ais finals lesson 2

Question 1

responsible for ensuring that the IAP is developed and
implemented in accordance with regulatory and business requirements

Answer 1

Chief executive officer(CEO)

Question 2

plays a crucial role in allocating resources and fostering commitment
to the IAP

Answer 2

Chief executive officer(CEO)

Question 3

what does IAP stands for?

Answer 3

information assurance program

Question 4

AO stands for?

Answer 4

authorizing official

Question 5

ISO stands for?

Answer 5

Information system owner

Question 6

is responsible for the execution of overall IT program and
delegate authority to the CISO for the management of the IAP.

Answer 6

Chief information officer (CIO)

Question 7

is the
focal point for IT management and governance of IT portfolios

Answer 7

CIO

Question 8

carries out the CIO’s security and privacy responsibilities
under FISMA and is responsible for managing the IAP

Answer 8

Chief information security officer

Question 11

FISMA stands for?

Answer 11

Federal Information Security Management Act

Question 12

responsible for:
* Ensuring information security management processes are integrated with
strategic and operational planning processes.
* Ensuring trained personnel sufficient to assist in complying with the
information assurance requirements in related legislation, policies, directives,
instructions, standards, and guidelines.
* Coordinating with senior management to report annually to the head of the
federal agency on the overall effectiveness of IAP, including progress of
remedial actions

Answer 12

CIO

Question 13

is responsible for:
* Developing an organization-wide IAP that provides adequate security for
all information and information systems.
* Centralized reporting of information security-related activities.
* Developing and maintaining information security and privacy policies.
* Defining specific security requirements, tools, templates, and checklists to
support the IAP.
* Ensuring that personnel with significant system security responsibilities
are adequately trained.

Answer 13

CISO

Question 14

s appointed by the CEO and is granted the authority to formally
assume responsibility for operating an information system at an acceptable level
of risk.

Answer 14

Authorizing official

Question 15

has budgetary oversight for an information system and is
responsible for the mission/business operations supported by the system.

Answer 15

Authorizing official

Question 16

approve systems security plans (SSPs), memorandums of agreement or
understanding (MOA/MOU), and plans of action and milestones (POA&Ms

Answer 16

Authorizing official

Question 17

approve systems security plans (SSPs), memorandums of agreement or
understanding (MOA/MOU), and plans of action and milestones (POA&Ms

Answer 17

Authorizing official

Question 18

is responsible for:
* Ensuring the security posture of the Agency’s information systems is
maintained.
* Reviewing security status reports and security documents and determining if
the risk to the Agency of operating the system remains acceptable.
* Reauthorizing information systems when required.
* Assisting in response to security incidents and privacy breaches.
* Appointing, when required, a designated representative to coordinate and
carry out system security responsibilities

Answer 18

Authorizing official

Question 19

is appointed by the CEO and serves as the focal point for the information
system and is the central point of contact during the security authorization process.

Answer 19

Information system owner (ISO)

Question 20

is responsible for:
* Coordinating data protection requirements with Information Owners (IOs) that have
information stored and processed in the system.
* Deciding, in coordination with the IO and Information System Security Officer
(ISSO), who has access to the system. Determining access privileges and rights to
the system.
* Ensuring that system users and support personnel receive the required security
training
(e.g., instruction in the Rules of Behavior).
* Ensuring that the system is compliant with the required security controls.
* Appointing an ISSO for the information system to carry out the day-to-day
security responsibilities.
* Reviewing system security documents (e.g., SSP, POA&M, etc.).
* Ensuring that system-specific security training is provided to the users and
administrators of the systems.
* Ensuring that remediation activities for the system are performed as
needed to maintain the authorization status.
* Appointing an Information System Security Manager (ISSM) to coordinate
system security task and provide oversight responsibilities to ensure security
activities are performed.

Answer 20

ISO

Question 21

is an official with regulatory, management, or operational authority
for specified information and is responsible for establishing the policies and
procedures governing its generation, collection, processing, dissemination,
and disposal.

Answer 21

Information owner (IO)

Question 22

responsible for:
* Providing input to ISOs regarding the security requirements and controls for
the systems where the information is processed, stored, or transmitted.
* Retaining information in accordance with the National Archives and
Records Administration (NARA) record schedule.
* Categorizing the sensitivity level5 of the information stored and
processed in the system.
* Establishing rules for appropriate use and protection of the information.
* Coordinating with the ISO when security requirements change.
* Assisting in the response to security incidents.
* Ensuring that the PII inventory is updated

Answer 22

IO

Question 23

is appointed by the ISO and works closely with the ISO or ISSM to
ensure that the appropriate security posture is maintained for the information
system.

