Ch. 1 - Prepare

Question 1

Definition

Security protection commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, ingegrity and availability protections through the application of cost-effective security controls.

A. Security Category
B. Information Security
C. Adequiate Security
D. Security Controls

Answer 1

C. Adequate Security

Question 2

Definition

The process an organization employs to assign security or privacy requirements to an information system or its environment of operation; or to assign controls to specific system elements responsible for providing a security or privacy capability (Ex: router, server, remote sensor).

A. Allocation
B. Authorization Boundary
C. Organization
D. Confidentiality

Answer 2

A. Allocation

Question 3

Definition

The individual, group or organization responsible for conducting a security or privacy assessment.

A. Adequiate Security
B. Assessor
C. Confidentiality
D. Privacy Architect

Answer 3

B. Assessor

Question 4

Definition

System and subsystem components that must be protected, including but not limited to: all hardware, software, data, personnel, supporting physical environment and environmental systems, administrative support and supplies.

A. Authorization Boundary
B. Asset
C. Enterprise
D. Risk

Answer 4

B. Asset

Question 5

All components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected.

A. Authorization Boundary
B. System Component
C. Authorizing Official (AO)
D. System Boundary

Answer 5

A. Authorization Boundary

Question 6

A senior federal official or executive with the authority to authorize (assume responsibility for) the operation of an information system or the use of a designated set of common controls at an acceptable level of risk to agency operations (including mission, functions, image or reputation), agency assets, individuals, other organizations and the nation.

A. Authorizing Official
B. Organization
C. Risk Executive (Function)
D. Authorizing Official Designated Representative (AO DR)

Answer 6

A. Authorizing Official (AO)

Question 7

An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with the authorization process.

A. Authorizing Official (AO)
B. Authorizing Official Designated Representative (AO DR)
C. system Boundary
D. Either the AO or the AO DR

Answer 7

A. Authorizing Official Designated Representative (AO DR)

Question 8

Definition

A combination of mutually reinforcing controls implemented by technical means, physical means and procedural means. Such controls are typically selected to achieve a common information security or privacy purpose.

A. Vulnerability
B. Capability
C. Integrity
D. Availability

Answer 8

B. Capability

Question 9

The senior official that provides advice and other assistance to the head of the agency and other senior management personnel of the agency to ensure that IT is acquired and information resources are managed for the agency in a manner that achieves the agency’s strategic goals and information resources management goals; and is responsible for ensuring agency compliance with, and prompt, efficient, and effective implementation of, the information policies and information resources management responsibilities including the reduction of information collection burdens on the public.

A. Senior Agency Official for Privacy
B. Authorizing Official (AO)
C. Project Manager
D. Chief Information Officer (CIO)

Answer 9

D. Chief Information Officer (CIO)

Question 10

Definition

A software program hosted by an information system.

A. Application
B. Information
C. Enterprise
D. Organization

Answer 10

A. Application

Question 11

Definition

Ensuring timely and reliable access to and use of information.

A. Confidentiality
B. Integrity
C. Assessor
D. Availability

Answer 11

D. Availability

Question 12

See Senior Agency Information Security Officer.

A. System Boundary
B. Chief Information Security Officer (CISO)
C. Designated Approval Authority (DAA)
D. Senior Agency Official for Privacy

Answer 12

B. Chief Information Security Officer (CISO)

Question 13

A security or privacy control that is inherited by multiple information systems or programs.

A. Continuous Monitoring
B. Common Control (CC)
C. Information Owner or Steward
D. Residual Risk

Answer 13

B. Common Control (CC)

Question 14

An organizational official responsible for the development, implementation, assessment and monitoring of common controls (i.e., controls inheritable by organizational systems).

A. Information Owner
B. Control Assessor
C. Risk Executive (Function)
D. Common Control Provider (CCP)

Answer 14

D. Common Control Provider (CCP)

Question 15

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

A. Confidentiality
B. Allocation
C. Availability
D. Integrity

Answer 15

A. Confidentiality

Question 16

Maintaining ongoing awareness to support organizational risk decisions.

