Practice Test 1 Flashcards

1
Q

An event or situation that has the potential for causing undesirable consequences or impact.

A. Threat Event
B. Threat Assessment
C. Threat Source
D. Threat Scenario

A

A. Threat Event

2
Q

In which type of access control do user ID and password system come under?

A. Administrative
B. Technical
C. Power
D. Physical

A

B. Technical

3
Q

The Organization Level (Tier 1) strategy addresses/requires...

A. Assessment of Risks
Evaluation of Risks
Mitigation of Risks
Acceptance of Risk
Monitoring Risk
Risk Management Strategy Oversight

B. Mitigation of Risks
Acceptance of Risk
Monitoring Risk
Risk Management Strategy Oversight
Assessment of Risks
Evaluation of Risks

C. Acceptance of Risk
Assessment of Risks
Evaluation of Risks
Mitigation of Risks
Monitoring Risk
Risk Management Strategy Oversight

D. Evaluation of Risks
Mitigation of Risks
Acceptance of Risk
Monitoring Risk
Assessment of Risks
Risk Management Strategy Oversight

A

A. Assessment of Risks
Evaluation of Risks
Mitigation of Risks
Acceptance of Risk
Monitoring Risk
Risk Management Strategy Oversight

4
Q

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.

A. Adversary
B. Enterprise
C. Countermeasures
D. Assurance

A

A. Adversary

5
Q

Choose from the following options the U.S. government repository of standards-based vulnerability management data where you can easily find the NIST standards for guidance on continuous monitoring.

A. NIST SP 800-37
B. NVD
C. SCAP
D. ISCM

A

B. NVD (National Vulnerability Database)

6
Q

In the case of a complex information system, where a “leveraged authorization” that involves two agencies will be conducted, what is the minimum number of system boundaries/accreditation requirements boundaries that can exist?

A. Only one
B. Only two, because there are two agencies.
C. At least two
D. A leveraged authorization cannot be conducted with more than one agency involved.

A

A. Only one.

7
Q

What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected?

A. The system is given an Authority to Operate (ATO)
B. The remediated controls are reassessed.
C. The assessment report is generated.
D. The original assessment results are changed.

A

B. The remediated controls are reassessed.

8
Q

You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you’re creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance?

A. Sharing
B. Avoidance
C. Transference
D. Exploiting

A

C. Transference

9
Q

Which of the following are the goals of risk management?
Each correct answer represents a complete solution. Choose three.

A. Finding an economic balance between the impact of the risk and the cost of the countermeasure
B. Identifying the risk
C. Assessing the impact of potential threats
D. Identifying the accused

A

A. Finding an economic balance between the impact of the risk and the cost of the countermeasure
B. Identifying the risk
C. Assessing the impact of potential threats

10
Q

What would be the impact level due to the loss of CIA that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations or the nation?

A. Low impact level
B. Medium impact level
C. Moderate impact level
D. High impact level

A

D. High impact level

11
Q

Which of the following is not an authorization decision identified in the RMF?

A. Authorization to operate
B. Denial of authorization to operate
C. Common control authorization
D. All of the above

A

D. All of the above

12
Q

The sensitivity of a system is based on the _________ processed, stored, and transmitted by the system.

A. Data
B. Program
C. Image
D. Signal

A

A. Data

13
Q

Which of the following terms related to risk management represents the estimated frequency at which a threat is expected to occur?

A. Safeguard
B. Single Loss Expectancy (SLE)
C. Exposure Factor (EF)
D. Annualized Rate of Occurrence (ARO)

A

D. Annualized Rate of Occurrence (ARO)

14
Q

Where would you find standard guidance for determining an organization’s risk appetite?

A. NIST SP 800-39
B. NIST SP 800-50
C. NIST SP 800-37
D. NIST SP 800-53

A

A. NIST SP 800-39

15
Q

The FISMA defines three security objectives for information and information systems:

A. CONFIDENTIALITY, INTEGRITY and AVAILABILITY
B. INTEGRITY, AVAILABILITY and AUTHENTICITY
C. AVAILABILITY, AUTHENTICITY and CONFIDENTIALITY
D. AUTHENTICITY, CONFIDENTIALITY and INTEGRITY

A

A. CONFIDENTIALITY, INTEGRITY and AVAILABILITY

16
Q

Which of the following tasks are identified by the Plan of Action and Milestones document? Each correct answer represents a complete solution. Choose all that apply.

