ATO Level II: Antiterrorism Level 2 training
Which of the following an ATO responsible for? (Select all the apply.)
*Managing the AT program *Providing and tracking level 1 training for unit personnel *Developing and implementing FPCON requirements
Which of the following are considered tactics of terrorist groups? (Select all that apply.)
*Using a flexible array of means and materials *Attack is the primary type of operation
Why might a potential captor take a victim hostage? (Select all that apply.)
A.) For the publicity the situation would generate B.) Because the victim is in the wrong place at the wrong time C.) Because the victim may be a source of trouble otherwise
Select ALL the correct responses. Which of the following are examples of a "Security Anomaly" and should be reported?
A.) Foreign officials reveal details they should not have known B.) An adversary conducts activities with precision that indicates prior knowledge
The number, size, and the overall structure of the terrorist group cells depends on:
A.) Goals of the terrorist group B.) The security in the group's operating area C.) The abilities of the group's communication network
During an active shooter situation, you should:
A.) Hide B.) Evacuate C.) Take Action
What techniques should a victim use to try and avoid unnecessary violence during capture?
A.) Hide materials indicating affiliation with the U.S. Government for leverage. B.) Resist panicking. C.) Anticipate the captor's efforts to create confusion.
Which of the following are considered common characteristics of terrorist groups?
A.) Highly mobile B.) Operate covertly C.) Urban based
Of the following assessments, which are used to help complete the threat assessment summary? (Select all that apply)
A.) History assessment B.) Intent assessment C.) Collection capabilities assessment
A terrorist threat level is:
A.) Identified as High, Significant, Moderate, or Low B.) An intelligence community judgment about the likelihood of terrorist attacks on U.S. interests OR An indication that a terrorist group is operationally active and targeting U.S. interests
Force Protection Conditions (FPCONs) are:
A.) Identified as Normal, Alpha, Bravo, Charlie, or Delta B.) A system of protective measures used by DoD installations and organizations to guard against and deter terrorist attacks
When law enforcement arrives, you should:
A.) Immediately raise hands and spread fingers B.) Remain calm, and follow officers' instructions
An asset can be defined as anything that ______. (Select all that apply)
A.) Is of value B.) Requires protection
A dirty bomb ______________________. (Select all that apply.)
A.) Is used by terrorists to frighten people and make the land around the explosion unusable for a long period of time B.) Combines conventional explosives with radioactive materials
An AT plan ______________________. (Select all that apply.)
A.) Is written from the Service or Agency level down to the Installation level for permanent operations or locations B.) Contains all of the specific measures that need to be taken in order to establish and maintain an AT program C.) Is incorporated in operation orders for temporary operations or exercises (ALL)
Which of the following are examples of temporary barriers? (Select all that apply.)
A.) Jersey barriers B.) Ropes
Techniques for helping a hostage survivor return to a daily routine include:
A.) Limiting contact with the press. B.) Refraining from making public statements about the captor.
When placing vehicle barriers, consider __________________
A.) Location B.) Aesthetics C.) Safety (ALL OF ABOVE)
Symptoms exhibited when suffering from the Stockholm Syndrome include:
A.) Losing touch with reality B.) Hindering rescue efforts
There are several techniques hostages can use to help them survive a hostage situation. They should:
A.) Maintain a regular exercise routine. B.) Remain constantly alert for any sign of being rescued.
Why do terrorists use a compartmented cell structure? (Select all that apply.)
A.) Makes it difficult to penetrate the entire organization B.) Compromise or loss of one cell does not compromise the other cells
Chemical agents are:
A.) Nerve agents, such as sarin, that interfere with the functioning of the nervous system B.) Identifiable with the sudden onset of symptoms
Select ALL the correct responses. Which of the following are sources of information system change that security-focused configuration management (SecCM) addresses to mitigate risk?
A.) New, enhanced, corrected, or updated hardware and software capabilities. B.) Patches for correcting software flaws and other errors to existing components.
Which of the following are considered common goals of terrorist groups?
A.) Obtaining money and equipment B.) Release of imprisoned comrades C.) Influencing government decisions, legislations, or elections
Which of the following are symptoms that a hostage may be experiencing Stockholm syndrome?
