Which one of the following publications provides details of the monitoring security control?

Which of the following groups represents the most likely source of an asset loss through the inappropriate use of computers?

A. Employees

B. Hackers

C. Visitors

D. Customers

A. Employees

FISMA charges which one of the following agencies with the responsibility of overseeing the security policies and practices of all agencies of the executive branch of the Federal government?

A. Office of Management and Budget (OMB)

B. National Institute of Standards and Technology (NIST)

C. National Security Agency (NSA)

D. Department of Justice

A. Office of Management and Budget (OMB)

Which one of the following publications provides details of the monitoring security control?

A. NIST SP 800-53

B. NIST SP 800-42

C. NIST SP 800-37

D. NIST SP 800-41

C. NIST SP 800-37

Which of the following statements about Discretionary Access Control List (DACL) is true?

A. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.

B. It specifies whether an audit activity should be performed when an object attempts to access a resource.

C. It is a unique number that identifies a user, group, and computer account.

D. It is a rule list containing access control entries.

A. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.

FIPS Publication 199 defines three levels of potential impact to the compromise of confidentiality, integrity, and availability. These levels are:

A. Minimum, Normal, Maximum

B. Low, Moderate, High

C. Unclassified, Confidential, Secret

D. Confidential, Secret, Top Secret

B. Low, Moderate, High

Which of the following individuals is responsible for monitoring the information system environment that can negatively impact the security of the system and its accreditation?

A. Chief Information Security Officer

B. Chief Information Officer

C. Chief Risk Officer

D. Information System Owner

D. Information System Owner

Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?

A. Senior Agency Information Security Officer

B. Authorizing Official

C. Common Control Provider

D. Chief Information Officer

C. Common Control Provider

Which of the following is not a standard phase in the System Authorization Process?

A. Pre-certification

B. Post-authorization

C. Post-certification

D. Certification

C. Post-certification

What is the potential impact if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States?

A. Low

B. Moderate

C. High

D. Limited

A. Low

An assessment procedure consists of a set of which of the following, each with an associated set of potential assessment methods and assessment objects?

A. Assessment objectives

B. Security controls

C. Operational requirements

D. Assessment objects

A. Assessment objectives

This process is used to determine if the security controls in the information system continue to be effective over time in light of the inevitable changes that occur in the system as well as the environment in which the system operates between authorization decisions.

A. Continuous monitoring

B. Configuration management

C. Vulnerability assessment

D. Certification and accreditation

A. Continuous monitoring

Whom does an organization require to conduct an impartial assessment of the security controls employed within or inherited by an information system?

A. Vendor assessor

B. Technical expert

C. Authorization assessor

D. Independent assessor

D. Independent assessor

Which of the following NIST documents provides a guideline for identifying an information system as a National Security System?

A. NIST SP 800-59

B. NIST SP 800-53

C. NIST SP 800-60

D. NIST SP 800-37

A. NIST SP 800-59

Subsequent to a security breach, which of the following techniques is used with the intention of limiting the extent of damage caused by the incident?

A. Corrective controls

B. Preventive controls

C. Change controls

D. Incident controls

A. Corrective controls

What process should be initiated when changes to the information system negatively impact the security of the system or when a period of time has elapsed as specified by agency or federal policy?

A. IS audit

B. Systems acquisition

C. Reauthorization

D. Reclassification of data

C. Reauthorization

Which of the following documents can best aid in selecting controls to be monitored?

A. NIST SP 800-37

B. FISMA

C. FIPS 199

D. NIST SP 800-18

C. FIPS 199

Applying the first three steps in the RMF to legacy systems can be viewed in what way to determine if the necessary and sufficient security controls have been appropriately selected and allocated?

A. Sequential

B. Level of effort

C. Gap analysis

D. Common control

C. Gap analysis

Under which type of access control does a user ID and password system fall?

A. Physical

B. Administrative

C. Power

D. Technical

D. Technical

Which role in the security authorization process is responsible for organizational information systems?

A. IS program manager

B. Designated authorizing official

C. Certification agent

D. User representative

B. Designated authorizing official

What type of assessment procedure is designed to work with and complement the other assessment procedures, contributing to the grounds for confidence in the effectiveness of the security controls employed in the information system?

A. Extended

B. Subordinate

C. Based

D. Cross control

A. Extended

Why would the authorization decision issue a determination of Not Authorized?

A. If the system is not authorized (NA) to process classified information.

B. If it is deemed that the agency level risk is unacceptably high.

C. If the system is mission critical and requires an interim authority to operate.

D. The information system is always accredited without any restrictions or limitations on its operation.

B. If it is deemed that the agency level risk is unacceptably high.

Which of the following persons is responsible for testing and verifying whether the security policy is properly implemented and the derived security solutions are adequate or not?

A. Data owner

B. Data custodian

C. User

D. Auditor

D. Auditor

FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?

A. Level 2

B. Level 1

C. Level 5

D. Level 3

D. Level 3

When does monitoring security controls take place?

A. Before the initial system certification

B. After the initial system security authorization

C. Before and after the initial system security accreditation

D. During the system design phase

B. After the initial system security authorization

NIST SP 800-53A defines three types of interviews depending on the level of assessment conducted. Which of the following NIST SP 800-53A interview types consists of informal and ad hoc interviews?

A. Substantial

B. Abbreviated

C. Comprehensive

D. Significant

B. Abbreviated

The British Standard BS7799 was the basis for which of the following standards?

A. ISO/IEC 154508

B. ISO/IEC 17799

C. ICO/ICE 17799

D. Executive Order (E.O.) 13231

B. ISO/IEC 17799

If an organization shares a client's financial and personal details with other companies without the prior consent of the individuals, which of the following Internet laws is that organization violating?