A. The plans that need to be implemented
B. The resources needed to accomplish the elements of the plan
C. Any milestones that are needed in meeting the tasks
D. The tasks that are required to be accomplished
E. Scheduled completion dates for the milestones

A

B. The resources needed to accomplish the elements of the plan
C. Any milestones that are needed in meeting the tasks
D. The tasks that are required to be accomplished
E. Scheduled completion dates for the milestones

17
Q

Authentication ensures that system users are who they say they are. At Colvine Tech, a system user must prove identity by providing an email address, a password, and the answer to a security question before being given logical access.
What factor of authentication fits this requirement?

A. Multi-factor authentication
B. Authentication and accountability
C. Single-factor authentication
D. Dual-factor authentication

A

C. Single-factor authentication

18
Q

The ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning.

A. Resilience
B. Fragile
C. Inanimate
D. Silence

A

A. Resilience

19
Q

A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.

A. Disaster Recovery Plan (DRP)
B. Common Vulnerability Scoring System (CVSS)
C. Continuity of Operations Plan (COOP)
D. Common Vulnerability and Exposures (CVE)

A

A. Disaster Recovery Plan (DRP)

20
Q

The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

A. Potential Impact
B. High Impact
C. Low Impact
D. Moderate Impact

A

A. Potential Impact

21
Q

Which of the following techniques are used after a security breach and are intended to limit the extent of any damage caused by the incident?

A. Safeguards
B. Preventive controls
C. Detective controls
D. Corrective controls

A

D. Corrective controls

22
Q

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

A. Authorization (to operate)
B. Systems operated
C. Security Authorization
D. Senior Organizational

A

A. Authorization (to operate)

23
Q

Which of the following are the common roles with regard to data in an information classification system program?
Each correct answer represents a complete solution. Choose all that apply.

A. Custodian
B. User
C. Security auditor
D. Editor
E. Owner

A

A. Custodian
B. User
C. Security auditor
E. Owner

24
Q

What RMF artifact establishes the scope of protection for an IS and encompasses the people, processes, and information technology that are part of the system?

A. System Boundary
B. Risk Management Framework
C. Authorize
D. Categorization

A

A. System Boundary

25
Q

The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries).

A. High Impact
B. Low Impact
C. Medium Impact
D. Moderate Impact

A

A. High Impact

26
Q

The findings from a security control assessment are documented in which of the following documents?

A. Security Assessment Plan (SAP)
B. Plan of Action & Milestones (POA&M)
C. Security Assessment Report (SAR)
D. System Security and Privacy Plan

A

C. Security Assessment Report (SAR)

27
Q

The security control type for an information system that is primarily implemented and executed by people (as opposed to systems).

A. Operational
B. Technical
C. Organizational
D. Implementation

A

A. Operational

28
Q

The security controls for an information system that are primarily implemented by people (as opposed to systems) are known as

A. Management controls
B. Operational controls
C. Technical controls
D. Logical controls

A

B. Operational controls

29
Q

The authorizing official may determine that additional information supporting the authorization package is needed. The additional documentation may include all but one of the following.

A. Plan of action and milestones
B. Risk assessments
C. Contingency plans
D. Supply chain risk management plans

A

A. Plan of action and milestones

30
Q

A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.

A. Federal Enterprise Architecture
B. Net-Centric Architecture
C. Industry Standard Architecture
D. Enterprise Architecture

A

A. Federal Enterprise Architecture

31
Q

You are working as a project manager in your organization. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities.
For your project archives, which one of the following is an output of risk monitoring and control?

A. Quantitative risk analysis
B. Qualitative risk analysis
C. Requested changes
D. Risk audits

A

C. Requested changes

32
Q

Defining the types of information needed by the organization to successfully carry out identified missions and business processes as well as defining the organization’s internal and external information flows.