A.) Perceiving the captor as a victim of circumstance versus an aggressor B.) Identifying with the captor
RAM is the random use of various protective measures in order to:
A.) Rehearse procedures B.) Frustrate terrorist planning C.) Heighten unit awareness
Select ALL the correct responses. To minimize the ability of an Insider Threat to go undetected, you and your coworkers must:
A.) Report all security infractions, violations, or suspicious activity to your supervisor and the Office of Security B.) Follow all security rules and regulations
The ATO is _____________________________________.
A.) Responsible for continuously documenting funding requirements B.) The expert within an organization for generating, prioritizing, and appropriately documenting AT requirements
The ATO is ______________________. (Select all that apply.)
A.) Responsible for making decisions regarding requirement funding B.) The expert within an organization for generating, prioritizing, and appropriately documenting AT requirements
Which of the following are examples of expedient perimeter barriers?
A.) Ropes B.) Jersey wall segments
DoD AT Construction Standards: (Select all that apply.)
A.) Specify design criteria for incorporating threat-based AT requirements B.) Provide minimum construction requirements for new construction and major renovations C.) Mandate Services and/or Agencies establish AT guidelines for new construction to counter terrorism threat capabilities (ALL)
A captor will exert control and dominance over a hostage by:
A.) Taking all of a hostage's life quality aids, such as glasses or hearing aids B.) Confiscating a hostage's personal items, such as a watch or wallet C.) Isolating a hostage from any human contact
Which of the following methodology factors did the DoD take into account?
A.) Terrorist History B.) Terrorist Capabilities C.) Terrorist Intentions
Which of the following statement(s) pertaining to terrorist operations are true?
A.) Terrorist operations are relatively easy to execute because they are relatively easy to command, control, and support. B.) To ensure a sound operation, terrorists rehearse the operation in an environment mirroring the target location. C.) Terrorists select multiple targets as potential locations for the actual operation.
Which of the following statements are true regarding terrorist operations? (Select all that apply.)
A.) Terrorists select multiple targets as potential locations for the actual operation. B.) Terrorist rehearse the operation in an environment mirroring the target location or in the target location itself.
A typical AT program organization includes the following members: (Select all that apply.)
A.) The ATO and the Installation Commander B.) Antiterrorism Executive Committee C.) The Threat Working Group
Training related to the Code of Conduct is conducted at different levels based on:
A.) The amount of sensitive information the Service member has. B.) A potential captor's assessment of the Service member's usefulness. C.) The Service member's susceptibility to capture.
The number, size, and overall structure of terrorist group cells depend upon
A.) The goals of the terrorist group B.) The number of members in the terrorist group C.) The abilities of the group's communication network
If a terrorist group is labeled state-directed:
A.) The group is primarily supported by a country or state B.) Activities are conducted at the direction of the state C.) The group may be an element of the state's security organization
Perspectives to any terrorist event are:
A.) The terrorist perspective that feels killing innocent people is morally justified to achieve objectives B.) The victim perspective that sees terrorist acts as criminal and immoral C.) The general public perspective that either supports or is against the terrorist causes
Different perspectives to any terrorist event include which of the following? (Select all that apply.)
A.) The terrorist perspective that feels killing innocent people is morally justified to achieve objectives. B.) The victim perspective that sees terrorist acts as criminal and immoral. C.) The general public perspective that either supports or opposes the terrorist causes.
Immediately upon capture, the victim must decide to resist the captor, escape the situation, or surrender and cooperate with the captor. Which of the following will influence the victim's decision?
A.) The victim's self-defense and survival skills B.) The number of captors C.) Whether or not the captors are armed
Which of the following are reasons a future captor may have for selecting potential victims?
A.) The victims' nationality B.) The victims' value to their families C.) The victims' financial resources
Which of the following statements are true?
A.) To achieve a chaotic atmosphere, a terrorist group will disrupt lines of communication. B.) Attacks against a state government's security forces are used to erode public confidence. C.) Major acts or a successful terrorist campaign can attract additional support for the group's cause.
When performing a countermeasures cost benefit analysis, which two of the following are good questions to ask?
A.) To what degree does the option delay, deter, detect, defend, or destroy? B.) How does the asset value compare to proposed cost of protection?
