Risk Management Framework Questions!

By Johnmears
Questions and Answers
  • 1. The Security Control Assessor has just completed the Security Assessment Report. What is the next STEP? [800-37r1]
    • A. Authorize the System
    • B. Prepare the POA&M
    • C. Remediate
    • D. Submit the Security Authorization Package
    • E. Review the SAR and get the SCA to do his/her job correctly
    Correct Answer
    A. Authorize the System
    Explanation
    See NIST SP 800-37, Appendix E

  • 2. The authorization package contains the following documents:
    • A. Security plan;
    • B. Security assessment report; and
    • C. Plan of action and milestones.
    • D. MOR, memorandum on record for your recommendation
    Correct Answer(s)
    A. Security plan;
    B. Security assessment report; and
    C. Plan of action and milestones.
    Explanation
    The correct answer is "Security plan, Security assessment report, and Plan of action and milestones." These three documents make up the authorization package. The Security plan outlines the security measures and protocols to be implemented. The Security assessment report evaluates the effectiveness of the current security measures. The Plan of action and milestones outlines the steps and timeline for addressing any identified security vulnerabilities. The MOR mentioned in the question is not listed as part of the authorization package.

  • 3. Mr. Harris, acting AODR, has just approved the Security Plan. What step is next?
    • A. Categorize
    • B. Implement
    • C. Assess the controls
    • D. Continuous Monitoring
    Correct Answer
    B. Implement
    Explanation
    After Mr. Harris, acting AODR, has approved the Security Plan, the next step is to implement the plan. This involves putting the plan into action and carrying out the measures and procedures outlined in it to secure the system or organization. Implementing the plan is crucial to addressing the identified risks and vulnerabilities and to ensuring the security controls function as intended.

  • 4. Sonny, the ISSO, wants to send a document that is for National Security System determination. Which document has he sent?
    • A. 800-37
    • B. 800-59
    • C. 800-60
    • D. 800-53
    • E. 800-50
    Correct Answer
    B. 800-59
  • 5. During STEP 4 of the RMF process, which primary role has most of the responsibilities?
    • A. ISSO
    • B. ISO
    • C. SCA
    • D. ISSM
    • E. AO
    • F. CIO
    Correct Answer
    C. SCA
    Explanation
    During STEP 4 of the RMF process, the primary role with the most responsibilities is the Security Control Assessor (SCA). The SCA conducts the assessment of the security controls implemented within the system: reviewing and evaluating the effectiveness of the controls, identifying vulnerabilities or weaknesses, and providing recommendations for improvement. The SCA plays a crucial role in ensuring that the system meets the required security standards and is adequately protected against potential threats and risks.

  • 6. There are two types of authorization decisions that can be rendered by authorizing officials: (800-37r1)
    • A. IATT and IATO
    • B. Authorization to operate; and Denial of authorization to operate.
    • C. ATO and IATT
    • D. ATO and ATO with conditions
    Correct Answer
    B. Authorization to operate; and Denial of authorization to operate.
    Explanation
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf Appendix F

  • 7. DSA Ross is disposing of a computer with a CLASSIFICATION of SECRET. The hard drive on this system will not be reused. Using NIST 800-88, "Guidelines for Media Sanitization", which sanitization type should be used for this system?
    • A. Disposal
    • B. Clearing
    • C. Purging
    • D. Destroying
    Correct Answer
    D. Destroying
    Explanation
    The correct answer is "Destroying" because when disposing of a computer with a classification of SECRET, it is necessary to completely destroy the hard drive to ensure that no sensitive information can be recovered. Destroying the hard drive ensures that the data cannot be accessed or reconstructed in any way, providing a higher level of security than other sanitization methods such as clearing or purging.

  • 8. Sona is a SharePoint Administrator on a server with data availability impact classified as high. In case there is a hardware issue, for redundancy they should be using a:
    • A. Hot Site
    • B. Cold site
    • C. Mobile Site
    • D. Mirrored Site
    Correct Answer
    D. Mirrored Site
    Explanation
    A mirrored site would be the appropriate choice for Sona as a SharePoint Administrator on a server with high data availability impact. A mirrored site is a complete replica of the primary site that is continuously updated in real time. This ensures that in case of a hardware issue or any other failure, the mirrored site can seamlessly take over and provide uninterrupted access to the data and services. This level of redundancy and synchronization makes it an ideal solution for high availability scenarios.

  • 9. Fabian has just been appointed to the position of the Security Control Assessor. He downloaded and read NIST Special Publication 800-30, Guide for Conducting Risk Assessments. What is the last step of that process?
    • A. Manage
    • B. Maintain
    • C. Monitor
    • D. Modify
    Correct Answer
    B. Maintain
    Explanation
    After Fabian has conducted the risk assessments, the last step in the process is to maintain. This means that he needs to continuously monitor and update the risk assessment to ensure that it remains accurate and relevant over time. This includes reviewing and revising the assessment as needed, implementing any necessary controls or mitigation strategies, and regularly reassessing the risks to ensure they are effectively managed. By maintaining the risk assessment, Fabian can ensure that the organization's security controls are up to date and aligned with the current threat landscape.