A. NIST SP 800-60
B. NIST SP 800-57
C. NIST SP 800-50
D. NIST SP 800-37

A

A. NIST SP 800-60

33
Q

The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

A. Security Control Baseline
B. Minimum Security Baselines
C. None of these
D. Revised Control Baseline

A

A. Security Control Baseline

34
Q

The security category of information 1 is determined to be: confidentiality, Low; integrity, Moderate; and availability, Moderate. The security category of information 2 is determined to be: confidentiality, Not Applicable; integrity, Low; and availability, Moderate. What is the overall security category?

A. Security Category information type = (confidentiality, NOT APPLICABLE), (integrity, LOW), (availability, MODERATE)
B. Security Category information type = (confidentiality, LOW), (integrity, LOW), (availability, MODERATE)
C. Security Category information type = (confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, HIGH)
D. Security Category information type = (confidentiality, LOW), (integrity, MODERATE), (availability, MODERATE)

A

D. Security Category information type = (confidentiality, LOW), (integrity, MODERATE), (availability, MODERATE)

35
Q

The emphasis of the revised NIST SP 800-37 process is on...
Choose all that apply.

A. Building information security controls into government information systems by applying up-to-date management, operational and technical security controls.
B. Maintaining awareness of the security posture of information systems through the application of “enhanced monitoring processes.”
C. Providing senior leaders essential information to facilitate decision making with regard to risk acceptance.
D. Creating a secured environment to provide guidance to individuals involved in securing information systems.
E. Developing leadership to use, analyze and manage technical security of government information systems.

A

A. Building information security controls into government information systems by applying up-to-date management, operational and technical security controls.
B. Maintaining awareness of the security posture of information systems through the application of “enhanced monitoring processes.”
C. Providing senior leaders essential information to facilitate decision making with regard to risk acceptance.

36
Q

Which of the following is NOT an objective of the security program?

A. Security plan
B. Security education
C. Security organization
D. Information classification

A

A. Security plan

37
Q

Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?

A. Definition, Validation, Verification, and Post Accreditation
B. Verification, Definition, Validation, and Post Accreditation
C. Verification, Validation, Definition, and Post Accreditation
D. Definition, Verification, Validation, and Post Accreditation

A

D. Definition, Verification, Validation, and Post Accreditation

38
Q

Prepare, Categorize, Select, and Implement are steps or phases of the Risk Management Framework which can be described as

A. The certification phase of the system authorization plan
B. The pre-certification phase of the system authorization plan
C. The authorization phase of the system authorization plan
D. The post-authorization phase of the system authorization plan

A

B. The pre-certification phase of the system authorization plan

39
Q

A citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc.

A. Individual
B. Combined
C. Private
D. Mixed

A

A. Individual

40
Q

The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator.

A. Authenticity
B. Validity
C. Complexity
D. Responsibility

A

A. Authenticity

41
Q

In which of the following elements of security does the object retain its veracity and is intentionally modified by the authorized subjects?

A. Integrity
B. Nonrepudiation
C. Availability
D. Confidentiality

A

A. Integrity

42
Q

What is the purpose of a Privacy Impact Assessment?

A. To determine the extent to which proposed or actual changes to the system or its environment of operation can affect or have affected the system’s security posture.
B. To determine the level of impact of the violation of the confidentiality of PII.
C. To determine if the information system processes PII.
D. To determine the level of violation of CIA.

A

B. To determine the level of impact of the violation of the confidentiality of PII.

43
Q

A discrete set of resources organized for the collection, processing, maintenance, or disposition of information best describes one of the following

A. An information system
B. General Support System (GSS)
C. An IT infrastructure
D. A Major Application

A

A. An information system

44
Q

Who is primarily responsible for the withdrawal and decommissioning of an information system?

A. Security Architect
B. Senior Information System Security Officer
C. Information System Security Engineer
D. Information System Owner

A

D. Information System Owner

45
Q

Tailoring refers to the process by which a security control baseline is modified based on all but one of the following:

A. The security categorization of the information system
B. The application of scoping guidance
C. The specification of compensating controls
D. The specification of organization-defined parameters in controls via explicit assignment and selection statements.

