Risk Management Framework Questions!

1. There are two types of authorization decisions that can be rendered by authorizing officials: (800-37r1)

IATT and IATO

Authorization to operate; and Denial of authorization to operate.

ATO and IATT

ATO and ATO with conditions

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf Appendix F

Explanation

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf Appendix F

2. In the image below the data within column A is called

Qualitative Values

Quantitative Values

Semi-Quantitative Values

Semi Qualitative Values

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Explanation

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

3. FMT Auto has added a Digital Display Unit to a vehicle, they will not be using any antivirus software on the system because its a standalone system and the AV software would take too much computing power. The AO is ok with leaving the AV software off the system. The STEP 3: RISK RESPONSE for NIST 800-39 would be considered as:

Risk Avoidance

Risk Mitigation

Risk Acceptance

Risk Sharing or Transfer

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

Explanation

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

4. NIST initiated the Security Content Automation Protocol (SCAP) project that supports the approach for achieving consistent, cost-effective security control assessments. The primary purpose of SCAP is to

Standardize the format and nomenclature used for communicating information about configurations and security flaws.

Do vulnerability scans

Do STIG checks

Do SCA Automation checking

800-53a

Explanation

800-53a

5. DSA Ross is disposing of a computer with a CLASSIFICATION of SECRET. The hard drive on this system will not be reused. Using NIST 800-88 Which sanitization type should be used for this system. "Guidelines for Media Sanitization "

Disposal

Clearing

Purging

Destroying

The correct answer is "Destroying" because when disposing of a computer with a classification of SECRET, it is necessary to completely destroy the hard drive to ensure that no sensitive information can be recovered. Destroying the hard drive ensures that the data cannot be accessed or reconstructed in any way, providing a higher level of security compared to other sanitization methods such as clearing or purging.

Explanation

The correct answer is "Destroying" because when disposing of a computer with a classification of SECRET, it is necessary to completely destroy the hard drive to ensure that no sensitive information can be recovered. Destroying the hard drive ensures that the data cannot be accessed or reconstructed in any way, providing a higher level of security compared to other sanitization methods such as clearing or purging.

6. Sona is a SharePoint Administrator on a server with data availability impact classified as high, in case there is a hardware issue for redundancy they should be using a:

Hot Site

Cold site

Mobile Site

Mirrored Site

A mirrored site would be the appropriate choice for Sona as a SharePoint Administrator on a server with high data availability impact. A mirrored site is a complete replica of the primary site that is continuously updated in real-time. This ensures that in case of a hardware issue or any other failure, the mirrored site can seamlessly take over and provide uninterrupted access to the data and services. This level of redundancy and synchronization makes it an ideal solution for high availability scenarios.

Explanation

A mirrored site would be the appropriate choice for Sona as a SharePoint Administrator on a server with high data availability impact. A mirrored site is a complete replica of the primary site that is continuously updated in real-time. This ensures that in case of a hardware issue or any other failure, the mirrored site can seamlessly take over and provide uninterrupted access to the data and services. This level of redundancy and synchronization makes it an ideal solution for high availability scenarios.

7. Test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object

Black box

White box

Grey box

Comprehensive

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

Explanation

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

8. Systems that store, communicate, or process trade secrets will generally be assigned at least a _____ confidentiality impact level.

Moderate

Low

Medium

High

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf

Explanation

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf

9. 800-37 TASK 1-2 includes (best answer)

Describe the information system

Describe the information system (including the system boundary)

Describe the information system (including system boundary) and document the description in the security plan.

Categorize

The correct answer is "Describe the information system (including system boundary) and document the description in the security plan." This answer is the best because it covers both aspects of the task - describing the information system and its boundary, and documenting this description in the security plan. This ensures that all relevant information about the system is captured and documented for future reference and security purposes.

Explanation

The correct answer is "Describe the information system (including system boundary) and document the description in the security plan." This answer is the best because it covers both aspects of the task - describing the information system and its boundary, and documenting this description in the security plan. This ensures that all relevant information about the system is captured and documented for future reference and security purposes.

10. The authorization package contains the following documents:

Security plan;

Security assessment report; and

Plan of action and milestones.

MOR, memorandum on record for your recomendation

The correct answer is "Security plan, Security assessment report, and Plan of action and milestones." This is because these three documents are included in the authorization package. The Security plan outlines the security measures and protocols to be implemented. The Security assessment report evaluates the effectiveness of the current security measures. The Plan of action and milestones outlines the steps and timeline for addressing any identified security vulnerabilities. The MOR mentioned in the question is not listed as part of the authorization package.