  • 10. FMT Auto has added a Digital Display Unit to a vehicle. They will not be using any antivirus software on the system because it is a standalone system and the AV software would take too much computing power. The AO is OK with leaving the AV software off the system. The STEP 3: RISK RESPONSE for NIST 800-39 would be considered as:
    • A. Risk Avoidance
    • B. Risk Mitigation
    • C. Risk Acceptance
    • D. Risk Sharing or Transfer
    Correct Answer
    C. Risk Acceptance
    Explanation
    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

  • 11. Test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object
    • A. Black box
    • B. White box
    • C. Grey box
    • D. Comprehensive
    Correct Answer
    C. Grey box
    Explanation
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

  • 12. A school has a web page with a phone directory of employees' names and work phone numbers so that members of the public can contact them directly. In this case, the PII confidentiality impact level would be ____
    • A. Not Applicable
    • B. Low
    • C. Moderate
    • D. Medium
    • E. High
    • F. Other
    Correct Answer
    A. Not Applicable
    Explanation
    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

  • 13. FISMA requires the Office of Management and Budget (OMB) to define a major incident and directs agencies to report major incidents to Congress within _______ of identification.
    • A. 30 days
    • B. 7 days
    • C. 90 days
    • D. 4 hours
    • E. 24 hours
    Correct Answer
    B. 7 days
    Explanation
    https://www.us-cert.gov/incident-notification-guidelines

  • 14. Systems that store, communicate, or process trade secrets will generally be assigned at least a _____ confidentiality impact level.
    • A. Moderate
    • B. Low
    • C. Medium
    • D. High
    Correct Answer
    A. Moderate
    Explanation
    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf

  • 15. _______ backup stores files that were created or modified since the last full backup.
    • A. Full
    • B. As needed
    • C. Incremental
    • D. Differential
    Correct Answer
    D. Differential
    Explanation
    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf

  • 16. The legal definitions for Confidentiality, Integrity and Availability are defined within
    • A. Wikipedia
    • B. Federal Information Security Management Act 2002
    • C. Federal Information Security Management Act 2012
    • D. Federal Information Security Modernization Act 2002
    • E. Federal Information Security Modernization Act 2012
    Correct Answer
    B. Federal Information Security Management Act 2002
    Explanation
    The legal definitions for Confidentiality, Integrity and Availability are defined within the Federal Information Security Management Act 2002. This act establishes policies and guidelines for federal agencies to ensure the security of their information and information systems. It outlines the requirements for protecting the confidentiality, integrity, and availability of sensitive information and provides a framework for managing information security risks.

  • 17. In the image below the data within column A is called
    • A. Qualitative Values
    • B. Quantitative Values
    • C. Semi-Quantitative Values
    • D. Semi Qualitative Values
    Correct Answer
    A. Qualitative Values
    Explanation
    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

  • 18. Where would you find the privacy controls in 800-53?
    • A. Appendix G
    • B. Appendix H
    • C. Appendix I
    • D. Appendix J
    Correct Answer
    D. Appendix J
    Explanation
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

  • 19. Basic Testing is also known as
    • A. Black Box testing
    • B. White box testing
    • C. Red box testing
    • D. Grey box testing
    Correct Answer
    A. Black Box testing
    Explanation
    Black Box testing refers to a software testing technique where the internal structure, design, and implementation of the system being tested are not known to the tester. The tester focuses on the inputs and outputs of the system, without any knowledge of its internal workings. This type of testing is often used to validate the functionality and behavior of the system from an end-user perspective. Therefore, Basic Testing is also known as Black Box testing.

  • 20. The senior organizational official with overall organization-wide responsibility for information privacy issues.
    • A. CIO
    • B. SOAP
    • C. CEO
    • D. SISO
    Correct Answer
    B. SOAP
  • 21. Examples of PII Data can include. (Select all that apply)
    • A. Name, such as full name, maiden name, mother's maiden name, or alias
    • B. Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number
    • C. Address information, such as street address or email address
    • D. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
    • E. Telephone numbers, including mobile, business, and personal numbers
    Correct Answer(s)
    A. Name, such as full name, maiden name, mother's maiden name, or alias
    B. Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number
    C. Address information, such as street address or email address
    D. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
    E. Telephone numbers, including mobile, business, and personal numbers
    Explanation
    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