Select ALL the correct responses. Which of the following are key information provided in a security audit trail analysis?
A.) Unsuccessful accesses to security-relevant objects and directories B.) Successful and unsuccessful logons/logoffs C.) Denial of access for excessive logon attempts
Which of the following are common characteristics of a ramming attack? (Select all that apply.)
A.)Targeting of Public venues B.) Lack of observable indicators immediately before the attack
Select ALL the correct responses. Which of the following are requirements for audits as outlined in the National Industrial Security Program Operating Manual (NISPOM)?
A:) Audit trail contents must be protected against unauthorized access, modification, or deletion. B.) Audit trail analysis and reporting of security events must be performed at least weekly.
This security Configuration Management (CM) control includes physical and logical access controls and prevents the installation of software and firmware unless verified with an approved certificate.
Access Restrictions for Change
Which of the following configuration management controls supporting continuous monitoring activities focuses on physical and logical access controls, workflow automation, media libraries, abstract layers, and change windows and supports auditing of the enforcement actions?
Access Restrictions for Change
Which of the following is a risk management role in continuous monitoring (CM)?
Addressing risks from an information system and platform information technology system perspective to ensure a process for analyzing threats and vulnerabilities is in place, defining the impact, and identifying countermeasures.
Which paragraph of the AT plan defines the requirements for supporting the AT Plan?
Administration and Logistics
An insider threat could pose a threat to:
All of the above
Collection methods of operation frequently used by Foreign Intelligence Entities to collect information from DoD on the critical technology being produced within the cleared defense contractor facilities we support include:
All of the above
Cyber Vulnerabilities to DoD Systems may include:
All of the above
During a Risk Assessment, which element(s) must be considered to make well-informed decisions?
All of the above
Exploitable weaknesses considered by a Foreign Intelligence Service when considering a source for recruitment may include:
All of the above
Security functions that must be performed for a physical security system to protect DoD assets include
All of the above
Specific guidance for captured U.S. military personnel applies to situations in which they:
All of the above
The following actions can potentially reduce or compromise your network security and place in jeopardy the lives of our men and women:
All of the above
Which of the following are consider common goals of terrorist groups?
All of the above
Which of the following are potential indicators of an insider threat?
All of the above
Which of the following are reasons why AT plan exercises are important?
All of the above
Which of the following are sources of insider security problems?
All of the above
Which of the following is considered a common characteristic of terrorist groups?
Being highly mobile
Why would an interim facility security clearance be granted instead of a final facility security clearance?
Because final eligibility determinations for all key management personnel have not yet been completed
In a parent-subsidiary relationship where both the parent and the subsidiary require a facility security clearance, but only the subsidiary is required to store classified information, who must execute DD Form 441?
Both the parent and the subsidiary must execute their own DD Form 441.
The evaluation of which of these identifies key management personnel?
Business structure
Which of the following is NOT a good interview question for determining an adversary's history?
Does the adversary have the weapons or tools for exploiting or attacking an asset?
Which AT plan exercise(s) uses scenario driven events to test specific portions of the AT plan?
Drill
If a hostage senses or realizes a rescue attempt is imminent, the hostage should:
Drop to the floor and remain still until rescuers provide instructions
Which of the following requires that individual's actions on an information system be auditable?
National Industrial Security Program Operating Manual (NISPOM), Chapter 8.
Facility M has a facility security clearance at the Confidential level. It has not performed work on an active classified contract in 12 months but expects to begin performance of work on a classified contract next month. What action needs to be taken regarding its facility security clearance?
No action is necessary
Does being processed for a facility security clearance have a direct cost to the contractor?
No, there is no direct cost to the contractor for being processed for a facility security clearance
A contractor with a cleared facility recently sold some of its shares of stock, but the sale did not result in a change in majority ownership stakes. Does this need to be reported to the facility's Industrial Security Representative as a change condition?
No, this does not need to be reported
Can a final facility security clearance be issued if all the key management personnel involved with the facility security clearance request process have not yet received final eligibility determinations for access to classified information?
No. All the involved key management personnel must have final personnel security clearance determinations in order for the facility to be issued a final facility security clearance.