A. Risk Mitigation
B. Continuous Monitoring
C. Residual Risk
D. Security Certification

Answer 16

B. Continuous Monitoring

Question 17

A program established to collect information in accordance with preestablished metrics, utilizing information readily available in part through implemented security controls. Note: Privacy and security continuous monitoring strategies and programs can be the same or different strategies and programs.

A. Privacy Requirement
B. Information Life Cycle
C. Continuous Monitoring Program
D. Privacy Plan

Answer 17

C. Continuous Monitoring Program

Question 18

An organizational official responsible for the development, implementation, assessment and monitoring of common controls (i.e., controls inheritable by organizational systems).

A. Risk Executive (Function)
B. Common Control Provider (CCP)
C. Information Owner
D. Control Assessor

Answer 18

B. Common Control Provider (CCP)

Question 19

See security control and privacy control.

A. Vulnerability
B. Integrity
C. Security Objective
D. Control

Answer 19

D. Control

Question 20

The individual, group or organization responsible for conducting a control assessment. See assessor.

A. System Security Officer
B. Privacy Control
C. Control Assessor
D. Security Risk

Answer 20

C. Control Assessor

Question 21

An organization with a defined mission/goal and a defined boundary, using systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, human resources, financial management, security, as well as systems, information and mission management. See organization.

A. Management Information
B. Organization
C. Application
D. Enterprise

Answer 21

D. Enterprise

Question 22

A strategic information asset base, which defines the mission; the information necessary to perform the mission; the technologies necessary to perform the mission; and the transitional processes for implementing new technologies in response to changing mission needs; and includes a baseline architecture; a target architecture; and a sequencing plan.

A. Information Security Architecture
B. Allocation
C. Enterprise Architecture
D. Security Requirement

Answer 22

C. Enterprise Architecture

Question 23

The physical surroundings in which an information system processes, stores and transmits information.

A. Environment of Operation
B. Enterprise Architecture
C. Information
D. Security Controls

Answer 23

A. Environment of Operation

Question 24

A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented and market-based.

A. System Boundary
B. Federal Information System
C. Federal Enterprise Architecture (FEA)
D. The Open Group Architecture Framework (TOGAF)

Answer 24

C. Federal Enterprise Architecture (FEA)

Question 25

An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

A. Federal Information System
B. System Component
C. Information Owner
D. Information Security Management System (ISMS)

Answer 25

A. Federal Information System

Question 26

With respect to security, the effect on organizational operations, organizational assets, individuals, other organizations or the nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or a system. With respect to privacy, the adverse effects that individuals could experience when an information system processes their PII.

A. Threat
B. Vulnerability
C. Impact
D. Risk

Answer 26

C. Impact

Question 27

Any communication or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic or audiovisual forms.

A. Application
B. Information
C. Organization
D. Control

Answer 27

B. Information

Question 28

The stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage and disposition, to include destruction and deletion. “Life cycle” typically appears as two words in NIST publications, but as one word in ISO standards.

A. Impact Assessment
B. Information Steward
C. Information Life Cycle
D. Term of Agreement

Answer 28

C. Information Life Cycle

Question 29

Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination and disposal.

A. Information Owner
B. Authorizing Official (AO)
C. Confidentiality
D. Senior Agency Official for Privacy

Answer 29

A. Information Owner

Question 30

See Information Owner and Information Steward.

A. Information Owner or Steward
B. Information Security
C. Mission or Business Owner
D. Security or Privacy Architect

Answer 30

A. Information Owner or Steward

Question 31

The protection of information and systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.

A. Adequate Security
B. Security Controls
C. Information Security
D. Risk Management

Answer 31

C. Information Security

Question 32

An embedded, integral part of the enterprise architecture that describes the structure and behavior of the enterprise security processes, security systems, personnel and organizational subunits, showing their alignment with the enterprise’s mission and strategic plans. See security architecture.

A. Integrity
B. Information Type
C. Information Security Architecture
D. Privacy Architecture

Answer 32

C. Information Security Architecture

Question 33

Compilation of processes and management structure that preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

A. System Development Life Cycle (SDLC)
B. Cyber Security Framework (CSF)
C. Security Architecture
D. Information Security Management System (ISMS)

Answer 33

D. Information Security Management System (ISMS)

The ISO 27001 standard defines the components of the ISMS.