  • 22. OMB Memorandum 02-01 (Guidance for Preparing and Submitting Security Plans of Action and Milestones) is used for which part of the RMF Step and Task?
    • A. Step 1 Task 4
    • B. Step 4 Task 1
    • C. Step 5 Task 1
    • D. Step 3 Task 3
    Correct Answer
    C. Step 5 Task 1
  • 23. Fabian is doing an assessment. Select the correct POTENTIAL ASSESSMENT METHODS AND OBJECTS for IR-6(2) INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS: "Organizational processes for incident reporting; automated mechanisms supporting and/or implementing reporting of vulnerabilities associated with security incidents]." Match the assessment above with the selection below.
    • A. Examine
    • B. Interview
    • C. Test
    • D. Interrogate
    • E. Assess
    Correct Answer
    C. Test
    Explanation
    The correct answer is "Test" because in order to assess the organizational processes for incident reporting and the automated mechanisms, it is necessary to conduct tests to evaluate their effectiveness and functionality. Testing can help identify any vulnerabilities or weaknesses in the systems and processes being used for incident reporting, and provide valuable insights for improvement.

  • 24. The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner or common control provider, and other organizational officials, as appropriate. The authorization decision document contains the following information: (Check all that apply)
    • A. Authorization decision
    • B. Terms and conditions for the authorization
    • C. Authorization termination date
    • D. The AODR signature
    Correct Answer(s)
    A. Authorization decision
    B. Terms and conditions for the authorization
    C. Authorization termination date
    Explanation
    800-37

  • 25. 800-37 TASK 1-2 includes (best answer)
    • A. Describe the information system
    • B. Describe the information system (including the system boundary)
    • C. Describe the information system (including system boundary) and document the description in the security plan.
    • D. Categorize
    Correct Answer
    C. Describe the information system (including system boundary) and document the description in the security plan.
    Explanation
    The correct answer is "Describe the information system (including system boundary) and document the description in the security plan." This answer is the best because it covers both aspects of the task: describing the information system and its boundary, and documenting this description in the security plan. This ensures that all relevant information about the system is captured and documented for future reference and security purposes.

  • 26. There are five phases in the SDLC including (Select all that apply)
    • A. Planning
    • B. Configuration
    • C. Termination
    • D. Initiation
    • E. Development and acquisition
    • F. Implementation
    • G. Operation and maintenance
    • H. Disposal
    Correct Answer(s)
    D. Initiation
    E. Development and acquisition
    F. Implementation
    G. Operation and maintenance
    H. Disposal
    Explanation
    800-37 Appendix H

  • 27. Organizations may define event-driven triggers (i.e., indicators and/or prompts that cause a pre-defined organizational reaction) for both ongoing authorization and reauthorization. Event-driven triggers include, but are not limited to: (Select all that apply)
    • A. New threat/vulnerability/impact information
    • B. An increased number of findings, weaknesses, and/or deficiencies from the continuous monitoring program
    • C. New missions/business requirements
    • D. A change in the Authorizing Official
    • E. A significant change in risk assessment findings
    • F. Significant changes to the information system, common controls, or the environment of operation
    • G. Organizational thresholds being exceeded.
    Correct Answer(s)
    A. New threat/vulnerability/impact information
    B. An increased number of findings, weaknesses, and/or deficiencies from the continuous monitoring program
    C. New missions/business requirements
    D. A change in the Authorizing Official
    E. A significant change in risk assessment findings
    F. Significant changes to the information system, common controls, or the environment of operation
    G. Organizational thresholds being exceeded.
    Explanation
    Organizations may define event-driven triggers for both ongoing authorization and reauthorization. These triggers can include new threat/vulnerability/impact information; an increased number of findings, weaknesses, and/or deficiencies from the continuous monitoring program; new missions/business requirements; a change in the Authorizing Official; a significant change in risk assessment findings; significant changes to the information system, common controls, or the environment of operation; and organizational thresholds being exceeded. These triggers serve as indicators or prompts that cause a pre-defined organizational reaction, ensuring that the authorization and reauthorization processes are aligned with any changes or developments within the organization or its environment.

  • 28. NIST initiated the Security Content Automation Protocol (SCAP) project that supports the approach for achieving consistent, cost-effective security control assessments. The primary purpose of SCAP is to
    • A. Standardize the format and nomenclature used for communicating information about configurations and security flaws.
    • B. Do vulnerability scans
    • C. Do STIG checks
    • D. Do SCA Automation checking
    Correct Answer
    A. Standardize the format and nomenclature used for communicating information about configurations and security flaws.
    Explanation
    800-53a

  • 29. Regardless of the task ordering, the last step before an information system is placed into operation is
    • A. Remediation
    • B. SAP
    • C. SAR
    • D. Authorize
    Correct Answer
    A. Remediation
    Explanation
    Remediation is the correct answer because it refers to the process of resolving any issues or problems identified in the information system before it is put into operation. This step ensures that the system is functioning properly and any potential risks or vulnerabilities have been addressed. It is the final step in the implementation process before the system is authorized and made available for use.

Quiz Review Timeline


  • Current Version: Nov 16, 2023, quiz edited by ProProfs Editorial Team
  • Jan 16, 2020, quiz created by Johnmears