Prepare

Question 1

Security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.

Answer 1

Adequate Security

Question 2

The process an organization employs to assign security or privacy requirements to an information system or its environment of operation; or to assign controls to specific system elements responsible for providing a security or privacy capability (e.g., router, server, remote sensor).

Answer 2

Allocation

Question 3

A software program hosted by an information system.

Answer 3

Application

Question 4

The individual, group, or organization responsible for conducting a security or privacy assessment.

Answer 4

Assessor

Question 5

System and subsystem components that must be protected, including but not limited to: all hardware, software, data, personnel, supporting physical environment and environmental systems, administrative support and supplies.

Answer 5

Asset

Question 6

All components of an information system to be authorized for operation by an authorizing official.

This excludes separately authorized systems to which the information system is connected.

Answer 6

Authorization Boundary

Question 7

A senior federal official or executive with the authority to authorize (i.e., assume responsibility for) the operation of an information system or the use of a designated set of common controls at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the nation.

Answer 7

Authorizing Official

Question 8

An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with the authorization process.

Answer 8

Authorizing Official Designated Representative

Question 9

Ensuring timely and reliable access to and use of information.

Answer 9

Availability

Question 10

A combination of mutually reinforcing controls implemented by technical means, physical means, and procedural means. Such controls are typically selected to achieve a common information security or privacy purpose.

Answer 10

Capability

Question 11

The senior official that provides advice and other assistance to the head of the agency and other senior management personnel of the agency to ensure that IT is acquired and information resources are managed for the agency in a manner that achieves the agency’s strategic goals and information resources management goals; and is responsible for ensuring agency compliance with, and prompt, efficient, and effective implementation of, the information policies and information resources management responsibilities, including the reduction of information collection burdens on the public.

Answer 11

Chief Information Officer

Question 12

Another name for “Chief Information Security Officer.”

Answer 12

Senior Agency Information Security Officer

Question 13

A security or privacy control that is inherited by multiple information systems or programs.

Answer 13

Common Control

Question 14

An organizational official responsible for the development, implementation, assessment, and monitoring of common controls.

Answer 14

Common Control Provider

Question 15

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Answer 15

Confidentiality

Question 16

Maintaining ongoing awareness to support organizational risk decisions.

Answer 16

Continuous Monitoring

Question 17

A program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls.

Answer 17

Continuous Monitoring Program

Question 18

The individual, group, or organization responsible for conducting a control assessment.

Answer 18

Assessor

Question 19

An organization with a defined mission/goal and a defined boundary, using systems to execute that mission, and with responsibility for managing its own risks and performance.

Answer 19

Enterprise

Question 20

A strategic information asset base, which defines the mission; the information necessary to perform the mission; the technologies necessary to perform the mission; and the transitional processes for implementing new technologies in response to changing mission needs; and includes a baseline architecture; a target architecture; and a sequencing plan.

Answer 20

Enterprise Architecture

Question 21

The physical surroundings in which an information system processes, stores, and transmits information.

Answer 21

Environment of Operation

Question 22

A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.

Answer 22

Federal Enterprise Architecture

Question 23

An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

Answer 23

Federal Information System

Question 24

With respect to security, the effect on organizational operations, organizational assets, individuals, other organizations, or the nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or a system.

Answer 24

Impact

Question 25

Another name for “Impact Level.”

Answer 25

Impact Value

Question 26

The assessed worst-case potential impact that could result from a compromise of the confidentiality, integrity, or availability of information expressed as a value of low, moderate or high.

Answer 26

Impact Value

Question 27

Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic, or audiovisual forms.

Answer 27

Information

Question 28

The stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion.

Answer 28

Information Life Cycle

Question 29

Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

Answer 29

Information Owner

Question 30

The protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity and availability.

Answer 30

Information Security

Question 31

An embedded, integral part of the enterprise architecture that describes the structure and behavior of the enterprise security processes, security systems, personnel and organizational subunits, showing their alignment with the enterprise’s mission and strategic plans.

Answer 31

Information Security Architecture

Question 32

The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or systems.

Answer 32

Information Security Risk

Question 33

An agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination and disposal.

Answer 33

Information Steward

Question 34

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.

Answer 34

Information System

Question 35

Any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.

Answer 35

Information Technology

Question 36

For purposes of this definition, such services or equipment if used by the agency directly or is used by a contractor under a contract with the agency that requires its use; or to a significant extent, its use in the performance of a service or the furnishing of a product.

Answer 36

Information Technology

Question 37

Ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability protections through the application of cost-effective security controls.

Answer 37

Adequate Security

Question 38

With respect to privacy, the adverse effects that individuals could experience when an information system processes their PII.