When determining an adversary's capability, which of the following collection methods includes resources such as newspapers, internet, magazines, and conventions, FOIA requests, seminars, and exhibits?
OSINT
The patch management process integrates with SecCM when performing a Security Impact Analysis to determine whether unanticipated effects from a patch resulted in a change to existing security controls.
Phase 4: Monitoring
Terrorists collect information from media and internet research.
Phase I: Broad Target Selection
Terrorists gather information on security measures and observable routines.
Phase II: Intelligence Gathering and Surveillance
Terrorists determine the weapon or attack method.
Phase IV: Pre-Attack Surveillance and Planning
Terrorists deploy into the target area.
Phase V: Attack Rehearsal
Analyzing an asset in an unprotected state first and then analyzing the asset considering the current countermeasures is called ______ analysis.
Regressive
Which of the following terrorist group goals is generally accomplished through skyjacking and hostage taking?
Release of incarcerated comrades
DoD personnel who suspect a coworker of possible espionage should:
Report directly to your CI or Security Office
A Threat Assessment (TA)
Results from a threat analysis and must be performed annually at the installation level.
Match the type of Terrorist attack with its description Raid Assassination Ambush Seizure Bombing Hijacking Sabotage
Surprise attack on a defined target Murder of a prominent person usual f/political reasons Sudden attack from a concealed position Occupying and holding a prominent building Most common type of terrorist attack Forceful seizure of a surface vehicle Weaken an entity through disruption or destruction
Hostage Barricade
The seizure of a facility to include taking all persons inside hostage.
Kidnapping
The unlawful seizure and detainment of a person, where the person is usually held for ransom.
Criminal, terrorist, insider, and natural disasters are examples of categories of ______.
Threats
Which of the following is an example of how counterintelligence and cybersecurity personnel support continuous monitoring?
Through aggregation and analysis of Suspicious Network Activity via cyber intrusion, viruses, malware, backdoor attacks, acquisition of user names and passwords, and similar targeting, the DSS CI Directorate produces and disseminates reports on trends in cyberattacks and espionage.
Which of the following describes how the Information System Continuous Monitoring (ISCM) strategy supports the Tier 1 ORGANIZATION approach to risk management?
Tier 1 ISCM strategies focus on how the organization plans to assess, respond to, and monitor risk as well as the oversight required to ensure that the risk management strategy is effective.
Which of the following describes how the Information System Continuous Monitoring (ISCM) strategy supports the Tier 2 MISSION/BUSINESS PROCESSES approach to risk management?
Tier 2 ISCM strategies focus on the controls that address the establishment and management of the organization's information security program, including establishing the minimum frequency with which each security control or metric is to be assessed or monitored.
ISCM strategy at this level is focused on ensuring that all system-level security controls are implemented correctly, operate as intended, produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time.
Tier 3
At what tier of the Risk Management Framework does continuous monitoring take place?
Tier 3 - the Information System level
The fifth and final step in the risk management process is to determine countermeasure options. Which of the following is the goal of this step?
To identify potential countermeasures for reducing an asset's vulnerabilities and overall risk to the asset
"Insider threat" is that an insider will, by acts of commission or omission, intentionally or unintentionally, use their authorized access to do harm to the security of the U.S.
True
An active shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area.
True
Elicitation is an effective means of information collection by an insider. When done well, elicitation can seem like simple small talk.
True
Failure to report suspicious behaviors or possible insider threat indicators could result in punitive or disciplinary actions.
True
Failure to submit paperwork for security clearance investigations for key management personnel in a timely manner may result in the discontinuance of the facility security clearance request process.
True
Known or suspected espionage should always be reported to the FBI.
True
One step in regressive analysis is reevaluating an asset's vulnerabilities.
True
Personnel who fail to report CI Activities of concern as outlined in Enclosure 4 of DoD Directive 5240.06 are subject to appropriate disciplinary action under regulations.
True
The five general areas open to potential asset vulnerabilities include: human, operational, information, facility, and equipment. True or false?
True
To be eligible for consideration for a facility security clearance, a contractor must be physically located within the U.S. or its territories.
True
You should use the intent, capability, and history charts to create the Threat Assessment Summary Chart.
