer.
How does the Authorizing Official (AO) determine the proper length of an information system's security authorization? - State Law and Business Impact Analysis (BIA) - Incident Response Plan and Security Plan - Federal policies and Continuous Monitoring Program - Interconnection Security Agreement (ISA) and Memorandum of Agreement (MOA/U)
Correct Answer Federal policies and Continuous Monitoring Program Answer Explanation Organizations may choose to eliminate the authorization termination date if the continuous monitoring program is sufficiently robust to provide the authorizing official with the needed information to conduct ongoing risk determination and risk acceptance activities with regard to the security state of the information system and the ongoing effectiveness of security controls employed within and inherited by the system. Authorization termination dates are influenced by federal and/or organizational policies which may establish maximum authorization periods.
An information system processes information types that have a potential impact of MODERATE and LOW. One of the information system's four subsystems processes an information type that has potential impact of HIGH but the subsystem is only accessed by a small group of users with security clearances. What is the appropriate Security Categorization for the entire information system? - Catastrophic - Significant - MODERATE - HIGH
Correct Answer HIGH Answer Explanation If even one subsystem processes an information type with a potential impact of HIGH, the information system should be categorized as HIGH; the small, cleared user population does not change the categorization, which reflects the impact of a compromise rather than its likelihood. Determining the security category of an information system requires consideration of the security categories of all information types resident on the information system. For an information system, the potential impact values assigned to the respective security objectives shall be the highest values (i.e., high water mark) from among those security categories that have been determined for each type of information resident on the information system. MODERATE is not the correct security categorization. Significant and Catastrophic describe the potential adverse effect on the organization should one of the security objectives be compromised; they are not categorization levels. Reference Standards for Security Categorization of Federal Information and Information Systems (FIPS 199) February 1, 2004. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf page 4 Knowledge Area Categorize Information Systems
A large organization has documented information security policy that is reviewed and approved by senior officials and is readily available to all organization staff. This information security policy explicitly addresses each of the control families in NIST SP 800-53, Revision 3. The policy also establishes procedures for the management class of security controls. In the information system security plans for each of the organization's information systems, AC-1 Access Control Policy and Procedures (a technical class security control) must be identified as what type of control? - System-specific - Inherited - Hybrid - Fully-inheritable
Correct Answer Hybrid Answer Explanation NIST SP 800-53, Revision 3 states: Organizations assign a hybrid status to a security control when one part of the control is deemed to be common and another part of the control is deemed to be system-specific. For example, an organization may implement the Incident Response Policy and Procedures security control (IR-1) as a hybrid control with the policy portion of the control deemed to be common and the procedures portion of the control deemed to be system-specific.
The Security Control Assessor has finished their assessment of the National Library's Computer Network and discovered that some controls were not implemented as described in the security plan. There were issues with identification and authentication implementation. Their system security policy states that all new account passwords will be given to the individual directly by the help desk personnel after identity verification. The assessor was given their new system account login and password by the Information System Owner (ISO). What control was NOT properly implemented? - SC-2 Application Partitioning - AC-3 Access Enforcement - IA-5 Authenticator Management - PS-2 Position Categorization
Correct Answer IA-5 Authenticator Management Answer Explanation IA-5 covers the management of authenticators, including how initial authenticators (here, the new account password) are distributed; handing the password out through the ISO instead of the help desk after identity verification violates the documented distribution procedure. AC-3 deals with enforcing approved authorizations once a user is authenticated, not with how authenticators are issued. PS-2 and SC-2 are not related to access or account management.
When referring to the System Development Life Cycle (SDLC), during what phase does the Information System Owner (ISO) assemble the Security Authorization Package? - Verification - Initiation - Disposal - Implementation
Correct Answer Implementation Answer Explanation Implementation/Assessment is the third phase of the SDLC. During this phase, the system will be installed and evaluated in the organization's operational environment. Key security activities for this phase include: • Integrate the information system into its environment • Plan and conduct system certification activities in synchronization with testing of security controls, and complete system accreditation activities. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- pp 42 Security Considerations in the System Development Life Cycle (NIST SP 800-64) October 1, 2008. Rev. 2: http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-evision2.pdf pp 34 Knowledge Area Authorize Information System
An initial remediation action was taken by the information system owner based on findings from the Security Assessment Report (SAR). What is the next appropriate step based on the Risk Management Framework (RMF)? - Include the remediation action taken by information system owner as an addendum to the SAR - Information System Security Officer (ISSO) documents the remediation action and informs the Information System Owner (ISO) - Information System Owner (ISO) documents the remedial action in the security plan - Remedial action taken is sent for review to the Information System Security Officer (ISSO)
Correct Answer Include the remediation action taken by information system owner as an addendum to the SAR Answer Explanation Organizations can prepare an optional addendum to the SAR that is transmitted to the authorizing official. The optional addendum provides ISO and common control providers an opportunity to respond to the initial findings of assessors. The addendum may include, for example, information regarding initial remediation actions taken by the ISO or common control providers in response to assessor findings, or provide an owner's perspective on the findings (e.g., including additional explanatory material, rebutting certain findings, and correcting the record). The addendum to the SAR does not change or influence, in any manner, the initial assessor findings provided in the original report. Information provided in the addendum is considered by authorizing officials in their risk-based authorization decisions.
Which of the following roles is responsible for updating key information system security documentation during continuous monitoring? - Information Owner - Chief Information Security Officer (CISO) - Information Systems Security Manager (ISSM) - Information System Owner (ISO)
Correct Answer: Information System Owner (ISO). Answer Explanation: The Information System Owner (ISO) is primarily responsible for all operational aspects of the information system, including security, documentation and reporting. The ISSM typically provides security oversight and subject matter support to the information system owner but is NOT responsible for the system's documentation. The information owner relies on the information system owner for the system and therefore is removed from this process. The Chief Information Security Officer (CISO) is typically not a system owner and therefore has no responsibility for ensuring the documentation is updated. Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- p 38. Knowledge Area: Monitor Security Controls
Which role is responsible for implementing security controls in a general support system? - Information Systems Security Officer (ISSO) - Chief Information Security Officer (CISO) - Security Control Assessor (SCA) - Information System Owner (ISO)
Correct Answer: Information System Owner (ISO). Answer Explanation: The information system owner (ISO) is responsible for implementing the security controls for their systems. The Security Control Assessor (SCA) assesses the controls, the Chief Information Security Officer manages the overall security posture of the organization, and the information system security officer provides operational security support to the information system owner.
Who prepares the plan of action and milestones? - Security control assessor - Authorizing Official (AO) - Information System Owner (ISO) - Information System Security Officer (ISSO)
Correct Answer: Information System Owner (ISO). Answer Explanation: The plan of action and milestones, prepared for the authorizing official by the ISO or the common control provider, is one of three key documents in the security authorization package and describes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls noted during the assessment; and (ii) to address the residual vulnerabilities in the information system. Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- Knowledge Area: Authorize Information System
Which role is MOST responsible for the development and maintenance of the Plan of Action and Milestones (POAM) that lists identified weaknesses? - Information System Owner (ISO) - Security Control Assessor (SCA) - Authorizing Official (AO) - Chief Information Security Officer (CISO)
Correct Answer: Information System Owner (ISO). Answer Explanation: The plan of action and milestones, prepared for the authorizing official by the information system owner or the common control provider, is one of three key documents in the security authorization package and describes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls noted during the assessment; and (ii) to address the residual vulnerabilities in the information system.
Results from a security control assessment require remediation actions. Who among the following is responsible for taking the remedial actions? - Chief Information Officer (CIO) - Information System Owner (ISO) - Information System Security Officer (ISSO) - Authorizing Official (AO) or Designated Representative
Correct Answer: Information System Owner (ISO). Answer Explanation: The results from security control assessments can trigger remediation actions on the part of an Information System Owner (ISO), which can in turn require the reassessment of selected controls.
Who has primary responsibility for compliance with Risk Management Framework (RMF), Step 6 Monitor Security Controls, Task 6-1: Determine the security impact of proposed or actual changes to the information system and its environment of operation? - Information System Owner (ISO) or Common Control Provider - Risk Executive (Function) and/or Authorizing Official (AO) - Information Owner/Steward - Information System Security Officer (ISSO)
Correct Answer: Information System Owner (ISO) or Common Control Provider. Answer Explanation: The Information System Owner (ISO) or the Common Control Provider has the primary responsibility for RMF Task 6-1. The Risk Executive (Function) and/or Authorizing Official (AO) has a supporting role but not primary responsibility. The Information Owner/Steward has neither primary responsibility nor a supporting role. The Information System Security Officer (ISSO) has a supporting role. Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- TASK 6-1, page 38. Knowledge Area: Monitor Security Controls
Who has the primary responsibility for complying with Risk Management Framework (RMF), Step 6 Monitor Security Controls, Task 6-3: Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones? - Information System Owner (ISO) or Common Control Provider - Security Control Assessor - Information System Security Officer (ISSO) - Authorizing Official (AO) or Designated Representative
Correct Answer: Information System Owner (ISO) or Common Control Provider. Answer Explanation: Information System Owners (ISO) and Common Control Providers have the primary responsibility for monitoring security controls and for remediation of flaws. Authorizing Official (AO) or Designated Representative, Information System Security Officer (ISSO), and Security Control Assessor are wrong, since those positions have supporting roles but not primary responsibility.
What is the MAIN purpose of the addendum to the final Security Assessment Report (SAR)? - The addendum is sent to the Information System Security Manager (ISSM) to inform them of the system's risks. - The addendum provides Information System Owners (ISO) and common control providers an opportunity to fix the issues without being reported in the SAR. - Information provided in the addendum is considered by authorizing officials in their risk-based authorization decisions. - The addendum to the SAR changes the initial assessor findings provided in the original report.
Correct Answer: Information provided in the addendum is considered by authorizing officials in their risk-based authorization decisions. Answer Explanation: The optional addendum to the Security Assessment Report (SAR) provides information system owners and common control providers an opportunity to respond to the initial findings of assessors. The addendum may include, for example, information regarding initial remediation actions taken by information system owners or common control providers in response to assessor findings, or provide an owner's perspective on the findings (e.g., including additional explanatory material, rebutting certain findings, and correcting the record). The addendum to the security assessment report does not change or influence, in any manner, the initial assessor findings provided in the original report. Information provided in the addendum is considered by authorizing officials in their risk-based authorization decisions. There is no requirement to send the SAR or its addendum to the Information System Security Manager (ISSM). Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- Page 33. Knowledge Area: Assess Security Controls
While implementing security controls, Information System Security Engineers (ISSE) with support from Information System Security Officers (ISSO) employ a sound engineering process that captures and refines which one of the following? - Resources used to allocate security controls, and security mechanisms and services, to an information system and any organization-defined subsystem. - The likelihood of a given threat-source exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization - Information security requirements that ensure the integration of those requirements into information technology products and systems through purposeful security design or configuration - User information protection needs and the designing and making of information systems, with economy and elegance, so they can safely resist the forces to which they will be subjected.
Correct Answer: Information security requirements that ensure the integration of those requirements into information technology products and systems through purposeful security design or configuration. Answer Explanation: It is up to the ISSE and ISSO to work together to capture "information security requirements that ensure the integration of requirements into information technology products and systems through purposeful security design or configuration." The key concept in this question is that the ISSE and ISSO work to integrate security requirements. Resources used to allocate security controls, security mechanisms, and similar services describe the systems security architecture; moreover, the ISSE and ISSO do not address security mechanisms and services when implementing security controls. "Discovery of user information protection needs and the designing and making of information systems, with economy and elegance, so they can safely resist the forces to which they will be subjected" is a tenet for Information System Security Engineers (ISSE) taken directly from the Information Assurance Technical Framework (IATF 3.1); this tenet has no bearing on implementing security controls. "The likelihood of a given threat-source exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization" is the definition of risk and is a distractor. There is only one logical answer. Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- pp. 28; Risk Management Guide for Information Technology Systems (NIST SP 800-30) July 2002. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf pp. 8. Knowledge Area: Apply Security Controls
The monitoring of security controls applies to which System Development Life Cycle (SDLC) phases? - Implementation and operations and maintenance - Development/acquisition; implementation; and, operations and maintenance - Initiation; development/acquisition; implementation; and, operations and maintenance - Initiation; development/acquisition; implementation; operations and maintenance; and, disposal
Correct Answer: Initiation; development/acquisition; implementation; operations and maintenance; and, disposal. Answer Explanation: The monitoring of security controls continues throughout the system development life cycle (RMF Task 2-3, Monitoring Strategy, NIST SP 800-37, Revision 1). Also, RMF Task 6-7, Information System Decommissioning and Removal, supplemental guidance in NIST SP 800-37, Revision 1, provides several examples of security control monitoring that occur during the system development life cycle (SDLC) disposal phase. Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- pages 26 and 41. Knowledge Area: Monitor Security Controls
Security control volatility is a measure of how frequently a control is likely to change over time subsequent to its implementation. Why is security control volatility an important consideration in the development of a security control monitoring strategy? - It indicates a need for compensating controls. - It establishes priority for security control monitoring. - It provides justification for revisions to the configuration management and control plan. - It identifies needed security control monitoring exceptions.
Correct Answer: It establishes priority for security control monitoring. Answer Explanation: According to NIST SP 800-37, Revision 1: "Priority for security control monitoring is given to the controls that have the greatest volatility and the controls that have been identified in the organization's plan of action and milestones." Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page G-3. Knowledge Area: Establish The Security Control Baseline
Common control identification occurs in what phase of the Risk Management Framework (RMF) and System Development Life Cycle (SDLC)? - Implementation and Continuous Monitoring - Categorize and Initiation - Select and Initiation - Authorize and Disposal
Correct Answer: Select and Initiation. Answer Explanation: The security categorization process is carried out by the information system owner and information owner/steward in cooperation and collaboration with appropriate organizational officials. This helps to ensure that individual information systems are categorized based on the mission and business objectives of the organization. The results of the security categorization process influence the selection of appropriate security controls for the information system and also, where applicable, the minimum assurance requirements for that system.
Which of the following BEST represents the drivers of determining security status reporting frequency? a. Federal Information Security Management Act (FISMA) and system maintenance b. Personnel schedules and privacy impact of the system c. Organizational financial reporting requirements and Systems of Record Notice (SORN) d. Legal requirements and organizational specific requirements based on risk
Correct Answer: Legal requirements and organizational specific requirements based on risk. Answer Explanation: The correct answer is based on laws, information system significance and the overall risk posture of the organization. NIST has little to no input in determining an organization's reporting schedule. OMB mandates only minimums, which must be met but must also be reviewed to determine if additional reporting is required. Security status reporting can be: (i) event-driven (e.g., when the information system or its environment of operation changes or the system is compromised or breached); (ii) time-driven (e.g., weekly, monthly, quarterly); or (iii) both (event- and time-driven). Security status reports provide the authorizing official and other senior leaders within the organization essential information with regard to the security state of the information system, including the effectiveness of deployed security controls. Security status reports describe the ongoing monitoring activities employed by the information system owner or common control provider. Security status reports also address vulnerabilities in the information system and its environment of operation discovered during the security control assessment, security impact analysis, and security control monitoring, and how the information system owner or common control provider intends to address those vulnerabilities. Organizations have significant latitude and flexibility in the breadth, depth, and formality of security status reports. Security status reports can take whatever form the organization deems most appropriate. The goal is cost-effective and efficient ongoing communication with senior leaders conveying the current security state of the information system and its environment of operation with regard to organizational missions and business functions. At a minimum, security status reports summarize key changes to security plans, security assessment reports, and plans of action and milestones. Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- pg 40. Knowledge Area: Monitor Security Controls
Which of the following documents describes the relationship between the Risk Management Framework (RMF) steps and the security authorization process? - Privacy Act of 1974 - Federal Information Security Management Act (FISMA) - NIST SP 800-53A - NIST SP 800-37
Correct Answer: NIST SP 800-37. Answer Explanation: NIST SP 800-37 Rev. 1 is the Guide for Applying the Risk Management Framework to Federal Information Systems and does describe the relationship between the Risk Management Framework (RMF) steps and the security authorization process. NIST SP 800-115 is the Technical Guide to Information Security Testing and Assessment and does not discuss the RMF. Neither FISMA nor the Privacy Act of 1974 describes the relationship between the Risk Management Framework (RMF) steps and the security authorization process. Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 2, section 1.2 Purpose and Applicability. Knowledge Area: Understand The Security Authorization Of Information Systems
When selecting security controls, which NIST Special Publication provides recommended security controls for federal information systems? - NIST SP 800-12 - NIST SP 800-199 - NIST SP 800-53 - NIST SP 800-34
Correct Answer: NIST SP 800-53. Answer Explanation: NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, is the correct answer. NIST SP 800-199 does not exist and is an easily eliminated distractor. Some students may confuse this response with FIPS 199; however, FIPS 199 is a standards publication that deals with security categorization of federal information systems and not recommended security controls. NIST SP 800-12 provides an introduction to computer security and is not applicable to selecting recommended security controls. Likewise, NIST SP 800-34 is a Contingency Planning Guide and is also not applicable. Reference: Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53) May 2010. Rev. 3 final: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf p. 1. Knowledge Area: Understand The Security Authorization Of Information Systems
Which of the following is an example of a common control being inherited? - A custom authentication system used for an accounting system - A webserver's SSL certificate used exclusively for a major web application - Physical security at a datacenter hosting several applications and systems - Specialized training used for a firearms tracking system
Correct Answer: Physical security at a datacenter hosting several applications and systems. Answer Explanation: The only clear example of common control inheritance provided is physical security. All the other examples are either system-specific or hybrid controls. Many of the security controls needed to protect organizational information systems (e.g., contingency planning controls, incident response controls, security training and awareness controls, personnel security controls, physical and environmental protection controls, and intrusion detection controls) are excellent candidates for common control status. Information security program management controls (see Appendix G, PM family) may also be deemed common controls by the organization, since the controls are employed at the organization level and typically serve multiple information systems. By centrally managing and documenting the development, implementation, assessment, authorization, and monitoring of common controls, security costs can be amortized across multiple information systems. Reference: Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53) May 2010. Rev. 3 final: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf pg 10. Knowledge Area: Understand The Security Authorization Of Information Systems
What is the final step in the Risk Management Framework (RMF) Step 4 - Assess Security Controls? - Security Assessment Report (SAR) - Remediation Actions - Write a Plan of Actions and Milestones (POAM) - Security Control Assessment
Correct Answer: Remediation Actions. Answer Explanation: Write a Plan of Actions and Milestones (POAM) is actually Task 5-1 of the Risk Management Framework (RMF). The Security Control Assessment is Task 4-2 of the RMF, and the Security Assessment Report (SAR) is Task 4-3 of the RMF. Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- pages 32-34. Knowledge Area: Assess Security Controls
Which of the following control families belongs to the Management class of security controls? - Media Protection - Access Control - Risk Assessment - Configuration Management
Correct Answer: Risk Assessment. Answer Explanation: Media Protection and Configuration Management are Operational Controls. Access Control is a Technical Control.
According to NIST SP 800-37A "Guide for Applying the Risk Management Framework to Federal Information Systems", "determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation" is the description for: - Risk Determination - Risk Mitigation - Risk Acceptance - Risk Management
Correct Answer: Risk Determination. Answer Explanation: Risk acceptance is used in risk management to describe an informed decision to accept the consequences and likelihood of a particular risk. Risk Management - The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system. Risk Mitigation - systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence. Also called risk reduction. Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- Page E-3. Knowledge Area: Authorize Information System
Continuous monitoring of security controls to include ongoing remediation actions is defined in the - System Development Life Cycle (SDLC) Phase 5. - OMB Circular A-11 Preparation, Submission, and Execution of the Budget. - Risk Management Framework (RMF) Step 6. - NIST SP 800-61 Computer Security Incident Handling Guide.
Correct Answer: Risk Management Framework (RMF) Step 6. Answer Explanation: Risk Management Framework (RMF) Step 6 - Monitor Security Controls, Task 6-3: Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones. NIST SP 800-61 Computer Security Incident Handling Guide does not include a requirement for monitoring of security controls and ongoing remediation of flaws found. SDLC Phase 5 is Disposal and does not require monitoring of security controls and remediation. OMB Circular A-11 does not have an ongoing remediation requirement.
After residual risks identified during the security control assessment have been evaluated and prior to a security authorization decision, the Authorizing Official (AO) or designated representative makes a final risk determination based on input obtained DIRECTLY from which of the following individuals? - Information System Owner (ISO), Risk executive and Senior Agency Information Security Officer (SAISO) - Risk executive, Senior Agency Information Security Officer (SAISO) and Common Control Provider - Risk executive, Information System Owner (ISO) and Common Control Provider - Information System Owner (ISO), Senior Agency Information Security Officer (SAISO) and Common Control Provider
Correct Answer: Risk executive, Information System Owner (ISO) and Common Control Provider. Answer Explanation: The correct answer is risk executive, Information System Owner (ISO) and Common Control Provider, since the operative word in this question is DIRECTLY. In accordance with the reference, the Authorizing Official (AO) or designated representative considers information obtained from the risk executive (function) and the information provided by the Information System Owner (ISO) or common control provider in the security authorization package. All risk-related information from others (e.g., SAISO, ISSO, ISSE, etc.) is contained within deliverables such as the security plan, Security Assessment Report (SAR), and Plan of Action and Milestones (POAM) provided by the aforementioned individuals. Moreover, the SAISO has no formal risk reporting authority to the AO or designated representative when determining risk.
Which of the following defines National Security Systems? - NIST SP 800-100 Information Security Handbook: A Guide for Managers - OMB Circular A-130 Management of Federal Information Resources, Transmittal 4 - FIPS 199 Standards for Security Categorization of Federal Information and Information Systems - Section 3541 Title 44 U.S.C. Federal Information Security Management Act of 2002 (FISMA)
Correct Answer: Section 3541 Title 44 U.S.C. Federal Information Security Management Act of 2002 (FISMA). Answer Explanation: The Federal Information Security Management Act of 2002 (FISMA) defines National Security Systems as: ''(2)(A) The term 'national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency— ''(i) the function, operation, or use of which ......." The other selections mention National Security Systems but do not define what a National Security System is.
The security authorization package contains which of the following documents? - Security Assessment Report (SAR), security audit logs and Plan of Action and Milestones (POAM) - Security Assessment Report (SAR), security audit logs and security plan - Security Assessment Report (SAR), security plan and Plan of Action and Milestones (POAM) - security audit logs, security plan and Plan of Action and Milestones (POAM)
Correct Answer: Security Assessment Report (SAR), security plan and Plan of Action and Milestones (POAM). Answer Explanation: The security authorization package contains the following documents: 1. Security Assessment Report (SAR) 2. Security plan 3. Plan of Action and Milestones (POAM)
What key information is used by the Authorizing Official (AO) to assist them with the risk determination of an Information System (IS)? - Plan of Action and Milestones (POAM) - Security Authorization Package (SAP) - Interconnection Security Agreement (ISA) - Security Plan (SP)
Correct Answer: Security Authorization Package (SAP). Answer Explanation: A security authorization package contains the security plan, security assessment report, and the plan of action and milestones. The information in these key documents is used by authorizing officials to make risk-based authorization decisions.
During which Risk Management Framework (RMF) step are common controls and system-specific security controls BEST documented in a security plan (or equivalent document)? - Authorize Information Systems - Select Security Controls - Assessing Security Controls - Categorize the Information System
Correct Answer: Select Security Controls. Answer Explanation: During the Select Security Controls step, security controls that are provided by the organization as common controls for organizational information systems are identified, and the information system's controls are documented in a security plan (or equivalent document). The Security Plan is primarily developed during the Select Security Controls step. Documentation of security controls isn't required during Categorization of an Information System. Security controls are assessed during the Assess Security Controls step. During the Authorization of an Information System, controls have already been documented and assessed.
An information system categorized as MODERATE impact according to FIPS 199 has experienced a Denial of Service (DoS) attack. What is the potential adverse effect to organizational operations, organizational assets, or individuals? - Limited - Serious - Catastrophic - Minor
Correct Answer: Serious. Answer Explanation: During Security Categorization of an information system, the potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The potential impact is HIGH if the expected adverse effect is catastrophic, and the potential impact is LOW if the expected adverse effect is limited. According to FIPS 199, "minor" is not described as an expected adverse impact. Reference: Standards for Security Categorization of Federal Information and Information Systems (FIPS 199) February 1, 2004. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf page 2. Knowledge Area: Categorize Information Systems
Tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions is performed during which Risk Management Framework (RMF) step? - Step 4 - Assess Security Controls - Step 6 - Monitor Security Controls - Step 2 - Select Security Controls - Step 3 - Implement Security Controls
Correct Answer: Step 2 - Select Security Controls. Answer Explanation: During Step 2, Select Security Controls, an initial set of baseline security controls is selected for the information system based on the security categorization, and the security control baseline is tailored and supplemented as needed based on an organizational assessment of risk and local conditions. The correct answer does not apply to the other RMF steps. Reference: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 7. Knowledge Area: Understand The Security Authorization Of Information Systems
Using the Risk Management Framework (RMF), conducting initial remediation actions on security controls is part of: - Step 2 - Select Security Controls - Step 3 - Implement Security Controls - Step 4 - Assess Security Controls - Step 5 - Authorize Information System
Correct Answer Step 4 - Assess Security Controls. Answer Explanation In the Risk Management Framework, Task 4-4 is remediation actions. Quote, "Conduct initial remediation actions on security controls based on the findings and recommendations of the security assessment report and reassess remediated control(s), as appropriate."
An information system categorized as HIGH has implemented significant technology upgrades. Conducting security impact analysis of the associated changes is BEST performed during which Risk Management Framework (RMF) step? Step 6 - Monitoring Security Controls Step 2 - Select Security Controls Step 1 - Categorize Information Systems Step 3 - Implement Security Controls
Correct Answer Step 6 - Monitoring Security Controls Answer Explanation During Step 6, the information system owner is responsible for monitoring security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials. A change to an operational system is analyzed for its security impact after the change occurs, which places the activity in Step 6; the other steps are not appropriate answers.
An information system is currently in the initiation phase of the System Development Life Cycle (SDLC) and has been categorized high impact. The information system owner wants to inherit common controls provided by another organizational information system that is categorized moderate impact. How does the information system owner ensure that the common controls will provide adequate protection for the information system? - Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system. - Consult with the Information System Security Engineer and the Information Security Architect. - Perform rigorous testing of the common controls to determine if they provide adequate protection. - Ask the common control provider for the system security plan for the common controls.
Correct Answer Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system. Answer Explanation RMF Step 2 - Select Security Controls, Task 2-1 Common Control Identification, in NIST SP 800-37, Revision 1, explicitly states each of the three activities associated with inheriting common controls, including "Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system." The other answers do not ensure that the common controls will provide appropriate protection for a high impact information system.
Information System Quality and Assurance requirements are determined in which of the following processes? System Development Life Cycle (SDLC) Privacy Impact Assessment (PIA) Penetration Testing System Test and Evaluation (ST&E)
Correct Answer System Development Life Cycle (SDLC) Answer Explanation Quality and assurance requirements are nonfunctional requirements of an information system and are determined within the SDLC. Security requirements are a subset of the overall functional and nonfunctional (e.g., quality, assurance) requirements levied on an information system and are incorporated into the system development life cycle simultaneously with those functional and nonfunctional requirements. PIA, penetration testing, and ST&E are activities that take place within the SDLC; they do not define the system's quality and assurance requirements.
The Risk Management Framework (RMF) provides a structured process that integrates information security and risk management activities into the Synchronous Data Link Control (SDLC). System Development Life Cycle (SDLC). Security Development Life Cycle (SDLC). Software Development Life Cycle (SDLC).
Correct Answer System Development Life Cycle (SDLC). Answer Explanation The correct answer is System Development Life Cycle (SDLC). The RMF provides a structured process that integrates information security and risk management activities into the SDLC. Risk management tasks begin early in the SDLC and are important in shaping the security capabilities of the information system. Software Development Life Cycle is applicable to the software engineering community; Synchronous Data Link Control is a proprietary communications protocol; and Security Development Life Cycle is not a government or industry standard term.
What family of security controls below is in the Operational class of security controls? Identification and Authentication System and Information Integrity System and Communications Protection Security Assessment and Authorization
Correct Answer System and Information Integrity Answer Explanation In NIST SP 800-53, Revision 3, Security Assessment and Authorization is in the Management class, while System and Communications Protection and Identification and Authentication are both in the Technical class. System and Information Integrity is in the Operational class. Reference Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53) May 2010 . Rev. 3 final: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf Page 6 Knowledge Area Assess Security Controls
The final, agreed-upon set of security controls is documented with appropriate rationale for the information system in which artifact? The security Assessment Report (SAR) The System Security Authorization Agreement (SSAA) The security assessment plan The Security Plan
Correct Answer The Security Plan Answer Explanation According to NIST SP 800-53, "The authorizing official or designated representative, by accepting the security plan, agrees to the set of security controls proposed to meet the security requirements for the information system." The security assessment plan and security assessment report are produced after the security controls have been accepted. The System Security Authorization Agreement (SSAA) is a legacy DITSCAP artifact and is merely a distractor. Reference Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53) May 2010 . Rev. 3 final: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf pg.4 Knowledge Area Establish The Security Control Baseline
For a small organization a developer of an information system is designated to carry out the security control assessment of the information system. Which among the following is TRUE in accordance with established Risk Management Framework (RMF)? - The security control assessment plan needs to be modified. - The assessment results are carefully reviewed and analyzed by an independent team of experts to validate the completeness, consistency and veracity of the results. - The system owner should consult with the system security control assessor to get a waiver. - The system owner should designate the system administrator in addition to carry out the security control assessment.
Correct Answer The assessment results are carefully reviewed and analyzed by an independent team of experts to validate the completeness, consistency and veracity of the results. Answer Explanation In special situations (for example, when the organization that owns the information system is small or the organizational structure requires that the security control assessment be accomplished by individuals that are in the developmental, operational, and/or management chain of the system owner) independence in the assessment process can be achieved by ensuring that the assessment results are carefully reviewed and analyzed by an independent team of experts to validate the completeness, consistency, and veracity of the results. The authorizing official consults with the Office of the Inspector General, the senior information security officer, and the chief information officer to discuss the implications of any decisions on assessor independence in the types of special circumstances described above.
During a weekly Chief Information Officer's (CIO) status update, a Certified Authorization Professional (CAP) working for the CIO is informed that a contract for processing medical records is about to end. Which of the following options BEST represents the immediate concerns the CAP should bring to the attention of the federal contract manager? - Use FIPS 140-2 approved algorithms to personally verify destruction of all federal information stored on the contractor's system. - The manager of the contract needs to ensure that the contractor has disposed of all information in accordance with NIST SP 800-88. Independent verification of remnant destruction may be required. - In accordance with NIST SP 800-100, perform a risk assessment on the contractor system to determine if the medical records need to be degaussed. - Nothing, the Federal Acquisition Regulation (FAR) states the contractor is responsible for the system and the information.
Correct Answer The manager of the contract needs to ensure that the contractor has disposed of all information in accordance with NIST SP 800-88. Independent verification of remnant destruction may be required. Answer Explanation The manager of the contract is responsible for the federal information entrusted to a contractor. It is the contract manager's responsibility to ensure the contractor sanitizes or destroys all federal information, following NIST SP 800-88 (Guidelines for Media Sanitization), once it is no longer required for the contract. The nature and sensitivity of the information may require independent verification of the destruction. The FAR does not shift responsibility to the contractor: the owner of the information remains ultimately responsible for it, as FISMA provides. NIST SP 800-100 does not require a risk assessment prior to decommissioning; one would be performed only where another mission of the agency could be impacted. Degaussing may or may not be the correct approach, and because the media type is not specified, the best sanitization method cannot be determined from the question. FIPS 140-2 is a standard for cryptographic modules and is not related to the destruction of information.
When dealing with security control effectiveness, the common control provider relies on the Security Control Assessor (SCA) for what purpose? To determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable. To provide the common control provider a system authorization decision for the department information system. To identify flaws in the existing security plan for the usage of operational, management, and technical controls within the organization. To determine the extent to which the controls are implemented, operating as intended, and producing the desired outcome with respect to the security requirements for the information system.
Correct Answer To determine the extent to which the controls are implemented, operating as intended, and producing the desired outcome with respect to the security requirements for the information system. Answer Explanation The Security Control Assessor (SCA) determines the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. Deciding whether the resulting risk is acceptable, and issuing the authorization decision, are the responsibility of the authorizing official, not the assessor.
Which of the following must be documented and implemented according to the United States Office of Management and Budget (OMB)? Standardization Committee of China (SCC) International Organization for Standardization (ISO) American National Standards Institute (ANSI) United States Government Configuration Baseline (USGCB)
Correct Answer United States Government Configuration Baseline (USGCB) Answer Explanation The Office of Management and Budget (OMB) mandates the use of the United States Government Configuration Baseline through Memorandum 07-18. Additionally, FISMA requires secure baseline configurations for all systems.
You are an Information System Owner (ISO). During a routine vulnerability scan, several high risk vulnerabilities are discovered. Many will take several weeks or months to repair. Which response provides the BEST approach for ensuring risk management and transparency? - Email the scan results to the Information System Security Officer (ISSO) and ask her to update the system security plan and Plan of Actions and Milestones (POAM). Wait for the Information System Security Officer (ISSO) to provide further guidance and priority on resolving the vulnerabilities. - Run a scan with another tool to ensure comprehensive results. Ensure the Information System Security Officer (ISSO) receives a copy and deliver the raw scan report to the Authorizing Official (AO) immediately, who will need to make a risk based decision as soon as possible. - Begin making repairs as soon as possible. Rank and start with the highest ranked vulnerability on the list. Report completion of corrected items to the Information System Security Officer (ISSO) as each repair is complete. - Update the information system's security assessment report, plan of actions and milestones and system security plan to reflect the new security posture and inform the Information System Security Officer (ISSO), Chief Information Security Officer (CISO) and the Authorizing Official (AO) of the new risk.
Correct Answer Update the information system's security assessment report, plan of actions and milestones and system security plan to reflect the new security posture and inform the Information System Security Officer (ISSO), Chief Information Security Officer (CISO) and the Authorizing Official (AO) of the new risk. Answer Explanation Updating the documentation and reporting the risk ensures proper transparency and risk reporting. The first distracter states that the ISSO is responsible for the system security plan, when the information system owner is. The second distracter delivers a raw scan report to an executive who may not understand the technical details and who is not charged with weeding out false positives; the Authorizing Official (AO) normally works from the POAM, the security assessment report and the system security plan, and a raw report could lead to a hasty system shutdown or limitation. The third distracter neglects the need for timely risk visibility in the organization.
A vulnerability scan has been completed for an organization's network. Numerous vulnerable assets (print servers, workstations, servers) must now be prioritized for mitigation across the organization. What is the BEST approach for ensuring the mission of the organization is preserved? - Using the system inventory of the organization link the vulnerable asset to the parent system. Determine the impact of the system by reviewing its FIPS-199 categorization. Perform a risk assessment based on the impact of the system and the vulnerability discovered. Prioritize the entire scan results in this fashion. - Use the native scan results as they provide the vendor supplied risk level. Prioritize repairs and responses based on the vendor rating to ensure the high risk assets are remediated first. Update the Plan of Actions and Milestones (POAM) when competed. - Send an email to all asset owners informing them of the vulnerabilities with the scan results. Require the owners to patch their systems and report back to you when patching is completed. Use the Plan of Actions and Milestones (POAM) to monitor this task. - Start with the assets nearest to the organizational headquarters and begin patching those to ensure headquarters is least affected. Work with other components and geographic areas once headquarters is patched to ensure complete enterprise compliance.
Correct Answer Using the system inventory of the organization link the vulnerable asset to the parent system. Determine the impact of the system by reviewing its FIPS-199 categorization. Perform a risk assessment based on the impact of the system and the vulnerability discovered. Prioritize the entire scan results in this fashion. Answer Explanation A vulnerability will have a different impact across different FIPS-199 systems. The remediation of HIGH impact systems will take priority over MODERATE or LOW impact systems given an identical vulnerability. Vendor supplied risk information is typically based on assumptions which may not be valid for your organization. Care must be taken to differentiate between the act of ensuring compliance with a set baseline and performing the prioritization function which is risk management. Patching based on geographic area ignores the impact of the overarching system as does broadcasting "fix-it" lists to asset owners without risk analysis first. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- pg 17 Information Security Handbook: A Guide for Managers (NIST SP 800-100) October 1, 2006. http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf pg 43 Knowledge Area Understand The Security Authorization Of Information Systems
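The FIPS 199 high-water mark from the first question above and the inventory-driven prioritization in this answer can both be shown as a small worked procedure. The following Python is an added example written for this page, not code from the question set or from NIST: it categorizes each system by the highest impact among the information types it processes, links each scan finding to its parent system through the inventory, and ranks findings by system impact combined with scanner severity. The system names, hostnames, plugin names and the multiplicative scoring rule are constructed assumptions for illustration, not part of any NIST publication.

```python
"""Prioritise vulnerability-scan findings by FIPS 199 impact of the parent system.

Added example for this study page; systems, hosts, findings and the
scoring rule are constructed for illustration, not taken from any
real scan, inventory or NIST document.
"""

# FIPS 199 impact levels, ordered so the high-water mark is a max().
IMPACT = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Scanner severities mapped to a rank. The vendor rating is only one input;
# it is weighted by the categorization of the system the asset belongs to.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def categorize_system(info_types):
    """Apply the FIPS 199 high-water mark to a system.

    info_types: one dict per information type the system processes,
    mapping each objective to "low", "moderate" or "high".
    Returns the per-objective categorization plus "overall", the
    highest level across the three objectives.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    result = {}
    for objective in OBJECTIVES:
        result[objective] = max((t[objective] for t in info_types),
                                key=IMPACT.__getitem__)
    result["overall"] = max((result[o] for o in OBJECTIVES),
                            key=IMPACT.__getitem__)
    return result


def prioritize_findings(findings, inventory, systems):
    """Rank findings by parent-system impact, highest priority first.

    findings:  list of {"asset": host, "plugin": str, "severity": str}
    inventory: host -> system_id, the organization's system inventory
    systems:   system_id -> categorization from categorize_system()

    Returns (ranked, orphans). Orphans are findings on assets that are
    not in the inventory; they cannot be risk-ranked until the asset is
    linked to a system, which is itself a finding about the inventory.
    """
    ranked, orphans = [], []
    for finding in findings:
        system_id = inventory.get(finding["asset"])
        if system_id is None or system_id not in systems:
            orphans.append(finding)
            continue
        impact = systems[system_id]["overall"]
        # Assumed scoring rule: system impact weighted by scanner severity.
        score = IMPACT[impact] * SEVERITY[finding["severity"]]
        ranked.append({**finding, "system": system_id,
                       "impact": impact, "score": score})
    # Ties on score go to the higher-impact system, then to a stable name order.
    ranked.sort(key=lambda r: (-r["score"], -IMPACT[r["impact"]], r["asset"]))
    return ranked, orphans


# Constructed sample data (not a real inventory or scan output).
SAMPLE_SYSTEMS = {
    "HR-PAYROLL": categorize_system([
        {"confidentiality": "moderate", "integrity": "high", "availability": "low"},
        {"confidentiality": "moderate", "integrity": "moderate", "availability": "moderate"},
    ]),  # overall HIGH, driven by the integrity objective
    "PUBLIC-WEB": categorize_system([
        {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
    ]),  # overall MODERATE
    "CAFETERIA-MENU": categorize_system([
        {"confidentiality": "low", "integrity": "low", "availability": "low"},
    ]),  # overall LOW
}
SAMPLE_INVENTORY = {
    "payroll-db01": "HR-PAYROLL",
    "print-hr-02": "HR-PAYROLL",
    "web-01": "PUBLIC-WEB",
    "menu-kiosk": "CAFETERIA-MENU",
}
SAMPLE_FINDINGS = [
    {"asset": "menu-kiosk", "plugin": "SMBv1 enabled", "severity": "critical"},
    {"asset": "payroll-db01", "plugin": "Outdated DB listener", "severity": "high"},
    {"asset": "print-hr-02", "plugin": "Default SNMP community", "severity": "medium"},
    {"asset": "web-01", "plugin": "TLS 1.0 enabled", "severity": "high"},
    {"asset": "rogue-laptop", "plugin": "Unpatched browser", "severity": "critical"},
]

if __name__ == "__main__":
    ranked, orphans = prioritize_findings(SAMPLE_FINDINGS, SAMPLE_INVENTORY, SAMPLE_SYSTEMS)
    for r in ranked:
        print(f'{r["score"]:>2}  {r["impact"]:<8} {r["system"]:<15} {r["asset"]:<13} {r["plugin"]}')
    for f in orphans:
        print(f'??  not in inventory: {f["asset"]} ({f["plugin"]}); link to a system before ranking')
```

With the constructed data, the vendor-rated "critical" finding on the LOW-impact kiosk ranks last, below a "medium" finding on a printer that belongs to the HIGH-impact payroll system, which is exactly the ordering the answer argues for. The asset missing from the inventory is reported separately rather than silently dropped or guessed at, because an unregistered asset cannot be tied to a FIPS 199 categorization at all.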
An effective security control monitoring strategy for an information system includes - the annual assessment of all security controls in the information system. - monitoring the security controls of interconnecting information systems outside the authorization boundary. - all controls listed in NIST SP 800-53, Revision 3. - active involvement by authorizing officials in the ongoing management of information system-related security risks.
Correct Answer active involvement by authorizing officials in the ongoing management of information system-related security risks. Answer Explanation NIST SP 800-37, Revision 1 explicitly states (in appendix G, under Monitoring Strategy): " An effective organization-wide continuous monitoring program includes: •Configuration management and control processes for organizational information systems; • Security impact analyses on proposed or actual changes to organizational information systems and environments of operation; • Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the organization-defined continuous monitoring strategy; • Security status reporting to appropriate organizational officials; and • Active involvement by authorizing officials in the ongoing management of information system-related security risks." Not all of the NIST SP 800-53, Revision 3 security controls are required for an information system. The annual assessment is performed on a subset of the security controls in the information system. While security controls for a system interconnection should be monitored, the monitoring of the security controls on the interconnecting information system is the responsibility of the interconnecting information system's owner.
When contracting for services to process or store a federal organization's information, the information system used by the contractor to process or store federal information must - be registered in a separate inventory of contractor systems used by the organization but does not need to meet the same level of compliance as federal systems. - be registered in the organization's information system inventory and treated in an identical manner as a federal owned and operated system. - not be registered as it is not a federally owned system and therefore the organization has no responsibility for it - be registered in the contractor's systems inventory and meet the contractor's information security policy
Correct Answer be registered in the organization's information system inventory and treated in an identical manner as a federal owned and operated system. Answer Explanation FISMA and its requirements follow federal information. Therefore any system which processes, stores, transmits or disseminates federal information is subject to FISMA and must be registered in the organization's inventory. Organizations must treat contractor systems with the same level of due diligence as federally owned information systems.
The Risk Management Framework (RMF) and associated RMF tasks apply to - only system specific security controls. - only common controls. - both information systems and common controls. - only organization wide security systems.
Correct Answer both information systems and common controls. Answer Explanation The Risk Management Framework (RMF) and associated RMF tasks apply to both Information System Owners (ISO) and common control providers.
An organization-wide incident response plan is established which requires that all information system incidents are reported to the organization's incident response team. The policy also establishes that the incident response team is responsible for all follow-up investigation and reporting. Incident response security controls have been developed, implemented, assessed, and authorized in an organization-wide information system security plan. An information system security plan for an information system in this organization will identify the incident response controls as hybrid. common. system-specific. compensating.
Correct Answer common. Answer Explanation The Incident Response Team has been authorized by the organization to provide incident response controls for all organizational information systems, and the incident response controls have been implemented, assessed, and authorized. According to NIST SP 800-53, Revision 3: "Common controls are security controls that are inheritable by one or more organizational information systems. The organization assigns responsibility for common controls to appropriate organizational officials and coordinates the development, implementation, assessment, authorization, and monitoring of the controls."
An organization utilizes a commercial service provider for pickup and offsite storage of backup media. The information system owner of one of the organization's information systems has established backup data encryption and media marking procedures prior to backup media pickup by the commercial service provider. This is an example of - Business Impact Analysis (BIA). - common controls. - System of Records Notice (SORN) requirements. - compensating controls.
Correct Answer compensating controls. Answer Explanation According to NIST SP 800-53, Revision 3, Organizations are responsible and accountable for the risk incurred by use of services provided by external providers and address this risk by implementing compensating controls when the risk is greater than the authorizing official or the organization is willing to accept. Compensating Security controls as defined in the glossary: The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the baselines described in NIST Special Publication 800-53 and CNSS Instruction 1253, that provide equivalent or comparable protection for an information system. The Business Impact Analysis (BIA) and System of Records Notice (SORN) have no requirements for data backup encryption.
An organization has developed an enterprise policy and strategy to implement awareness and training security controls. A department within this organization has decided to supplement the security controls because the department manager believes the enterprise controls do not meet the protection needs of the department's information system. The supplemental controls are examples of a. system-specific controls. b. hybrid controls. c. common controls. d. compensating controls.
Correct Answer compensating controls. Answer Explanation For common controls that do not meet the protection needs of the information systems inheriting the controls or that have unacceptable weaknesses or deficiencies, the system owners identify compensating or supplementary controls to be implemented. System-specific controls provide a security capability for a particular information system only, common controls provide a security capability for multiple information systems and hybrid controls have both system-specific and common characteristics. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 16 Knowledge Area Establish The Security Control Baseline
FIPS 199 Standards for Security Categorization of Federal Information and Information Systems defines the potential impact of a security breach based on - data confidentiality, integrity or accessibility. - systems Authentication, Authorization and Accounting (AAA). - Business Impact Analysis (BIA) and annual loss expectancy. - data confidentiality, integrity, or availability.
Correct Answer data confidentiality, integrity, or availability. Answer Explanation FIPS 199 Standards for Security Categorization of Federal Information and Information Systems defines potential impact in terms of the three security objectives: confidentiality, integrity, and availability. "Accessibility" is not a FIPS 199 security objective, and AAA, BIA and annual loss expectancy are not part of the FIPS 199 categorization.
The criteria for selecting security controls to be monitored post deployment and for determining the frequency of such monitoring are established - during development of the security control monitoring strategy. - during the risk assessment process. - by FISMA. - before development of the security control monitoring strategy.
Correct Answer during development of the security control monitoring strategy. Answer Explanation RMF Task 2-3, Monitoring Strategy, in NIST SP 800-37, Revision 1 states that the criteria for selecting security controls to be monitored post deployment and for determining the frequency of such monitoring are established by the information system owner or common control provider in collaboration with selected organizational officials including, for example, the authorizing official or designated representative, chief information officer, senior information security officer, and risk executive (function).
The purpose of the security assessment plan is to establish expectations for the security control assessment. certify the system. establish the cost for the security control assessment. establish the plan of actions and milestones.
Correct Answer establish expectations for the security control assessment. Answer Explanation The purpose of the security assessment plan approval is two-fold: (i) to establish the appropriate expectations for the security control assessment; and (ii) to bound the level of effort for the security control assessment. Bounding the level of effort is not the same as establishing the cost of the assessment. The plan of action and milestones is produced after the control assessment is completed. Authorizing the system is a separate, later decision by the authorizing official and is not the purpose of the assessment plan. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- Pg 30 (pp 1) Knowledge Area Assess Security Controls
Periodic security status reporting is - a poor method of risk management. - only performed once every three years according to FISMA. - performed at the discretion of the system owner. - event driven or time driven as determined by the organizational risk requirements
Correct Answer event driven or time driven as determined by the organizational risk requirements. Answer Explanation Status reporting is at a minimum either event driven or time driven; in many organizations it is based on both event and time triggers. FISMA mandates annual reporting. System owners may have input into reporting but should not be the sole decision-making authority, due to the conflict of interest: a system owner may be hesitant to voluntarily report problems with their system should it cast doubt on their administration of that system. Status reporting is a key component of a healthy risk management framework. Security status reporting can be: (i) event-driven (e.g., when the information system or its environment of operation changes or the system is compromised or breached); (ii) time-driven (e.g., weekly, monthly, quarterly); or (iii) both (event- and time-driven). Security status reports provide the authorizing official and other senior leaders within the organization essential information with regard to the security state of the information system, including the effectiveness of deployed security controls. Security status reports describe the ongoing monitoring activities employed by the information system owner or common control provider. Security status reports also address vulnerabilities in the information system and its environment of operation discovered during the security control assessment, security impact analysis, and security control monitoring, and how the information system owner or common control provider intends to address those vulnerabilities. Organizations have significant latitude and flexibility in the breadth, depth, and formality of security status reports. Security status reports can take whatever form the organization deems most appropriate.
The goal is cost-effective and efficient ongoing communication with senior leaders conveying the current security state of the information system and its environment of operation with regard to organizational missions and business functions. At a minimum, security status reports summarize key changes to security plans, security assessment reports, and plans of action and milestones. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- pg 40 Knowledge Area Monitor Security Controls
The use of automated tools to perform security control assessments - is best performed by independent contractors who have the training and experience to maximize the efficiency and effectiveness of each tool. - facilitates a greater frequency and volume of assessments to meet an organization's monitoring strategy. - is not possible since there are no tools that can perform a comprehensive security control assessment specific to each organization's unique environment. - should be avoided as automated tools provide a specific vendor's viewpoint and not necessarily an accurate assessment of an organization's unique implementation of security controls.
Correct Answer facilitates a greater frequency and volume of assessments to meet an organization's monitoring strategy. Answer Explanation Using automated tools to perform security control assessments is more efficient than performing manual assessments. Automated tools allow an organization to perform more frequent assessments and to assess a greater volume of security controls without using more people and more work hours. Using independent contractors is sometimes a good security practice, but in-house resources can perform assessments that are as accurate or more accurate, since they have a detailed understanding of the deployment of the security controls, the expected performance of each security control, and the organization's business requirements. Tools do reflect their vendor's assumptions, which is a reason to review and tune their results, not a reason to avoid them. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22,2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- Chapter 3, page 39 Knowledge Area Understand The Security Authorization Of Information Systems
Office of Management and Budget (OMB) Circular A-130 requires all federal information systems to - use the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). - have security plans. - comply with National Security Agency (NSA) security guidelines. - implement the Risk Management Framework (RMF).
Correct Answer have security plans. Answer Explanation OMB Circular A-130 requires all federal information systems to have a security plan. It does not require compliance with National Security Agency (NSA) security guidelines, implementation of the Risk Management Framework (RMF), or the use of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP).
The Risk Management Framework (RMF) and the System Development Life Cycle (SDLC) - are waterfall methodologies with the RMF preceding the SDLC. - integrate information security into software/system development. - are competing methodologies for developing secure software. - serve different security requirements and have no relationship.
Correct Answer integrate information security into software/system development. Answer Explanation NIST SP 800-37 states: "The RMF has the following characteristics: Integrates information security into enterprise architecture and system development life cycle."
The unauthorized modification or destruction of information is a loss of - privacy. - confidentiality. - availability. - integrity.
Correct Answer integrity. Answer Explanation The security objective of integrity is concerned with guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity. Confidentiality is about preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of availability is the disruption of access to or use of information or an information system. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 2 Knowledge Area Categorize Information Systems
An accurate information systems inventory allows an organization to - meet NISTIR 7358 requirement for documenting all information systems hardware installed on a federal government network. - identify which systems require security controls and which systems do not require security controls. - determine final risk based on the documented cost of each information system and an objective best guess cost of the data stored on each information system. - make explicit decisions regarding where to allocate the controls in order to satisfy organizational security requirements.
Correct Answer make explicit decisions regarding where to allocate the controls in order to satisfy organizational security requirements. Answer Explanation NIST SP 800-53 states, "Organizations assess the inventory of information system components to determine which security controls are applicable to the various components and subsequently make explicit decisions regarding where to allocate the controls in order to satisfy organizational security requirements." All information systems require security controls. NISTIR 7358 does not include an information systems hardware documentation requirement. An objective best guess of the cost of the data stored on each information system is not a good method of determining risk.
Best security practice requires that personnel implementing changes to production systems should - not be the same personnel who developed the change. - implement the change at a random time to prevent attacks when a system's security controls are known to be turned off. - be the same personnel who developed the change. - not be the primary system administrators responsible for the system being changed.
Correct Answer not be the same personnel who developed the change. Answer Explanation Personnel who develop changes should not have the authorization and permissions to install the changes on production systems. If developers can install changes on production systems, they can bypass peer testing and change review processes that should catch unauthorized changes and vulnerable code or configuration settings. In order to reduce potential negative impact during heavy use periods, changes should be implemented during scheduled maintenance windows and not at random times. Changes should be installed by the system administrators who know the systems, not by system administrators who do not understand the correct system configuration, processes and functions. Reference Information Security Handbook: A Guide for Managers (NIST SP 800-100) October 1, 2006. http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf Chapter 14, page 136 Knowledge Area Monitor Security Controls
When implementing information system security controls, the Information System Owner (ISO) must ensure consistency with - organizational enterprise architecture and information security architecture. - application and information system default settings. - vendor recommended control selections. - industry best practices.
Correct Answer organizational enterprise architecture and information security architecture. Answer Explanation Security control implementation is consistent with the organization's enterprise architecture and information security architecture. The information security architecture serves as a resource to allocate security controls (including, for example, security mechanisms and services) to an information system and any organization defined subsystems. Security controls targeted for deployment within the information system (including subsystems) are allocated to specific system components responsible for providing a particular security capability.
When documenting security controls, Information System Owners (ISO) must ensure the documentation contains - OMB Circular A-127 and OMB Circular A-11 information related to financial control implementation and the effectiveness of independent audit control documents. - Open Vulnerability Assessment Language (OVAL) information for managerial controls detailing the interconnection of management controls with third party common control providers. - platform dependencies and additional information necessary to describe how the security capability required by the security control is achieved at the level of detail sufficient to support control assessment. - Federal Desktop Core Configuration (FDCC) information for servers and routers detailing specific configuration and registry settings including security content automation protocol (SCAP) design specifications.
Correct Answer platform dependencies and additional information necessary to describe how the security capability required by the security control is achieved at the level of detail sufficient to support control assessment. Answer Explanation To the extent possible, organizations reference existing documentation (either by vendors or other organizations that have employed the same or similar information systems), use automated support tools, and maximize communications to increase the overall efficiency and cost effectiveness of security control implementation. The documentation also addresses platform dependencies and includes any additional information necessary to describe how the security capability required by the security control is achieved at the level of detail sufficient to support control assessment. Documentation for security control implementation follows best practices for hardware and software development as well as for system/security engineering disciplines and is consistent with established organizational policies and procedures for documenting system development life cycle activities. Whenever possible and practicable for technical security controls that are mechanism-based, organizations take maximum advantage of functional specifications provided by or obtainable from hardware and software vendors and/or systems integrators including security-relevant documentation that may assist the organization during the assessment and monitoring of the controls. OMB Circular A-11 is not related to control documentation. A-127 is related to financial systems management. Open Vulnerability Assessment Language (OVAL) is not related to managerial controls. Federal Desktop Core Configuration does not apply to servers or routers. Security content automation protocol design specifications would not typically be documented in a security plan. 
Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 29 Knowledge Area Apply Security Controls
The creation of the Security Control Assessment Plan requires supporting materials to be identified to give the Information System Owner (ISO) and their staff time to gather all requested data. Supporting material includes various logs, reports, records showing evidence of security control implementation and - procedures. - test steps. - new authorization letter. - security accreditation package.
Correct Answer procedures. Answer Explanation The Security Control Assessment Plan identifies procedures that will be examined so the System Owner (SO) and other personnel have enough time to gather them together for the assessment team. The test steps are actually in the Security Control Assessment Plan. Both the security accreditation package and the new authorization letter are completed after the assessment is finished.
The level of effort required to ensure appropriate security for a particular information system depends upon the - procurement policy of the organization. - time period for review of security assessment for that information system. - security categorization of the information system. - audit logs of the information system.
Correct Answer security categorization of the information system. Answer Explanation The security categorization process influences the level of effort expended when implementing the RMF tasks. Information systems supporting the most critical and/or sensitive operations and assets within an organization, as indicated by security categorization, demand the greatest level of attention and effort to ensure that appropriate security and risk mitigation are achieved. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 19 Knowledge Area Assess Security Controls
Security controls for an information system are assessed in accordance with the - vulnerability assessment. - security control assessment plan. - testing and evaluation. - security plan.
Correct Answer security control assessment plan. Answer Explanation Task 4.2: Assess the security controls in accordance with the assessment procedures defined in the security assessment plan. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 31 Knowledge Area Assess Security Controls
Common controls are BEST described as - security controls that apply to more than one information system. - security controls that are inheritable by one or more organizational information systems. - security controls that are another organization's responsibility. - security controls necessary to adequately mitigate risk.
Correct Answer security controls that are inheritable by one or more organizational information systems. Answer Explanation NIST SP 800-53, Revision 3 states that "Common controls are security controls that are inheritable by one or more organizational information systems." While it is true that common controls might be viewed as another organization's responsibility, this answer is too vague. In fact, the responsibility for common controls is shared by at least the common control provider, the Information System Owner (ISO) of the information system inheriting the common control, and organizational officials who authorize the common control. While it is true that common controls are usually inheritable by more than one information system, common controls can be inheritable by only one information system. In addition, the word "apply" is too vague. NIST specifically uses the word "inheritable" for a security control which provides protection (completely or partially) to another application or system. While it is true that common controls may adequately mitigate risk, this answer does not specifically describe common controls. Reference Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53) May 2010. Rev. 3 final: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf page 10 Knowledge Area Understand The Security Authorization Of Information Systems
An effective continuous monitoring program requires - information assurance professionals to frequently monitor hacker websites to understand new attacks. - security impact analysis on changes to the information system. - either a National Information Assurance Partnership (NIAP) approved or a Common Criteria Evaluation Assurance Level (EAL) 4 approved network monitoring tool. - FIPS 140-2 compliant encryption of all data collected.
Correct Answer security impact analysis on changes to the information system. Answer Explanation A continuous monitoring program refers to frequent checking of security controls to ensure that they are functioning as expected, still required, and that installed system changes have not resulted in security controls being bypassed or that there is not a requirement for new security controls. The requirement to encrypt data depends on the sensitivity of the data and the data owner's need to protect the data. Continuous monitoring program data may not require encryption. Tools that monitor networks for intrusions or vulnerabilities are not the same thing as a continuous monitoring program focused on security controls. It is a good practice for security professionals to stay current on the latest hacker attacks, but it is not a requirement of a continuous monitoring program. Reference Information Security Handbook: A Guide for Managers (NIST SP 800-100) October 1, 2006. http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf 11.6 Continuous Monitoring, page 103 Knowledge Area Monitor Security Controls
The results of the security categorization process will MOST influence the - selection of appropriate security controls. - authorization decision. - Security Assessment Report (SAR). - Plan of Action and Milestones (POAM).
Correct Answer selection of appropriate security controls. Answer Explanation The results of security categorization will most influence the selection of appropriate security controls and also, where applicable, the minimum assurance requirements for that system. For all other answers, security categorization is done earlier in the RMF and is not the most influential factor. For example, the security assessment report, POAM, and updated security plan will influence the authorization decision. The results of the security control assessment will influence the security control assessment report.
An effective continuous monitoring program can be used to - meet an organization's requirement for periodic information assurance training of all computer users. - replace information system security audit logs. - meet the FIPS PUB 200 requirement for monthly risk assessments. - support the FISMA requirement for annual assessment of the security controls in information systems.
Correct Answer support the FISMA requirement for annual assessment of the security controls in information systems. Answer Explanation FISMA has a requirement for annual assessment of information systems. FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, does not have a requirement for monthly risk assessments. Continuous monitoring of systems is not a task performed by all of an organization's computer users and is not an information assurance training activity. Continuous monitoring does not collect the same data as audit logs and therefore does not replace the requirement for audit logs.
The Security Assessment Plan provides the objectives for the security control assessment, a detailed roadmap of how to conduct such an assessment, and - penetration steps. - a system security plan. - Plan of Actions and Milestones (POAM). - test procedures.
Correct Answer test procedures. Answer Explanation The test procedures are included in the Security Assessment Plan. Actual penetration testing is only done at the request of the Authorizing Official. Plan of Actions and Milestones are required after the assessment and the System Security Plan is the basis of the test.
The results of the security categorization, boundary of the information system, and information flows and paths, are pieces of information that might be included in - a Security Assessment Report (SAR). - a Plan of Action and Milestone (POAM). - the information system's description. - the security assessment plan.
Correct Answer the information system's description. Answer Explanation According to Task 1-2 (Describe the information system, including the system boundary, and document the description in the security plan), the security categorization results, the boundary of the information system, and information flows and paths are pieces of information that might be included in an information system's description. The level of detail provided in the security plan is determined by the organization and is typically commensurate with the security categorization of the information system. Information may be added to the system description as it becomes available during the system development life cycle and execution of the RMF tasks. The aforementioned information is not required by the POAM, SAR, or the security assessment plan.
Information system registration, in accordance with organizational policy, uses information in the system identification section of the security plan to inform the parent or governing organization of - an information system with a HIGH impact system categorization that is going into operation and the need to begin continuous monitoring. - the need to re-authorize the information system and ensure transparency with the Authorizing Official (AO). - the information system's existence and any security implications for the organization due to the ongoing operation of the system. - an information system that has been denied authorization to operate and the potential impact to the organization.
Correct Answer the information system's existence and any security implications for the organization due to the ongoing operation of the system. Answer Explanation Information system registration, in accordance with organizational policy, uses information in the system identification section of the security plan to inform the parent or governing organization of: (i) the existence of the information system; (ii) the key characteristics of the system; and (iii) any security implications for the organization due to the ongoing operation of the system. This correct response is the only answer that pertains to information that should be documented in the "system identification section" of the security plan. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 22 Knowledge Area Categorize Information Systems
According to the Office of Management and Budget (OMB) a Plan of Action and Milestones (POAM) must contain - the type of weakness, the office or organization responsible for the weakness, estimated resources, scheduled completion date, key milestones, milestone changes, the source of discovery for the weakness and the present status. - the type of weakness, the office or organization responsible for the weakness, estimated resources, scheduled completion date, justification for risk acceptance, milestone change, the source of discovery for the weakness and the present status. - the type of weakness, the office or organization responsible for the weakness, estimated resources, scheduled completion date, key milestones, delay justification, the source of discovery for the weakness and the present status. - the type of weakness, the risk transfer party, estimated resources, scheduled completion date, key milestones, milestone changes, the source of discovery for the weakness and the present status.
Correct Answer the type of weakness, the office or organization responsible for the weakness, estimated resources, scheduled completion date, key milestones, milestone changes, the source of discovery for the weakness and the present status. Reference Candidates should be up-to-date on all OMB systems memorandums, circulars and directives. (Office of Management and Budget (OMB)) http://www.whitehouse.gov/omb/memoranda_m02-01
The purpose of the security assessment plan approval is two-fold: to establish the appropriate expectations for the security control assessment; and - to identify controls as common, hybrid or system specific controls. - to certify the system. - to determine the accreditation boundary. - to determine the level of effort for the security control assessment.
Correct Answer to determine the level of effort for the security control assessment. Answer Explanation The security assessment plan must establish the level of effort for the testers (this is usually based on the FIPS 199 determination, but the Authorizing Official (AO) can modify the test requirements). The accreditation boundary is determined during the creation of the security plan. System certification is the desired end result of the assessment. Identification of the types of controls is also done during the creation of the security plan. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 30 (Supplemental Guidance, pp 1) Knowledge Area Assess Security Controls
Ongoing security control assessment strategies should include reviews of the - common, inherited and non-logical security controls. - enterprise-level policy controls, the local physical security controls and the network security controls. - technical, operational, logical and non-logical security controls. - technical, management, and operational security controls employed within and inherited by the information system.
Correct Answer technical, management, and operational security controls employed within and inherited by the information system. Answer Explanation Security controls are defined as technical, management and operational. Security controls can be inherited from another organization. All of those controls need to be continuously reviewed. The other selections do not include all the types of security controls (technical, management, and operational security controls and inherited) that need ongoing assessments. Reference Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 38 Knowledge Area Understand The Security Authorization Of Information Systems
Information system boundaries are established in coordination with the security categorization process and - after the security control assessment. - during the Business Impact Analysis (BIA). - before the development of security plans. - while performing continuous monitoring.
Correct Answer - before the development of security plans. Answer Explanation - Well-defined boundaries establish the scope of protection for organizational information systems (i.e., what the organization agrees to protect under its direct management control or within the scope of its responsibilities) and include the people, processes, and information technologies that are part of the systems supporting the organization's missions and business processes. Information system boundaries are established in coordination with the security categorization process and before the development of security plans. The establishment of boundaries should be defined prior to the other answers. Reference - Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37) February 22, 2010. Rev. 1 Final: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1- page 10 Knowledge Area - Categorize Information Systems