Answer 23

information system security officer(ISSO)

Question 24

serves as a principal advisor on all the security related issues
of an information system.

Answer 24

ISSO

Question 25

must have the detailed knowledge and expertise required to manage the security aspects of an information system and is responsible for the day-to-day security operations of a system

Answer 25

ISSO

Question 26

responsible for: * Ensuring system compliance with security policies and procedures. * Managing and controlling changes to the system. * Assessing the security impact of any changes. * Monitoring the system and its environment. * Developing and updating the SSP. * Coordinating with and supporting the ISO with security responsibilities. * Preparing or overseeing the preparation of system security documents7 and security activities. * Developing security policies and procedures that are consistent with IA policies. * Performing or overseeing remediation activities to maintain the authorization status. * Assisting the ISO assemble the security authorization package for submission to the AO. * Assisting in the investigation of security incidents.

Answer 26

ISSO

Question 27

responsible for: * Monitoring compliance with Federal requirement and IA policies. * Providing guidance on the implementation of IA policies. * Providing security and privacy training. * Investigating system security and privacy incidents. * Providing support for audits and reviews. * Managing the vulnerability management program.

Answer 27

IAM

Question 28

serves as the primary liaison for the CISO to individuals with security and privacy responsibilities and supports activities at the IAP level.

Answer 28

Information assurance manager(IAM)

Question 29

coordinates system security task and provide oversight responsibilities to ensure security activities are performed and serves as the liaison between the Information System Security Officer (ISSO) and the Information System Owner (ISO)

Answer 29

information system security manager (ISSM)

Question 30

responsible for: * Providing oversight of system security activities performed by the ISSO. * Acting as the liaison between the IAM and the ISSO. * Monitoring system compliance with Information Assurance policies and federal guidance

Answer 30

ISSM

Question 31

is nominated by the Agency and assists the Contracting Officer (CO)

Answer 31

Contacting officer's repesentative

Question 32

responsible for: Acting as a technical liaison between the CO and the contractor. * Providing technical assistance. * Performing onboarding and off boarding activities for the contractors assigned to the contract. * Ensuring that contractors have the proper background investigations before accessing information or systems. * Ensuring that contractors properly maintain information and information systems in accordance with the IAP.

Answer 32

COR

Question 33

conducts assessments of the security controls employed within or inherited by an information system to determine the overall effectiveness of the controls

Answer 33

security assessment team (SAT)

Question 34

responsible for: * Developing a security assessment plan for each subset of security controls that will be assessed. * Submitting the security assessment plan for approval prior to conducting the assessment. * Conducting the assessment of security controls as defined in the security assessment plan. * Providing an assessment of the severity of weaknesses or deficiencies discovered in the information system. * Recommending corrective actions to address identified vulnerabilities. * Preparing the final security assessment report containing the results and findings from the assessment

Answer 34

SAT

Question 35

It is standard on boarding policy for new employees.

Answer 35

AUP

Question 35

stipulates the constraints and practices that an employee using organizational IT assets must agree to in order to access to the corporate network or the internet

Answer 35

acceptable use policy (AUP)

Question 36

outlines the access available to employees in regards to an organization’s data and information systems.

Answer 36

Access control policy (ACP)

Question 37

items covered in this policy are standards for user access, network access controls, operating system software controls and the complexity of corporate passwords.

Answer 37

ACP

Question 38

Additional supplementary items often outlined include methods for monitoring how corporate systems are accessed and used; how unattended workstations should be secured; and how access is removed when an employee leaves the organization.

Answer 38

ACP

Question 39

example that is available for fair use can be found at this policy is?

Answer 39

SANS

Question 40

An excellent example of this policy is available at IAPP

Answer 40

ACP

Question 41

refers to a formal process for making changes to IT, software development and security services/operations.

Answer 41

change management policy

Question 42

The goal of this program is to increase the awareness and understanding of proposed changes across an organization, and to ensure that all changes are conducted methodically to minimize any adverse impact on services and customers

Answer 42

Change management policy

Question 43

typically high-level policies that can cover a large number of security controls.