True
Which of the following are types of biological agents? (Select all that apply.)
Viruses Toxins
Persons, facilities, materials, information, and activities are categories of ______.
Vulnerabilites
One way to describe asset value is:
What is the impact of an undesirable event?
When measuring an impact and assigning a value to an undesirable event, which one of the following SME interview questions will help guide you?
What undesirable events regarding a particular asset concern the asset owner?
Training conducted in a clandestine fashion at the cell level by members is referred to as:
internal training
The formula R=I [T x V] is used for calculating a risk rating. What risk factors do R, I, T, and V represent?
return, impact, threat, vulnerability
Facility U has a facility security clearance at the Secret level. It has not performed work on an active classified contract in 12 months and does not expect to perform work on a classified contract in the near future. What action needs to be taken regarding its facility security clearance?
It should be administratively terminated
Which of the following configuration management controls supporting continuous monitoring activities focuses on configuring the IS to provide only essential capabilities to limit risk and to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling?
Least Functionality
A business that has one or more owners, usually known as members, which may be individuals or corporations, is a _____.
Limited liability company
There are several techniques hostages can use to help them survive a hostage situation. They should:
Maintain a regular exercise routine
To be an "Insider Threat" a person MUST knowingly cause malicious damage to their organization.
False
What is the risk rating of an asset with an impact of 10, a threat rating of .12 and a vulnerability rating of .40?
48
Which of the following are "foundation documents" for building an AT Program? (Select all that apply.)
? *DoD Instruction O-200.16 (NOT 1,3,4) *DoD Regulation 5200.8-R DoDM 5200.01 *DoD Instruction 2000.12
As part of assessing the existence of a terrorist threat, the DoD anaylzed a terrorist group's actual record of conducting an attack, and their ability and desire to conduct future attacks. Which of the following methodology factors did the DoD take into account? (Select all that apply.)
? *Terrorist history and intentions *Terrorist targets Terrorist operational capabilities (NOT ALL)
When documenting requirements, it is important to address_______________. (Select all that apply.)
? *The impact if a resource is funded *What resource is needed and how it fits into the AT plan *Why the resource is needed. (Not just first 2, NOT ALL)
What resources are available to develop an AT plan?
? DoD ATO Guide *DoDi 2000.12 *DoDI O-2000.16, Vol 1&2 DoDM 5205.07 (NOT ALL) (NOT 2&3)
What must be addressed in an AT plan? (Select all that Apply.)
? Intellegence Coordination Exercise and training Organization Chart (not just last 3) (NOT ALL)
Which of the following statement(s) are true?
? The purpose of the criticality Assessment is to provide a prioritized list of assets based on the necessity for mission completion. *The criticality assessment only focuses on assets located on the installation. NOT Criticality assessments assist the commander in making resource allocation decisions designed to protect people and assets from possible terrorist attacks. NOT All of the above
Seizure
?Occupying and holding a prominent building
An adversary uses technical countermeasures to block a previously undisclosed or classified U.S. intercept technology. This is an example of:
A Security Anomaly
A DD Form 441-1 is required to be executed for _____.
A division or branch within a multiple facility organization
Ambush
A sudden attack made from a concealed position on a previously defined target.
Raid
A surprise attack by a small armed force on a previously defined target.
Which of the following describes the relationship between configuration management controls and continuous monitoring?
A well-defined configuration management process that integrates continuous monitoring ensures that the required adjustments to the system configuration do not adversely affect the security of the information system.
The anger and frustration hostage survivors experience may sometimes be directed toward the:
A.) DoD B.) U.S. Government
If a hostage senses or realizes a rescue attempt is imminent, the hostage should:
A.) Drop to the floor. B.) Remain still until rescuers provide instructions.
The criteria used to determine the level of vulnerability include which of the following? (Select all that apply)
A.) Effectiveness of the countermeasures B.) Quality C.) Quality
Which of the following are security-focused configuration management (SecCM) roles in risk management?
A.) Ensuring that adjustments to the system configuration do not adversely affect the security of the information system B.) Establishing configuration baselines and tracking, controlling, and managing aspects of business development C.) Ensuring that adjustments to the system configuration do not adversely affect the organizations operations
Which of the following statements are true? (Select all that apply.)