A

A. The security categorization of the information system

46
Q

Which of the following statements about the authentication concept of information security management is true?

A. It determines the actions and behaviors of a single individual within a system and identifies that particular individual.
B. It ensures that modifications are not made to data by unauthorized personnel or processes.
C. It establishes the identity of users and ensures that the users are who they say they are.
D. It ensures the reliable and timely access to resources.

A

C. It establishes the identity of users and ensures that the users are who they say they are.

47
Q

What is the first SDLC phase, which maps to the first two RMF steps (Categorization, Select Controls)?

A. Initiation
B. Categorization
C. Implementation
D. Disposition

A

A. Initiation

48
Q

True or False: After an ATO is granted, ongoing continuous monitoring is performed on all identified security controls as well as the physical environment, etc.

A. True
B. False

A

A. True

49
Q

The security control assessor for Colvine Tech will be conducting a comprehensive level assessment on an information system at Colvine Tech. Which controls must be assessed separately, not by the assessor for Colvine Tech?

A. Common Controls
B. Management controls
C. Failed controls
D. Alternative controls

A

A. Common Controls

50
Q

What is the comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system?

A. Certification
B. Examination
C. Operation
D. Information

A

A. Certification

51
Q

A security assessment plan comprises all of the following except one:

A. Scope
B. Methodology
C. Recommendations for remediation
D. Rules of engagement

A

C. Recommendations for remediation

52
Q

Which NIST Special Publication provides guidance on security-focused configuration management?

A. NIST SP 800-128
B. NIST SP 800-37
C. NIST SP 800-30
D. NIST SP 800-137

A

A. NIST SP 800-128

53
Q

The authorization boundary of a system undergoing assessment comprises:

A. The information System (IS) elements to be authorized for operation.
B. Any elements or systems specified by the Chief Information Owner (CIO).
C. Any components found within the given Internet Protocol (IP) range.
D. The information System (IS) elements to be authorized for operation as well as interconnected systems.

A

A. The information System (IS) elements to be authorized for operation.

54
Q

Which of the following BEST describes the objective of a Security Assessment Plan?

A. It provides a detailed roadmap for how the assessment will be conducted.
B. It provides an assessment process for the integration of software and hardware.
C. It describes how to verify the change control and Configuration Management (CM) practices.
D. It ensures that changes made during system development are included in security assessments.

A

A. It provides a detailed roadmap for how the assessment will be conducted.

55
Q

You are the project manager for a construction project. The project includes work that involves very high financial risks. You decide to insure the processes so that any mishap can be compensated.
Which type of strategy have you used to deal with the risks involved with that particular work?

A. Transfer
B. Mitigate
C. Accept
D. Avoid

A

A. Transfer

56
Q

Security categorization of a National Security System must consider the security categories of all information types resident on it.

A. True
B. False

A

A. True

57
Q

The Security Category that primarily deals with preserving authorized restrictions on information access and disclosure.

A. Confidentiality
B. Availability
C. Integrity
D. Authenticity

A

A. Confidentiality

58
Q

As indicated in NIST SP 800-37 and NIST SP 800-53, the RMF provides architectural description inputs to the risk management strategy, including mission/business processes, FEA reference models, segment and solution architecture, and:

A. Information security requirements
B. Information system boundaries
C. Laws, directives and policy guidance
D. Strategic goals and objectives

A

C. Laws, directives and policy guidance

59
Q

An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.

A. General Support System
B. Recovery Point Objective
C. Internal Security Testing
D. Recovery Point Objective

A

A. General Support System

60
Q

Who has the responsibility to review and ensure that only substantive items are incorporated in the plan of action and milestones?

A. Information System Owner
B. Common Control Provider
C. Authorizing Official
D. Information Owner

A

C. Authorizing Official

61
Q

An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.

A. Major Application
B. Humble Application
C. Slight Application
D. Worthless Application

A

A. Major Application

Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.