Question 34

The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations and the nation due to the potential for unauthorized access, use, disclosure, disruption, modification or destruction of information and/or systems.

A. Privacy Risk
B. Threat
C. Risk Management
D. Information Security Risk

Answer 34

D. Information Security Risk

Question 35

An agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination and disposal.

A. Information Steward
B. Privacy Control
C. Data Steward
D. Information Security Architecture

Answer 35

A. Information Steward

Question 36

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.

A. Application
B. System Component
C. Organization
D. Information System

Answer 36

D. Information System

Question 37

Any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information by the agency. For purposes of this definition, such services or equipment if used by the agency directly or if used by a contractor under a contract with the agency that requires its use; or to a significant extent, its use in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment (including imaging peripherals, input, output and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service) and related resources. Information technology does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use.

A. Running your application at your site
B. Information Technology (IT)
C. Information Systems (IS)
D. Payroll

Answer 37

B. Information Technology (IT)

Question 38

A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management) defined by an organization or in some instances, by a specific law, executive order, directive, policy or regulation.

A. Categorization
B. Information Type
C. Capability
D. Confidentiality

Answer 38

B. Information Type

Question 39

Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

A. Information Security
B. Confidentiality
C. Availability
D. Integrity

Answer 39

D. Integrity

Question 40

An entity of any size, complexity, or positioning within an organizational structure (e.g., federal agencies, private enterprises, academic institutions, state, local, or tribal governments or, as appropriate, any of their operational elements).

A. Enterprise
B. Information
C. Organization
D. Application

Answer 40

C. Organization

Question 41

Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

A. General Data Protection Regulation (GDPR)
B. Personally Identifiable Information (PII)
C. Social Security Number (SSN)
D. Identification

Answer 41

B. Personally Identifiable Information (PII)

Question 42

Individual, group or organization responsible for ensuring that the system privacy requirements necessary to protect individuals’ privacy are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and information systems processing PII.

A. Control Assessor
B. Privacy Architect
C. System Privacy Officer
D. Security Architect

Answer 42

B. Privacy Architect

Question 43

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s privacy protection processes, technical measures, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.

A. Privacy Architecture
B. Privacy Requirement
C. Security Architecture
D. Information Security Architecture

Answer 43

A. Privacy Architecture

Question 44

The administrative, technical, and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and manage privacy risks. Note: Controls can be selected to achieve multiple objectives; those controls that are selected to achieve both security and privacy objectives require a degree of collaboration between the organization’s information security program and privacy program.

A. Privacy Requirement
B. Privacy Control
C. Safety Control
D. Security Controls

Answer 44

B. Privacy Control

Question 45

Information that describes the privacy posture of an information system or organization.

A. Sensitive Information
B. Privacy Requirement
C. Security Objective
D. Privacy Information

Answer 45

D. Privacy Information

Question 46

A formal document that details the privacy controls selected for an information system or environment of operation that are in place or planned, to meet applicable privacy requirements and manage privacy risks, details how the controls have been implemented, and describes the methodologies and metrics that will be used to assess the controls.

A. Privacy Plan
B. Disaster-Recovery Plan
C. Privacy Requirement
D. Security Plan

Answer 46

A. Privacy Plan

Question 47

A requirement that applies to an information system or an organization that is derived from applicable laws, executive orders, directives, policies, standards, regulations, procedures and/or mission/business needs with respect to privacy. Note: The term privacy requirement can be used in a variety of contexts from high-level policy activities to low-level implementation activities in system development and engineering disciplines.

A. Privacy Control
B. Privacy Requirement
C. Privacy Architecture
D. Security Requirement

Answer 47

B. Privacy Requirement

The term privacy requirement can be used in a variety of contexts from high-level policy activities to low-level implementation activities in system development and engineering disciplines.

Question 48

Risk to an individual or individuals associated with the agency’s creation, collection, use, processing, storage, maintenance, dissemination, disclosure and disposal of their PII. See risk.

A. Residual Risk
B. Privacy Risk
C. Security Risk
D. Integrity Risk

Answer 48

B. Privacy Risk

Question 49

Portion of risk remaining after security measures have been applied.