A. Security law

B. Copyright law

C. Privacy law

D. Trademark law

C. Privacy law

Which of the following NIST Special Publication documents provides a guideline on network security testing?

A. NIST SP 800-53A

B. NIST SP 800-53

C. NIST SP 800-42

D. NIST SP 800-37

C. NIST SP 800-42

How many steps are defined in the RMF process?

A. Three

B. Four

C. Six

D. Five

C. Six

Which of the following statements about the authentication concept of information security management is true?

A. It ensures that modifications are not made to data by unauthorized personnel or processes.

B. It determines the actions and behaviors of a single individual within a system and identifies that particular individual.

C. It ensures the reliable and timely access to resources.

D. It establishes the identity of users and ensures that the users are who they say they are.

D. It establishes the identity of users and ensures that the users are who they say they are.

Which of the following classification levels defines information that, if disclosed to unauthorized parties, could reasonably be expected to cause exceptionally grave damage to national security?

A. Top Secret information

B. Secret information

C. Confidential information

D. Unclassified information

A. Top Secret information

Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?

A. The data owner implements the information classification scheme after the initial assignment by the custodian.

B. The custodian implements the information classification scheme after the initial assignment by the operations manager.

C. The data custodian implements the information classification scheme after the initial assignment by the data owner.

D. The custodian makes the initial information classification assignments and the operations manager implements the scheme.

C. The data custodian implements the information classification scheme after the initial assignment by the data owner.

FIPS 200 provides how many minimum security requirements for federal information and information systems? The requirements represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting the CIA of federal information and information systems.

A. 5

B. 17

C. 21

D. 10

B. 17

This stakeholder's involvement is required to determine acceptable residual risk; the stakeholder also advises the development team if the risks associated with eventual operation of the system appear to be unacceptable.

A. Authorization Official

B. Acceptance Official

C. Accreditation Officer

D. Assessment Officer

C. Accreditation Officer

Security categorization of a National Security System must consider the security categories of all information types resident on it.

A. True

B. False

A. True

During the security impact analysis, vulnerabilities were uncovered in the information system. Which of the following documents should address the outstanding items?

A. Plan of action and milestones

B. System security plan

C. System discrepancy plan

D. System deficiency plan

A. Plan of action and milestones

Which of the following governance bodies directs and coordinates implementations of the information security program?

A. Chief Information Security Officer

B. Information Security Steering Committee

C. Senior Management

D. Business Unit Manager

A. Chief Information Security Officer

The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner. The authorization decision document contains all of the following information except?

A. Authorization decision

B. Terms and conditions for the authorization

C. Approving revisions to the SSAA

D. Authorization termination date

C. Approving revisions to the SSAA

Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?

A. FISMA

B. Computer Fraud and Abuse Act

C. Lanham Act

D. Computer Misuse Act

A. FISMA

The security authorization package contains multiple key documents enabling the authorizing officials to make risk-based authorization decisions. Which of the following documents is not part of the package?

A. The security plan

B. The security assessment report

C. The plan of action and milestones

D. The security service level agreements

D. The security service level agreements

Which of the following would be an accurate description of the role of the ISSO in the RMF process?

A. The ISSO determines whether a system is ready for certification and conducts the certification process.

B. The operational interests of system users are vested in the ISSO.

C. The ISSO coordinates all aspects of the system from initial concept through development to implementation and system maintenance.

D. The ISSO is responsible to the DAA for maintaining the appropriate operational security posture for an information system or program.

D. The ISSO is responsible to the DAA for maintaining the appropriate operational security posture for an information system or program.

Which of the following activities is not an element of monitoring security controls?

A. Operation and maintenance

B. Security control monitoring and impact analyses

C. Status reporting and documentation

D. Configuration management and control

A. Operation and maintenance

The guidelines in this publication apply to the security controls defined in NIST Special Publication 800-53 in an effort to enable more consistent, comparable, and repeatable assessments of security controls.

A. SP 800-53

B. SP 800-53A

C. SP 800-37

D. FIPS 200

B. SP 800-53A

Change management is initiated under which phase?

A. Select security controls

B. Categorize information system

C. Authorize information system

D. Monitor security controls

D. Monitor security controls

Who is primarily responsible for categorizing the Information System?

A. IS program manager

B. CIO

C. Information system owner

D. System architect

C. Information system owner

What is the potential impact if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States?

A. Low

B. Moderate

C. Severe

D. High

D. High

Concerning residual risk, which of the following statements is true?

A. It is a weakness or lack of control that can be exploited by a risk.

B. It is an indicator of threats coupled with vulnerability.

C. It is the possible risk after implementing all security measures.

D. It is the possible risk prior to implementing all security measures.

C. It is the possible risk after implementing all security measures.

FISMA assigned the responsibility for developing standards to be used by all Federal agencies to categorize all information and information systems to which one of the following organizations?

A. OMB

B. NIST

C. NSA

D. DoD

B. NIST

Which of the following is a standard that sets essential requirements for assessing the effectiveness of computer security controls built into a computer system?

A. FITSAF

B. TCSEC

C. FIPS

D. SSAA

B. TCSEC

The first item listed in the system security plan is the system name and identifier. As required in OMB Circular A-11, each system should be assigned a name and unique identifier. The assignment of a unique identifier supports the agency's ability to do what?

A. Collect agency information and security metrics specific to the system.

B. Establish budget auditability.

C. Identify risks associated with location.

D. Create an RTM.

A. Collect agency information and security metrics specific to the system.