Information Security Risk Management: A Q&A Guide Based on NIST SP 800 Series, Exams of Business Accounting

A series of questions and answers related to information security risk management, focusing on NIST SP 800 series publications. It covers key roles and responsibilities within the Risk Management Framework (RMF), including the Information System Owner, Authorizing Official, and Security Control Assessor. The questions delve into various aspects of risk assessment, mitigation, and authorization, providing practical insight into the application of NIST standards and guidelines. The content is suitable for students and professionals seeking to understand the details of information security management and compliance.

Typology: Exams

2024/2025

Available from 05/23/2025

CAP Practice Exam

Which one of the following roles is responsible for testing the non-technical controls in an information system? correct answer Security Control Assessor

Which reference provides detailed guidance on risk mitigation for the State Department? correct answer SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations

Which of the following roles has the responsibility to ensure that the enterprise architecture supports the mission and business processes? correct answer a. Information Security Architect

During which step of the Risk Management Framework (RMF) does the Information System Owner register the information system? correct answer Categorize Information System

Who signs the authorization decision letter? correct answer Authorizing Official

Who develops and maintains information security policies, procedures, and control techniques to address all applicable requirements? correct answer b. Chief Information Officer

A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source is the definition of which key term? correct answer Vulnerability

Who procures, develops, integrates, or modifies an information system? correct answer Information System Owner

Who has the responsibility to prepare the plan of action and milestones based on the findings and recommendations of the security assessment report? correct answer Common Control Provider

You have just completed the Risk Assessment defined by NIST SP 800-30. What reference identifies the risk management strategy alternatives that can be applied to the information system? correct answer NIST SP 800-

In which phase of the NIST SP 800-30 process does one produce the first full Risk Assessment Report (RAR)? correct answer Step 2

Which step of the NIST SP 800-30 process would most likely identify the CVE database as a risk assessment information source? correct answer Step 2

Organizations should view assessments as an information gathering activity, not as a security producing activity. In accordance with NIST SP 800-53A, security control assessments create the following benefits: identify potential problems or shortfalls in the organization's implementation of the NIST Risk Management Framework; support budgetary decisions and capital investment processes, and: correct answer Support information system authorization decisions.

The last step in the Risk Assessment process model is called? correct answer Maintain

When using NIST SP 800-53A, during which SDLC phase are security assessments used to increase confidence or assurance that the security controls are working correctly for a system? correct answer Development, Implementation, and Operations and Maintenance

Which of these is a valid response to address risk? correct answer Accept the risk to the system

OMB Circular A-130 states information security must: correct answer Be risk-based, and cost-effective

In accordance with Public Law 107-347, Executive Agencies must: correct answer Authorize system processing prior to operation

The security assessment plan provides: correct answer The objectives for the security control assessment and a detailed roadmap of how to conduct such an assessment.

The main purpose of System Authorization is: correct answer Acceptance and management of risk

Security control assessment is: correct answer Evaluation of technical and non-technical controls

NIST SP 800-18, Guide for Developing Security Plans, describes the purpose of a security plan as providing an overview of the system requirements, and: correct answer The controls in place

The goals of NIST SP 800-39 include: encourage senior leaders to recognize the importance of engaging in the management of risk; encourage senior leaders to understand the role of information security in managing overall organization risk, and? correct answer Help individuals with information system implementation and operational responsibilities understand how the information security issues associated with their systems translate into organizational security concerns

You have just completed the final Security Assessment Report. Which RMF Step and SDLC phase are you about to enter? correct answer RMF Step 5, and the Implementation phase.

Title III of the E-Government Act, known as the Federal Information Security Management Act (FISMA), states that effective information security programs include: correct answer Periodic assessment of risk

In accordance with NIST SP 800-37, what follows the Implement Security Control step? correct answer Assess Security Controls

Who serves as principal staff advisor to the Information System Owner on all matters involving the security of the information system? correct answer Information System Security Officer

As described by NIST SP 800-39, the Risk Executive's role includes: promotes the cooperation and collaboration among authorizing officials; provides senior leaders input and oversight for all risk management and information security activities, and? correct answer Identifies the overall risk posture based on the aggregated risk from each information system.

Who is responsible for ensuring that configuration and change control processes are followed? correct answer Information System Owner

Which of the following is NOT evaluated as part of assessing security risk? correct answer Monitor changes over time

Who is responsible for managing, coordinating, and overseeing all risk management activities, agency-wide? correct answer Risk Executive

What does NIST SP 800-39 provide as the two factors affecting trustworthiness of an information system? correct answer Security functionality and security assurance

Which of the following should be the MAIN consideration when establishing a trust relationship between two information systems? correct answer Business/Mission needs

Who provides an independent assessment of the system security plan? correct answer Security Control Assessor

Who is responsible for identifying mission and operational requirements? correct answer Authorizing Official

The federal Risk Management Framework has six steps. In Task 2-2, which roles are primary, and what is the SDLC phase? correct answer CIO, CISO, CCP, and ISA; and the Initiate phase.