A.) A sudden onset of symptoms is a characteristic of chemical agents. B.) Terrorists will likely use small quantities of chemical agents in a highly populated area where the potential for exposure is the greatest.
Terrorist groups labeled by their political affiliation:
A.) Are considered to be political extremists B.) Consist of young members, generally between 19 and 35 years old
Which of the following statements illustrate the correct application of the DoD Code of Conduct?
A.) As a hostage, Service members should not, under any circumstances, support or encourage their captors. B.) Service members on assignment in an area prone to terrorist activity shall follow the appropriate counter-terrorism measures.
Select ALL the correct responses. Which of the following describe how audit logs support continuous monitoring?
A.) Audit logs are essential in continuous monitoring because they record system activity, application processes, and user activity. B.) Audit logs are essential in continuous monitoring because they can be used to detect security violations, performance problems, and flaws in applications.
Select ALL the correct responses. Which of the following are requirements for audits as outlined in the National Industrial Security Program Operating Manual (NISPOM)?
A.) Audit trail contents must be protected against unauthorized access, modification, or deletion. B.) Audit records must address individual accountability with unique identification and periodic testing of the security posture by the ISSO or ISSM.
An intelligence cell of a terrorist group:
A.) Collects target-specific information B.) Provides OPSEC
Select ALL the correct responses. Which of the following describe continuous monitoring capabilities for detecting threats and mitigating vulnerabilities?
A.) Conducting frequent audits B.) Not relying on firewalls to protect against all attacks
Which of the following statement(s) are true?
A.) DoD 5200.8-R addresses the physical security of personnel, installations, operations, and assets of DoD Components B.) Physical Security measures are a combination of active or passive systems, devices, and security personnel used to protect a security interest from possible threats.
FPCON BRAVO will apply when:
An increased threat of terrorist activity exists
Which of the following statements defines an adversary?
Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities detrimental to assets.
Which of the following may be reasons for a hostage situation ending with little to no harm to the hostage?
Authorities may achieve a successful negotiation with the captors resulting in the release of the hostage.
To minimize the insider threat, practice:
Awareness, Prevention, and Deterrence
Match the following types of vehicle barriers with their description. Expedient barries Active barriers Moveable Fixed Passive Portable
Comprised of material used for other purposes require action by personnel or equipment for entry May required heavy equipment to be relocated permanently installed rely on weight to prevent entry may be relocated quickly
This security Configuration Management (CM) control involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications.
Configuration Change Control
This security Configuration Management (CM) control applies to the parameters that can be changed in hardware, software, or firmware components that affect the security posture and/or funtionality of the system, including registry settings, account/directory permission setting, and settings for functions, ports and protocols.
Configuration Settings
Which of the following describes continuous monitoring supports interoperability, operational resilience, and operational reciprocity?
Continuous monitoring capabilities and tools ensure cybersecurity products operate in a net-centric manner to enhance the exchange of data and shared security policies.
Which of the following describes the role of counterintelligence and cybersecurity in identifying threats to DoD information systems?
Counterintelligence and cybersecurity personnel share and report unauthorized accesses attempts, denial of service attacks, exfiltrated data, and other threats/vulnerabilities.
After you've completed all other steps, what final chart would you use to summarize and record your information in order to get the total cost for all countermeasures?
Countermeasure Analysis Chart
If the sponsor is a cleared prime contractor, a copy of which document should be enclosed with the sponsorship letter?
DD Form 254
The ability of each existing countermeasure to prevent or minimize a specific type of attack defines what vulnerability criteria?
Effectiveness
_____ may terminate the DD Form 441 by written notice 30 days in advance of the requested termination.
Either the government or the contractor
This is used to collect documentation regarding FOCI, KMP Lists, SF-328 and other facility documents to the DSS.
Electronic Facility Clearance (e-FCL) System
The destruction of oil fields or attacks on oil tankers.
Environmental Destruction
The terrorist's objectives are controlled and/or condoned by an established state.
Establishment
Which paragraph of the AT plan lists the specific tasks for each subordinate unit?
Execution
When determining an adversary's history, the fact that the adversary might attempt an attack at a foreseeable future event is irrelevant.