62
Q

Which of the following governance bodies directs and coordinates implementations of the information security program?

A. Information Security Steering Committee
B. Senior Management
C. Business Unit Manager
D. Chief Information Security Officer

A

D. Chief Information Security Officer

63
Q

Not all deficiencies in controls or lack of security protections are vulnerabilities. Vulnerabilities in control can be defined as:

A. Only deficiencies that can be exploited
B. Missing patches
C. All deficiencies in the controls
D. Acceptable risks to the organization

A

A. Only deficiencies that can be exploited

64
Q

Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?

A. FITSAF
B. TCSEC
C. FIPS
D. SSAA

A

B. TCSEC

65
Q

The scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation and maintenance, and ultimately its disposal, which instigates another system initiation, best describes

A. Information system
B. System Development Life Cycle (SDLC)
C. Authorization Process
D. IT infrastructure

A

B. System Development Life Cycle (SDLC)

66
Q

A fundamental of Risk Management per NIST SP 800-37 is the integration of information security requirements into an organization’s what?

A. Software Development Life-Cycle
B. Risk Management Framework
C. National Institute of Standards and Technology
D. Chief Information Officer

A

A. Software Development Life-Cycle

67
Q

Which of the following access control models uses a predefined set of access privileges for an object of a system?

A. Discretionary Access Control
B. Mandatory Access Control
C. Policy Access Control
D. Role-Based Access Control

A

B. Mandatory Access Control

68
Q

Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management is the title of what requirement?

A. OMB memorandum M-11-33, FY 2011
B. Clinger-Cohen Act
C. OMB Circular A-130, Appendix III, 1997
D. FISMA, 2002

A

A. OMB memorandum M-11-33, FY 2011

69
Q

According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls.
Which of the following are among the eight areas of IA defined by DoD?
Each correct answer represents a complete solution. Choose all that apply.

A. VI Vulnerability and Incident Management
B. DC Security Design & Configuration
C. EC Enclave and Computing Environment
D. Information systems acquisition, development, and maintenance

A

A. VI Vulnerability and Incident Management

70
Q

Interrelationships of system authorization processes.

A. 1. System Security Authorization Project Planning.
2. System Inventory Process.
3. Assess Sensitivity and Criticality
4. Develop System Security Plan
5. Coordinate Security for Interconnected Systems.
6. Apply Minimum Security Baselines.
7. Assess Risk
8. Develop Security Procedures
9. Conduct Certification Testing
10. Plan for Remediation
11. Create System Authorization Documentation
12. Document the Accreditation Decision
B. 1. System Security Authorization Project Planning.
2. System Inventory Process.
3. Assess Sensitivity and Criticality
4. Develop System Security Plan
5. Create System Authorization Documentation
6. Document the Accreditation Decision
7. Assess Risk
8. Apply Minimum Security Baselines.
9. Develop Security Procedures
10. Conduct Certification Testing
11. Coordinate Security for Interconnected Systems.
12. Plan for Remediation
C. 1. Coordinate Security for Interconnected Systems.
2. Apply Minimum Security Baselines.
3. Assess Risk
4. Develop Security Procedures
5. Document the Accreditation Decision
6. System Inventory Process.
7. Create System Authorization Documentation
8. Develop System Security Plan
9. Conduct Certification Testing
10. System Security Authorization Project Planning.
D. 1. Conduct Certification Testing
2. Plan for Remediation
3. Create System Authorization Documentation
4. Document the Accreditation Decision
5. System Inventory Process.
6. Coordinate Security for Interconnected Systems.
7. Assess Risk
8. Develop System Security Plan
9. System Security Authorization Project Planning.
10. Apply Minimum Security Baselines.

A

A. 1. System Security Authorization Project Planning.
2. System Inventory Process.
3. Assess Sensitivity and Criticality
4. Develop System Security Plan
5. Coordinate Security for Interconnected Systems.
6. Apply Minimum Security Baselines.
7. Assess Risk
8. Develop Security Procedures
9. Conduct Certification Testing
10. Plan for Remediation
11. Create System Authorization Documentation
12. Document the Accreditation Decision

71
Q

NIST SP 800-37 provides guidance for applying RMF to all of which type of information systems for design, development, implementation, operation, maintenance and development?