A. Vulnerability
B. Risk Assessment
C. Inherent Risk
D. Residual Risk

Answer 49

D. Residual Risk

Question 50

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

A. Asset
B. Threat
C. Risk
D. Vulnerability

Answer 50

C. Risk

Question 51

The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations and the nation, resulting from the operation of a system.

A. Risk Assessment
B. Risk Analysis
C. Residual Risk
D. Risk Response

Answer 51

A. Risk Assessment

Question 52

An individual or group within an organization, led by the senior accountable official for risk management, that helps to ensure that security risk considerations for individual systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and managing risk from individual systems is consistent across the organization, reflects organizational risk tolerance and is considered along with other organizational risks affecting mission/business success.

A. Common Control Provider (CCP)
B. Risk Executive (Function)
C. Systems Security or Privacy Engineer
D. System Development Life Cycle (SDLC)

Answer 52

B. Risk Executive (Function)

Question 53

The program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations and the nation, and includes establishing the context for risk-related activities; assessing risk; responding to risk once determined; and monitoring risk over time.

A. Information Owner
B. Risk Management
C. Risk Analysis
D. Risk Control

Answer 53

B. Risk Management

Question 54

Prioritizing, evaluating and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

A. Security Requirement
B. Adequate Security
C. Risk Mitigation
D. Capability

Answer 54

C. Risk Mitigation

Question 55

Accepting, avoiding, mitigating, sharing or transferring risk to agency operations, agency assets, individuals, other organizations or the nation.

A. Risk Assessment
B. Security Requirement
C. Risk Response
D. Event Identification

Answer 55

C. Risk Response

Question 56

Individual, group or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes.

A. Security Requirement
B. Security Architect
C. Privacy Architect
D. Information System Security Engineer

Answer 56

B. Security Architect

Question 57

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans. See information security architecture.

A. Security Architecture
B. Risk Assessment
C. Security Requirement
D. Security Controls

Answer 57

A. Security Architecture

Question 58

The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information.

A. Adequate Security
B. Security Requirement
C. Information System
D. Security Controls

Answer 58

D. Security Controls

Question 59

Confidentiality, integrity or availability.

A. Privacy Information
B. Security Controls
C. Security Objective
D. Security Requirement

Answer 59

C. Security Objective

Question 60

A requirement levied on an information system or an organization that is derived from applicable laws, executive orders, directives, policies, standards, instructions, regulations, procedures and/or mission/business needs to ensure the confidentiality, integrity and availability of information that is being processed, stored or transmitted. Note: Security requirements can be used in a variety of contexts from high-level policy activities to low-level implementation activities in system development and engineering disciplines.

A. Operational Requirement
B. Security Objective
C. Adequate Security
D. Security Requirement

Answer 60

D. Security Requirement

Security requirements can be used in a variety of contexts from high-level policy activities to low-level implementation activities in system development and engineering disciplines.

Question 61

Risk that arises through the loss of confidentiality, integrity, or availability of information or systems, and that considers impacts to the organization (including assets, mission, functions, image or reputation), individuals, other organizations and the nation.

A. Privacy Risk
B. Impact
C. Security Risk
D. Vulnerability

Answer 61

C. Security Risk

Question 62

The senior official, designated by the head of each agency, who has vision into all areas of the organization, and is responsible for alignment of information security management processes with strategic, operational and budgetary planning processes.

A. Senior Agency Official for Privacy
B. Chief Information Officer
C. Information Steward
D. Senior Accountable Official for Risk Management

Answer 62

D. Senior Accountable Official for Risk Management

Question 63

Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners and information system security officers.

A. Senior Agency Information Security Officer
B. Authorizing Official Designated Representative
C. Security Objective
D. Senior Agency Official for Privacy

Answer 63

A. Senior Agency Information Security Officer

Question 64

The senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with federal laws, regulations and policies relating to privacy; management of privacy risks at the agency; and a central policymaking role in the agency’s development and evaluation of legislative, regulatory and other policy proposals.