False
When determining the cost associated with a loss, only monetary loss is considered in the risk management process. True or false?
False
Within a multiple facility organization, only the home office facility is required to have a CAGE code.
False
You are the one who decides what constitutes an acceptable level of risk for an organization's assets.
False
The Combating Terrorism Readiness Initiatives Fund (CbT RIF):
Finances emergent or emergency high-priority combating terrorism requirements
In addition to completing an SF-86, an individual being investigated for a personnel security clearance must also submit which form?
Fingerprint card
Which of the following fundamental concepts does continuous monitoring support that means DoD information technology is managed to minimize shared risk by ensuring the security posture of one system is not undermined by vulnerabilities of interconnected systems?
Interoperability and operational reciprocity
Which of the following statements is true?
Invalidation of a facility security clearance is an interim measure allowing a contractor to correct negative security circumstances.
Which of the following describes continuous monitoring capabilities for detecting threats and mitigating vulnerabilities?
Investigation into events of unauthorized downloads or uploads of sensitive data; unexplained storage of encrypted data; and unauthorized use of removable media or other transfer devices.
Training conducted in a clandestine fashion at the cell level by members of the terrorist group within the targeted country is considered ______________________.
Internal training
As long as a contractor has a bona fide classified procurement need, it can make the request for its own facility security clearance.
False
If a coworker seeks additional information outside the scope of his or her responsibility, this is always a sign that the individual is an insider threat.
False
Removing classification markings from a document is not necessarily considered a possible insider threat indicator and should not be reported to the security office unless there are other suspicious behaviors displayed.
False
The smaller the risk area shared by assets, threats, and vulnerabilities, the higher the risk level.
False
The time to implement and oversee the countermeasure, the time to prepare for its implementation, and any time required for follow-up and evaluation have no impact when determining the cost of a countermeasure.
False
When an operative travels abroad to a training camp, then returns home to put their training into practice, this is considered:
External training
A coworker, who may be of Middle Eastern descent and often speaks in Farsi from his work telephone, is considered suspicious behavior and should always be reported to the security officer.
False
A post office box is an acceptable address to include on the sponsorship letter for the uncleared contractor facility.
False
There are six steps in the analytical risk management process. True or false?
False
A terrorist threat level is ________________. (Select all that apply)
Identified as High, Significant, Moderate, or Low.
Which of the following describes the relationship between configuration management controls and continuous monitoring?
Implementing information system changes almost always results in some adjustment to the system configuration that requires continuous monitoring of security controls.
A state-supported terrorist group operates:
Independently, but receives some support from governments
A State-supported terrorist group operates:
Independently, but receives substantial outside support
This is used by DSS to document Industrial security actions regarding contractor facilities.
Industrial Security Facilities Database (ISFD)
Who evaluates information related to a prospective contractor facility?
Industrial Security Representative
Who works with a contractor facility to ensure that their security program meets NISP requirements?
Industrial Security Representative
Which of the following ensures that a process is in place for authorized users to report all cybersecurity-related events and potential threats and vulnerabilities and initiates protective or corrective measures when a cybersecurity incident or vulnerability is discovered?
Information System Security Officer
Assassination
One of the oldest terrorist tactics, it means murdering someone in a surprise attack, usually with small arms or bombs.
Poor tradecraft practices are an example of a/an ______ vulnerability.
Operational
A business comprised of two separate and distinct companies that have formed a relationship where one company establishes or takes control of a smaller company is a _____.
Parent-Subsidiary
The terrorist's objectives are to overthrow the existing government, particularly in the area of operations.
Revolutionary
Which of the following is a role of risk management in continuous monitoring?
Risk management in continuous monitoring ensures that information security solutions are broad-based, consensus-driven, and address the ongoing needs of and risks to the government and industry.
The deliberate weakening of another entity through subversion, obstruction, disruption, and/or destruction.
Sabotage
Match each phase of a terrorist operation with its description Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7
Screen potential targets Observe routines and security measures Consider attractiveness of target Determine weapon type and attack method Deploy into the target area Neutralize reaction forces & security measures Evade response forces
Which of the following describes how audit logs support continuous monitoring?