Answer 38

Impact

Question 39

A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management) defined by an organization or in some instances, by a specific law, executive order, directive, policy, or regulation.

Answer 39

Information Type

Question 40

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Answer 40

Integrity

Question 41

An entity of any size, complexity, or positioning within an organizational structure (e.g., federal agencies, private enterprises, academic institutions, state, local, or tribal governments or, as appropriate, any of their operational elements).

Answer 41

Organization

Question 42

Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

Answer 42

Personally Identifiable Information (PII)

Question 43

Individual, group, or organization responsible for ensuring that the system privacy requirements necessary to protect individuals’ privacy are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and information systems processing PII.

Answer 43

Privacy Architect

Question 44

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s privacy protection processes, technical measures, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.

Answer 44

Privacy Architecture

Question 45

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s privacy protection processes, technical measures, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.

Answer 45

Privacy Control

Question 46

Information that describes the privacy posture of an information system or organization.

Answer 46

Privacy Information

Question 47

A formal document that details the privacy controls selected for an information system or environment of operation that are in place or planned for meeting applicable privacy requirements and managing privacy risks, details how the controls have been implemented, and describes the methodologies and metrics that will be used to assess the controls.

Answer 47

Privacy Plan

Question 48

A requirement that applies to an information system or an organization that is derived from applicable laws, executive orders, directives, policies, standards, regulations, procedures, and/or mission/business needs with respect to privacy.

Answer 48

Privacy Requirement

Question 49

Risk to an individual or individuals associated with the agency’s creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of their PII.

Answer 49

Privacy Risk

Question 50

Portion of risk remaining after security measures have been applied.

Answer 50

Residual Risk

Question 51

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of:

(i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs.

(ii) the likelihood of occurrence.

Answer 51

Risk

Question 52

The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation, resulting from the operation of a system.

Answer 52

Risk Assessment

Question 53

An individual or group within an organization, led by the senior accountable official for risk management, that helps to ensure that security risk considerations for individual systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and managing risk from individual systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.

Answer 53

Risk Executive (Function)

Question 54

The program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the nation, and includes: establishing the context for risk-related activities; assessing risk; responding to risk once determined; and monitoring risk over time.

Answer 54

Risk Management

Question 55

Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

Answer 55

Risk Mitigation

Question 56

Accepting, avoiding, mitigating, sharing, or transferring risk to agency operations, agency assets, individuals, other organizations, or the nation.

Answer 56

Risk Response

Question 57

Individual, group or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes.

Answer 57

Security Architect

Question 58

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.

Answer 58

Security Architecture

Question 59

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Answer 59

Security Controls

Question 60

(i.) Confidentiality
(ii.) Integrity
(iii.) Availability

Answer 60

Security Objective

Question 61

A requirement levied on an information system or an organization that is derived from applicable laws, executive orders, directives, policies, standards, instructions, regulations, procedures, and/or mission/business needs to ensure the confidentiality, integrity, and availability of information that is being processed, stored, or transmitted.

Answer 61

Security Requirement

Question 62

Risk that arises through the loss of confidentiality, integrity, or availability of information or systems and that considers impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the nation.

Answer 62

Security Risk

Question 63

The senior official, designated by the head of each agency, who has vision into all areas of the organization and is responsible for alignment of information security management processes with strategic, operational, and budgetary planning processes.

Answer 63

Senior Accountable Official for Risk Management

Question 64

Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.

Answer 64

Senior Agency Information Security Officer

Question 65

The senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with federal laws, regulations and policies relating to privacy; management of privacy risks at the agency; and a central policymaking role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.

Answer 65

Senior Agency Official for Privacy

Question 66

Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions.

Answer 66

System

Question 67

Another name for “Authorization Boundary.”

Answer 67

System Boundary

Question 68

A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware.

Answer 68

System Component

Question 69

The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.

Answer 69

System Development Life Cycle (SDLC)

Question 70

Member of a set of elements that constitute a system.

Answer 70

System Element

Question 71

Individual assigned responsibility for conducting systems privacy engineering activities.

Answer 71

Systems Privacy Engineer

Question 72

Individual with assigned responsibility for maintaining the appropriate operational privacy posture for a system or program.

Answer 72

Systems Privacy Officer

Question 73

Individual assigned responsibility for conducting systems security engineering activities.

Answer 73

Systems Security Engineer

Question 74

Individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program.

Answer 74

Systems Security Officer

Question 75

Individual, or (system) process acting on behalf of an individual, authorized to access a system.

Answer 75

System User

Question 76

Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Answer 76

Threat

Question 77

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.

Answer 77

Threat Source

Question 78

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Answer 78

Vulnerability