Answer 43

information security policy

Question 44

It is issued by the company to ensure that all employees who use information technology assets within the breadth of the organization, or its networks, comply with its stated rules and guidelines.

Answer 44

information security policy

Question 45

This policy is designed for employees to recognize that there are rules that they will be held accountable to with regard to the sensitivity of the corporate information and IT assets

Answer 45

information security policy

Question 46

is an organized approach to how the company will manage an incident and remediate the impact to operations

Answer 46

incident response policy

Question 47

It’s the one policy CISOs hope to never have to use.

Answer 47

Incident response policy

Question 48

the goal of this policy is to describe the process of handling an incident with respect to limiting the damage to business operations, customers and reducing recovery time and costs.

Answer 48

incident response policy

Question 49

a document which outlines and defines acceptable methods of remotely connecting to an organization's internal networks.

Answer 49

remote access policy

Question 50

This policy is a requirement for organizations that have dispersed networks with the ability to extend into insecure network locations, such as the local coffee house or unmanaged home networks

Answer 50

remote access policy

Question 51

a document that is used to formally outline how employees can use the business’ chosen electronic communication medium.

Answer 51

email/communication policy

Question 52

The primary goal of this policy is to provide guidelines to employees on what is considered the acceptable and unacceptable use of any corporate communication technology

Answer 52

email/communication policy

Question 53

generally include both cybersecurity and IT teams’ input and will be developed as part of the larger business continuity plan

Answer 53

disaster recovery plan

Question 54

will coordinate efforts across the organization and will use the disaster recovery plan to restore hardware, applications and data deemed essential for business continuity

Answer 54

business continuity plan (BCP)

Question 55

are unique to each business because they describe how the organization will operate in an emergency

Answer 55

BCP

Question 56

it can be as broad as you want it to be from everything related to IT security and the security of related physical assets, but enforceable in its full scope.

Answer 56

information assurance policy

Question 57

the purpose of this policy is to Create an overall approach to information security.

Answer 57

information assurance policy

Question 58

the purpose of this policy is to detect and preempt information security breaches such as misuse of networks, data, applications, and computer systems

Answer 58

information assurance policy

Question 59

the purpose of this policy is to maintain the reputation of the organization, and uphold ethical and legal responsibilities.

Answer 59

information assurance policy

Question 60

the purpose of this policy is to respect customer rights, including how to react to inquiries and complaints about noncompliance.

Answer 60

information assurance policy

Question 61

what are the three main objective of information security?

Answer 61

confidentiality integrity availability

Question 62

only individuals with authorization can should access data and information assets

Answer 62

confidentiality

Question 63

data should be intact, accurate and complete, and IT systems must be kept operational

Answer 63

integrity

Question 64

users should be able to access information or systems when needed

Answer 64

availability

Question 65

—a senior manager may have the authority to decide what data can be shared and with whom.

Answer 65

hierarchical pattern

Question 66

users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts

Answer 66

network security policy

Question 67

The policy should classify data into categories, which may include “top secret”, “secret”, “confidential” and “public”. Your objective in classifying data is: * To ensure that sensitive data cannot be accessed by individuals with lower clearance levels. * To protect highly important data, and avoid needless security measures for unimportant data.

Answer 67

read

Question 68

systems that store personal data, or other sensitive data, must be protected according to organizational standards, best practices, industry compliance standards and relevant regulations. Most security standards require, at a minimum, encryption, a firewall, and antimalware protection

Answer 68

data protection regulations

Question 69

encrypt data backup according to industry best practices. Securely store backup media, or move backup to secure cloud storage.

Answer 69

Data back up

Question 70

only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted across a public network.

Answer 70

movement of data

Question 71

place a special emphasis on the dangers of social engineering attacks (such as phishing emails). Make employees responsible for noticing, preventing and reporting such attacks.

Answer 71

Social engineering

Question 72

—secure laptops with a cable lock. Shred documents that are no longer needed. Keep printer areas clean so documents do not fall into the wrong hands.

Answer 72

clean desk policy

Question 73

9 Best Practices for Drafting Information Security Policies

Answer 73

. Information and data classification . IT operations and administration . Security incident response plan SaaS and cloud policy Acceptable use policies (AUPs) Identity and access management (IAM) regulations Data security policy— Privacy regulations— Personal and mobile devices—