A. Information Owner
B. Senior Agency Information Security Officer
C. Privacy Requirement
D. Senior Agency Official for Privacy

Answer 64

D. Senior Agency Official for Privacy

Question 65

Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions. See information system. Note: Systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. Combination of interacting elements organized to achieve one or more stated purposes. Note 1: There are many types of systems. Examples include: general and special-purpose information systems; command, control and communication systems; crypto modules; central processing unit and graphics processor boards; industrial/process control systems; flight control systems; weapons, targeting and fire control systems; medical devices and treatment systems; financial, banking and merchandising transaction systems; and social networking systems. Note 2: The interacting elements in the definition of system include hardware, software, data, humans, processes, facilities, materials and naturally occurring physical entities. Note 3: System of systems is included in the definition of system.

A. System Element
B. Risk Executive (Function)
C. System Development Life Cycle (SDLC)
D. System

Answer 65

D. System

Note: Systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. Combination of interacting elements organized to achieve one or more stated purposes.
Note 1: There are many types of systems. Examples include: general and special-purpose information systems; command, control and communication systems; crypto modules; central processing unit and graphics processor boards; industrial/process control systems; flight control systems; weapons, targeting and fire control systems; medical devices and treatment systems; financial, banking and merchandising transaction systems; and social networking systems. Note 2: The interacting elements in the definition of system include hardware, software, data, humans, processes, facilities, materials and naturally occurring physical entities.
Note 3: System of systems is included in the definition of system.

Question 66

See authorization boundary.

A. System Security Officer
B. System Boundary
C. Authorization Boundary
D. System Component

Answer 66

B. System Boundary

Question 67

A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software and firmware.

A. Common Criteria
B. Information System
C. Environment
D. System Component

Answer 67

D. System Component

Question 68

The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance and ultimately its disposal that instigates another system initiation.

A. System Development Life Cycle (SDLC)
B. System User
C. System Boundary
D. Information System

Answer 68

A. System Development Life Cycle (SDLC)

Question 69

Member of a set of elements that constitute a system.

A. System Security Officer
B. System Privacy Officer
C. System Element
D. System Boundary

Answer 69

C. System Element

Note 1: A system element can be a discrete component, product, service, subsystem, system, infrastructure or enterprise.
Note 2: Each element of the system is implemented to fulfill specified requirements.
Note 3: The recursive nature of the term allows the term system to apply equally when referring to a discrete component or to a large, complex, geographically distributed system-of-systems.
Note 4: System elements are implemented by: hardware, software and firmware that perform operations on data/information; physical structures, devices and components in the environment of operation; and the people, processes and procedures for operating, sustaining and supporting the system elements.
Note 5: System elements and information resources (as defined at 44 U.S.C. Sec. 3502 and in this document) are interchangeable terms as used in this document.

Question 70

Individual with assigned responsibility for maintaining the appropriate operational privacy posture for a system or program.

A. Systems Privacy Engineer
B. System Security Officer
C. System Privacy Officer
D. Senior Agency Official for Privacy

Answer 70

C. System Privacy Officer

Question 71

Individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program.

A. Systems Security Engineer
B. System Privacy Officer
C. System Security Officer
D. System Boundary

Answer 71

C. System Security Officer

Question 72

Individual, or (system) process acting on behalf of an individual, authorized to access a system.

A. Data Security Officer
B. System Component
C. Systems Analyst
D. System User

Answer 72

D. System User

Question 73

Individual assigned responsibility for conducting systems privacy engineering activities.

A. System Privacy Officer
B. Privacy Risk
C. Systems Privacy Engineer
D. Systems Security Engineer

Answer 73

C. Systems Privacy Engineer

Question 74

Individual assigned responsibility for conducting systems security engineering activities.

A. Control Assessor
B. System Security Officer
C. System Privacy Officer
D. Systems Security Engineer

Answer 74

D. Systems Security Engineer

Question 75

Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations or the nation through a system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.

A. Risk
B. Impact
C. Vulnerability
D. Threat

Answer 75

D. Threat

Question 76

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.

A. Impact
B. Vulnerability
C. Threat Event
D. Threat Source

Answer 76

D. Threat Source

Question 77

Weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.

A. Risk
B. Vulnerability
C. Availability
D. Assessor

Answer 77

B. Vulnerability

Note: The term weakness is synonymous with deficiency. Weakness may result in security and/or privacy risks.