Who is primarily responsible for supporting the System Authorization process during the Implementation phase of the SDLC? correct answer Security Control Assessor

In accordance with NIST SP 800-59, a National Security System must meet which one of the following criteria? correct answer Critical to the direct fulfillment of military or intelligence missions

NIST SP 800-39 prescribes that the assessor's findings should be: correct answer Factual and unbiased

OMB's Business Reference Model (BRM) describes four business areas containing 39 types of information. Which of the following roles will be the PRIMARY user of this reference? correct answer Information Owner as part of the NIST SP 800-60 analysis

Personally Identifiable Information will be categorized at what minimum level? correct answer Moderate for Confidentiality

During the SP 800-60 analysis, which two values are considered by the security objectives? correct answer Data sensitivity, and criticality

When doing cost-benefit analysis for proposed new controls or enhanced controls, which of the following is NOT considered? correct answer Estimating the length of time to implement the new or enhanced controls

Residual risk can be defined as: correct answer The risk remaining after the implementation of new or enhanced controls

During the FIPS 199 analysis the Information System Owner determines the system High Water Mark. How is the high water mark used in the system authorization process? correct answer It establishes the minimum baseline controls that MUST be employed to protect the information system

What risk management activity occurs during the Implementation phase of the System Development Life Cycle? correct answer Risk management supports the assessment of the system implementation against the requirements

What is the definition of a threat? correct answer Any circumstance or event with the potential to create adverse impacts

Which organization created the FISMA requirement requiring System Authorization? correct answer Congress

Security commensurate with risk, including the magnitude of harm, defines: correct answer Adequate Security

Which of the following is required by OMB A-130? correct answer Certification and Accreditation at least every three years

In accordance with (IAW) NIST SP 800-64, which of the following is NOT part of the System Development Life Cycle? correct answer Program Startup Phase

Which security control identifies the organizational roles and responsibilities, how coordination of security is implemented, identifies the declared common controls, and should be protected from unauthorized disclosure and modification? correct answer PM-1 Information Security Program Plan

Compensating controls are: correct answer Used in place of, or to augment, specific controls

NIST SP 800-37 provides a process for: correct answer System Authorization

What is the purpose of scoping guidance? correct answer To establish and express guidance on tailoring the security control baseline

Which of the following roles reviews the reports provided by the Information System Security Officer once the System Authorization has been granted? correct answer Authorizing Official

From a system authorization perspective, why are potential system software patches tested prior to deployment into an operational environment? correct answer To identify potential security impacts that may be caused by the patch

Why is configuration management a concern during the continuous monitoring phase of NIST SP 800-37? correct answer To ensure that risks from new threats can be evaluated.

NIST SP 800-55 defines key performance measures as? correct answer Measures of effectiveness, measures of efficiency, and impact measures.

During the Continuous Monitoring Phase of NIST SP 800-37, the Information System Security Officer is NOT concerned with the following? correct answer Are the controls operating within the established budget?

Why might the POAM need to be updated when the system completes security control testing in RMF Step 6? correct answer New vulnerabilities might have been identified that could not be corrected.

Which of the following is a goal of FISMA? correct answer Complete, reliable, and trustworthy information for Authorizing Officials.

Reauthorization of a system every three years is required, except when: correct answer Robust continuous monitoring exists for the system, and the residual risk equals acceptable range

Which of the following roles should NEVER be combined with the role of Authorizing Official? correct answer Information System Owner

The Authorizing Official's Designated Representative may perform all of the following, except? correct answer Sign the authorization decision document

Information is categorized using NIST SP 800-60 based on: correct answer Mission impact

Trade Secrets are categorized as: correct answer Moderate for confidentiality

In RMF Step 2, the system-specific controls are determined by: correct answer Information System Owner, working with the Information Security Architect

In accordance with NIST SP 800-53, the security control classes are based on? correct answer Operational, Management, and Technical

NIST SP 800-53 describes a family of controls as: correct answer A grouping of like controls covering the same subject

Organizations are encouraged to develop a broad-based, organization-wide strategy for conducting security assessments, facilitating more cost-effective and consistent assessments across the inventory of information systems. Which of the following is FALSE when considering how to accomplish this objective? correct answer The Risk Management Framework cannot be used on multiple systems.