A. Federal
B. Detach
C. Sell
D. Forfeit

A

A. Federal

72
Q

The official primarily responsible for the security of an information system, who establishes the sensitivity level and the types of controls required to protect the IS and initiates system authorization activities.

A. Information System Owner
B. System Development Life-Cycle
C. Risk Management Framework
D. Designated Representative

A

A. Information System Owner

73
Q

Is it a good or bad idea for the inspecting team to work with host staff to correct weaknesses on the spot when possible?

A. Good
B. Bad
C. Harmful
D. Offensive

A

A. Good

74
Q

Which NIST Special Publication provides guidance on security assessment reports?

A. NIST SP 800-18
B. NIST SP 800-53A
C. NIST SP 800-53
D. NIST SP 800-37

A

B. NIST SP 800-53A

75
Q

When carrying out ongoing risk response, the effectiveness of new, modified, enhanced, or added controls must be…

A. Verified
B. Reassessed
C. Examined
D. Tested

A

B. Reassessed

76
Q

In what step of the RMF process would you create the SSP?

A. Step 1 (Categorization)
B. Step 2 (Recommendations)
C. Step 3 (Mitigation)
D. Step 4 (Determination)

A

A. Step 1 (Categorization)

77
Q

Which organization is responsible for procurement, development, integration, modification, operation, maintenance, and disposal of an Information System?

A. Information System Owner
B. Information system security engineer (ISSE)
C. Chief Information Officer (CIO)
D. Information security architect

A

A. Information System Owner

78
Q

An assessment procedure consists of a set of which things, each with an associated set of potential assessment methods and assessment objects?

A. Assessment objectives
B. Security controls
C. Operational requirements
D. Assessment objects

A

A. Assessment objectives

79
Q

The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner. The authorization decision document contains all of the following information except?

A. Authorization decision
B. Terms and conditions for the authorization
C. Approving revisions to the SSAA
D. Authorization termination date

A

C. Approving revisions to the SSAA

80
Q

During the security impact analysis, vulnerabilities were uncovered in the information system. Which of the following documents should address the outstanding items?

A. Plan of action and milestones
B. System security plan
C. System discrepancy plan
D. System deficiency plan

A

A. Plan of action and milestones

81
Q

Failure to authorize an operational system to process demonstrates that management has not exercised due care in protecting the system in the event of a security incident. Which of the following Acts has been violated?

A. Clinger-Cohen Act of 1996
B. Computer Security Act of 1987
C. FISMA, 2002
D. FIPS 102

A

C. FISMA, 2002

82
Q

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

A. Integrity
B. Authenticity
C. Confidentiality
D. Availability

A

A. Integrity

83
Q

When an Information System Owner applies a risk-based approach to the selection of specific controls, the adjustment is called __________. The revised/tailored control baseline is documented in the system security plan.

A. Tailoring
B. Failing
C. Scoping
D. Passing

A

A. Tailoring

84
Q

The Office of Management and Budget (OMB) works directly for whom?

A. White House Staff
B. Black house Staff
C. Without Staff
D. None of These

A

A. White House Staff

85
Q

Which of the following individuals is responsible for ensuring the security posture of the organization’s information system?

A. Authorizing Official
B. Chief Information Officer
C. Security Control Assessor
D. Common Control Provider

A

A. Authorizing Official

86
Q

Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.

A. Safeguards
B. Subsystem
C. Tailored Security
D. Control Baseline

A

A. Safeguards

87
Q

What is the purpose of the assess step?

A. To find and remediate system vulnerabilities.
B. To determine if the selected controls are implemented correctly, functioning as required, and producing the desired outcome.
C. To identify and eliminate risk factors.
D. To logically test and evaluate information systems.

A

B. To determine if the selected controls are implemented correctly, functioning as required, and producing the desired outcome.

88
Q

Which of the following BEST defines the purpose of security assessment?