Security auditing is a fundamental activity in continuous monitoring in order to determine what activities occurred and which user or process was responsible for them on an information system.
Which of the following Event Viewer Logs provides an audit of a user's log-on events and are classified as successful or failed attempts?
Security event log
Which of the following are the initial steps for finding the Security Event Log on a computer running Windows 7?
Select Control Panel from the Windows Start menu and then select the System and Security link
Which funding category does a resource fall in if it is important to the mission, but has a low vulnerability?
Should fund
The terrorist threat level that indicates that anti-U.S. terrorists are present with limited operational activity.
Significant
Given the information system continuous monitoring (ISCM) process, in which step is security-related information required for metrics, assessments, and reporting collected and, where possible, the collection, analysis, and reporting of data is automated?
Step 3: Implement an ISCM program
During which of the following Risk Management Framework steps does continuous monitoring take place?
Step 6, monitor the security controls
The terrorist's objectives are to influence an unwilling government or group into making political, social, or economic changes.
Sub-revolutionary
This security Configuration Management (CM) control ensures that software use complies with contract agreements and copyright laws, tracks usage, and is not used for unauthorized distribution, display, performance, or reproduction.
Software Usage Restrictions
Offers or Invitations for cultural exchanges, individual-to-individual exchanges, or ambassador programs are indicators of this collection method:
Solicitation and Marketing of Services
Once a contractor has met all the eligibility requirements, which of the following are key evaluation areas examined when determining whether to issue a facility security clearance?
Sponsorship, DD Form 441, key management personnel
In the case of a multiple facility organization, which facility should complete the SF-328?
The home office facility
Which of the following would not be considered a possible indicator of recruitment?
Termination notice to go work for a competing company
Which of the following statement(s) are true
The Commander is responsible for the development of the AT plan. The ATO is responsible for writing the AT plan. The ATO working group is responsible for leveraging the capabilities of the organization's AT Working Group to assist with creating the AT plan. (ALL)
Which of the following statement(s) are true?
The Commander uses a Vulnerability Assessment to determine the susceptibility of assets to attack from threats.
Which of the following describes the role of the National Industrial Security Program (NISP) in continuous monitoring?
The NISP ensures that monitoring requirements, restrictions, and safeguards that industry must follow are in place before any classified work may begin.
Which of the following identifies how the Risk Management Framework (RMF) supports risk management?
The RMF process emphasizes continuous monitoring and timely correction of deficiencies.
Which of the following identifies how the Risk Management Framework (RMF) supports risk management?
The RMF process ensures traceability and transparency across all levels of the organization.
Whose CAGE code should be provided in the sponsorship letter?
The cleared prime contractor sponsoring the facility security clearance request and the uncleared contractor being sponsored, if it has one
Hijacking
The forceful seizure of a surface vehicle, its passengers, and/or its cargo.
Skyjacking
The forceful seizure of an aircraft, its passengers, and cargo.
Bombing
The most common type of terrorist attack because of the relatively low risk of injury to the terrorist.
When an uncleared parent with a cleared subsidiary does not require access to classified information, which of the following actions is required?
The parent will be formally excluded from all access to classified information.
Which of the following describes the how the patch management process integrates with security-focused configuration management (SecCM)?
The patch management process integrates with SecCM when performing a Security Impact Analysis to determine whether unanticipated effects from a patch resulted in a change to existing security controls.
Which of the following describes the how the patch management process integrates with security-focused configuration management (SecCM)?
The patch management process integrates with SecCM when updating the baseline configuration to the current patch level and then testing and approving patches as part of the configuration change control process.
________________ is the least expensive countermeasure to implement?
Written Procedure
The Facility Security Officer of a cleared contractor facility has recently retired. The new FSO is currently cleared but has no security experience. Does this need to be reported to the facility's Industrial Security Representative as a change condition?
Yes, this is a reportable change
An unwitting insider is best described as:
a person with access to information who unknowingly reveals more than they should to persons without a need to know
Risk management is defined as the process of selecting and implementing ______ to achieve an acceptable level of risk at an acceptable cost.
countermeasures
Which of the following is a secure website designed to facilitate the processing of standard investigative forms used when conducting background investigations?
e-QIP
