Ch. 3 - Select

Question 1

A combination of mutually reinforcing controls implemented by technical means, physical means and procedural means. Such controls are typically selected to achieve a common information security or privacy purpose.

A. Control
B. Capability
C. Privacy Control
D. Hybrid Control

Answer 1

B. Capability

Question 2

A security or privacy control that is inherited by multiple information systems or programs.

A. Crossbar Control
B. Common Control
C. Compensating Controls
D. Hybrid Control

Answer 2

B. Common Control

Question 3

The security and privacy controls implemented in lieu of the controls in the baselines described in NIST Special Publication 800-53 that provide equivalent or comparable protection for a system or organization.

A. Common Control
B. Preventive Controls
C. Compensating Controls
D. System-Specific Control

Answer 3

C. Compensating Controls

Question 4

Maintaining ongoing awareness to support organizational risk decisions.

A. Control Baseline
B. Common Control
C. Continuous Monitoring
D. Environment of Operation

Answer 4

C. Continuous Monitoring

Question 5

The set of controls that are applicable to information or an information system to meet legal, regulatory or policy requirements, as well as address protection needs for the purpose of managing risk.

A. Change Management
B. Control Enhancement
C. Control Baseline
D. Control Revalidation

Answer 5

C. Control Baseline

Question 6

Augmentation of a control to build in additional, but related, functionality to the control, increase the strength of the control or add assurance to the control.

A. Hybrid Control
B. Control Baseline
C. Control Enhancement
D. Compensating Controls

Answer 6

C. Control Enhancement

Question 7

The physical surroundings in which an information system processes, stores and transmits information.

A. Organizational-Defined Control Parameter
B. Security Control Baseline
C. Environment of Operation
D. Information and Information Flows

Answer 7

C. Environment of Operation

Question 8

A security or privacy control that is implemented for an information system in part as a common control and in part as a system-specific control.

A. Common Control
B. Tele-Op Control
C. System-Specific Control
D. Hybrid Control

Answer 8

D. Hybrid Control

Question 9

A situation in which a system or application receives protection from controls (or portions of controls) that are developed, implemented, assessed, authorized and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides.

A. Inheritance
B. Capability
C. Adaptation
D. Tailoring

Answer 9

A. Inheritance

Question 10

The variable part of a control or control enhancement that can be instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a predefined list provided as part of the control or control enhancement.

A. Organizational Tailored Control Baseline
B. Security Control Baseline
C. Common Control
D. Organization-Defined Control Parameter

Answer 10

D. Organization-Defined Control Parameter

Question 11

A control baseline tailored for a defined notional (type of) information system using overlays and/or system-specific control tailoring and intended for use in selecting controls for multiple systems within one or more organizations.

A. Organization Defined Control Parameter
B. Organizational Tailored Control
C. Hybrid Control
D. System-Specific Control

Answer 11

B. Organizational Tailored Control

Question 12

A specification of security or privacy controls, control enhancements, supplemental guidance and other supporting information employed during the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems.

A. Diffusion
B. Thermal Barrier
C. Overlay
D. Tailoring

Answer 12

C. Overlay

Question 13

The administrative, technical and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and manage privacy risks. Note: Controls can be selected to achieve multiple objectives; those controls that are selected to achieve both security and privacy objectives require a degree of collaboration between the organization’s information security program and privacy program.

A. Security Audit
B. Security Control
C. Common Control
D. Privacy Control

Answer 13

D. Privacy Control

Note: Controls can be selected to achieve multiple objectives; those controls that are selected to achieve both security and privacy objectives require a degree of collaboration between the organization’s information security program and privacy program.

Question 14

A collection of controls specifically assembled or brought together by a group, organization or community of interest to address the privacy protection needs of individuals.

A. Security Control Baseline
B. Privacy Control Baseline
C. Tailored Control Baseline
D. Privacy Plan

Answer 14

B. Privacy Control Baseline

Question 15

A formal document that details the privacy controls selected for an information system or environment of operation that are in place or planned for meeting applicable privacy requirements and managing privacy risks; details how the controls have been implemented; and describes the methodologies and metrics that will be used to assess the controls.

A. Backup Site Plan
B. Privacy Plan
C. Privacy Requirement
D. Security Plan

Answer 15

B. Privacy Plan

Question 16

The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity and availability of the system and its information.

A. System-Specific Control
B. Privacy Control
C. Security Control
D. Administrative Control

Answer 16

C. Security Control

Question 17

The set of minimum-security controls defined for a low-impact, moderate-impact or high-impact information system.

A. Security Control Baseline
B. System-Specific Control
C. Common Control
D. Hybrid Control

Answer 17

A. Security Control Baseline

Question 18

Confidentiality, integrity or availability.

A. Security Objective
B. Security Control
C. Security Requirement
D. Security Category

Answer 18

A. Security Objective

Question 19

Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions.

A. Privacy Plan
B. System Element
C. System
D. System Component

Answer 19

C. System

Note: Systems also include specialized systems such as industrial/process control systems, telephone switching and private branch exchange (PBX) systems and environmental control systems. Combination of interacting elements organized to achieve one or more stated purposes.
Note 1: There are many types of systems. Examples include: general and special-purpose information systems; command, control and communication systems; crypto modules; central processing unit and graphics processor boards; industrial/process control systems; flight control systems; weapons, targeting and fire control systems; medical devices and treatment systems; financial, banking and merchandising transaction systems; and social networking systems. Note 2: The interacting elements in the definition of system include hardware, software, data, humans, processes, facilities, materials and naturally occurring physical entities.
Note 3: System of systems is included in the definition of system.

Question 20

A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software and firmware.

A. System-Specific Control
B. Hybrid Control
C. Standard Command Port
D. System Component

Answer 20

D. System Component

Question 21

Member of a set of elements that constitute a system.

A. System Component
B. System
C. System Element
D. Privacy Plan

Answer 21

C. System Element

Note 1: A system element can be a discrete component, product, service, subsystem, system, infrastructure or enterprise.
Note 2: Each element of the system is implemented to fulfill specified requirements.
Note 3: The recursive nature of the term allows the term system to apply equally when referring to a discrete component or to a large, complex, geographically distributed system-of-systems.
Note 4: System elements are implemented by: hardware, software and firmware that perform operations on data/information; physical structures, devices and components in the environment of operation; and the people, processes and procedures for operating, sustaining and supporting the system elements.
Note 5: System elements and information resources (as defined at 44 U.S.C. Sec. 3502 and in this document) are interchangeable terms as used in this document.

Question 22

A security or privacy control for an information system that is implemented at the system level and is not inherited by any other information system.

A. Hybrid Control
B. System-Specific Control
C. Common Control
D. System Component

Answer 22

B. System-Specific Control

Question 23

A set of controls resulting from the application of tailoring guidance to a control baseline.

A. Hybrid Control
B. Tailored Control Baseline
C. Tailoring
D. Scoping Control

Answer 23

B. Tailored Control Baseline

Question 24

The process by which security control baselines are modified by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning specific values to agency-defined control parameters, supplementing baselines with additional controls or control enhancements and providing additional specification information for control implementation.

A. Common Control
B. Tailoring
C. Baseline
D. Overlay

Answer 24

B. Tailoring

The tailoring process may also be applied to privacy controls.