A. To determine if the remaining known vulnerabilities pose an acceptable level of risk.
B. To determine the extent to which the security controls are implemented correctly and operating as intended.
C. To perform oversight and monitor the security controls in the information system (IS).
D. To perform initial risk estimate and security categorization of the information system (IS).

A

B. To determine the extent to which the security controls are implemented correctly and operating as intended.

89
Q

The point in time to which data must be recovered after an outage.

A. Recovery Point Objective (RPO)
B. Active Security Testing (AST)
C. Internal Security Testing (IST)
D. General Support System (GSS)

A

A. Recovery Point Objective (RPO)

90
Q

In which RMF step (task 3) are remediation actions conducted based on the results of ongoing monitoring activities, the assessment of risk, and outstanding items in the plan of action and milestones (POA&M)?

A. RMF Step 6, Monitor
B. RMF Step 6, Authorize
C. RMF Step 6, Implement
D. RMF Step 5, Authorize

A

A. RMF Step 6, Monitor

91
Q

Why is the early selection of assessors important to organizations implementing a systems security engineering approach?

A. Early selection of assessors assesses all implemented security controls.
B. Early selection of assessors supports verification and validation activities that occur throughout the system life cycle.
C. Early selection of assessors violates security requirements.
D. Early selection of assessors completes security control assessments in a timely manner.

A

B. Early selection of assessors supports verification and validation activities that occur throughout the system life cycle.

92
Q

Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment?

A. Phase 4
B. Phase 3
C. Phase 2
D. Phase 1

A

B. Phase 3

93
Q

Sam is the project manager of a construction project in south Florida. This area of the United States is prone to hurricanes during certain parts of the year. As part of the project plan, Sam and the project team acknowledge the possibility of hurricanes and the damage a hurricane could do to the project's deliverables, the schedule of the project, and the overall cost of the project.
Once Sam and the project stakeholders acknowledge the risk of the hurricane, they go on planning the project as if the risk is not likely to happen. What type of risk response is Sam using?

A. Mitigation
B. Avoidance
C. Passive acceptance
D. Active acceptance

A

C. Passive acceptance

94
Q

The registration of the system directly follows which Risk Management Framework (RMF) task?

A. Categorize the system
B. Describe the system
C. Review and approve the system security plan
D. Select security controls

A

B. Describe the system

95
Q

Which of the following is an official authorization decision that is focused on specific controls implemented in a defined environment of operation to support one or more systems residing within the environment?

A. Authority to test
B. Facility authorization
C. Type authorization
D. Joint authorization

A

B. Facility authorization

96
Q

The initial security plan for a new application has been approved. What is the next activity in the Risk Management Framework?

A. Assess a selected subset of the security controls inherited by the information system.
B. Assemble the security authorization package.
C. Implement the security controls specified in the system security plan.
D. Develop a strategy for the continuous monitoring of security control effectiveness.

A

C. Implement the security controls specified in the system security plan.

97
Q

What are the phases of the System Development Life Cycle?

A. 1. Initiation
2. Acquisition/Development
3. Implementation
4. Operations/maintenance
5. Disposition
B. 1. Acquisition/Development
2. Implementation
3. Operations/maintenance
4. Disposition
5. Initiation
C. 1. Initiation
2. Disposition
3. Implementation
4. Acquisition/Development
5. Initiation
D. 1. Implementation
2. Operations/maintenance
3. Disposition
4. Acquisition/Development
5. Initiation

A

A. 1. Initiation
2. Acquisition/Development
3. Implementation
4. Operations/maintenance
5. Disposition

98
Q

NIST SP 800-37 defines this role as an organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems).

A. Common Controls Provider
B. Implement Controls
C. Security Controls
D. Common Controls

A

A. Common Controls Provider

99
Q

The security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, and firmware components of the system are known as:

A. Operational controls
B. Physical controls
C. Technical controls
D. Management controls

A

C. Technical controls

100
Q

Test Results should be shown as “meeting standards” or “not meeting standards”; or in short ________, _______.

A. Pass, fail
B. Yes, no
C. True, false
D. Good, bad

A

A. Pass, fail