Explanation

The correct answer is "Security plan, Security assessment report, and Plan of action and milestones." This is because these three documents are included in the authorization package. The Security plan outlines the security measures and protocols to be implemented. The Security assessment report evaluates the effectiveness of the current security measures. The Plan of action and milestones outlines the steps and timeline for addressing any identified security vulnerabilities. The MOR mentioned in the question is not listed as part of the authorization package.

Submit

11. FISMA requires the Office of Management and Budget (OMB) to define a major incident and directs agencies to report major incidents to Congress within _______of identification.

30 days

7 days

90 days

4 hours

24 hours

https://www.us-cert.gov/incident-notification-guidelines

Explanation

https://www.us-cert.gov/incident-notification-guidelines

12. Examples of PII Data can include. (Select all that apply)

Name, such as full name, maiden name, mother‘s maiden name, or alias

Address information, such as street address or email address

Telephone numbers, including mobile, business, and personal numbers

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

Explanation

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

Submit

13. Mr. Harris, acting AODR, has just approved the Security Plan. What step is next.

Categorize

Implement

Asses the controls

Continuous Monitoring

After Mr. Harris, acting AODR, has approved the Security Plan, the next step is to implement the plan. This involves putting the plan into action and carrying out the necessary measures and procedures outlined in the plan to ensure the security of the system or organization. Implementing the plan is crucial to effectively address any identified risks and vulnerabilities and to ensure the proper functioning of the security controls.

Explanation

After Mr. Harris, acting AODR, has approved the Security Plan, the next step is to implement the plan. This involves putting the plan into action and carrying out the necessary measures and procedures outlined in the plan to ensure the security of the system or organization. Implementing the plan is crucial to effectively address any identified risks and vulnerabilities and to ensure the proper functioning of the security controls.

14. The legal definitions for Confidentiality, Integrity and Availability are defined within

Wikipedia

Federal Information Security Management Act 2002

Federal Information Security Management Act 2012

Federal Information Security Modernization Act 2002

Federal Information Security Modernization Act 2012

The legal definitions for Confidentiality, Integrity and Availability are defined within the Federal Information Security Management Act 2002. This act establishes policies and guidelines for federal agencies to ensure the security of their information and information systems. It outlines the requirements for protecting the confidentiality, integrity, and availability of sensitive information and provides a framework for managing information security risks.

Explanation

The legal definitions for Confidentiality, Integrity and Availability are defined within the Federal Information Security Management Act 2002. This act establishes policies and guidelines for federal agencies to ensure the security of their information and information systems. It outlines the requirements for protecting the confidentiality, integrity, and availability of sensitive information and provides a framework for managing information security risks.

15. _______ backup stores files that were created or modified since the last full backup.

Full

As needed

Incremental

Differential

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf

Explanation

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf

16. OMB Memorandum 02-01 (Guidance for Preparing and Submitting Security Plans of Action and Milestones) is used for which part of the RMF Step and Task ?

Step 1 Task 4

Step 4 Task 1

Step 5 Task 1

Step 3 Task 3

not-available-via-ai

Explanation

not-available-via-ai

17. Where would you find the privacy controls in 800-53

Appendix G

Appendix H

Appendix I

Appendix J

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Explanation

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

18. The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner or common control provider, and other organizational officials, as appropriate. The authorization decision document contains the following information: (Check all that apply)

Authorization decision

Terms and conditions for the authorization

Authorization termination date

The AODR signature

800-37

Explanation

800-37

Submit

19. The senior organizational official with overall organization-wide responsibility for information privacy issues.

CIO

SOAP

CEO

SISO

not-available-via-ai

Explanation

not-available-via-ai

20. Basic Testing is also known as

Black Box testing

White box testing

Red box testing

Grey box testing

Black Box testing refers to a software testing technique where the internal structure, design, and implementation of the system being tested are not known to the tester. The tester focuses on the inputs and outputs of the system, without any knowledge of its internal workings. This type of testing is often used to validate the functionality and behavior of the system from an end-user perspective. Therefore, Basic Testing is also known as Black Box testing.

Explanation

Black Box testing refers to a software testing technique where the internal structure, design, and implementation of the system being tested are not known to the tester. The tester focuses on the inputs and outputs of the system, without any knowledge of its internal workings. This type of testing is often used to validate the functionality and behavior of the system from an end-user perspective. Therefore, Basic Testing is also known as Black Box testing.

21. The Security Control Assessor has just completed the Security Assessment Report. What is the next STEP? [800-37r1]

Authorize the System

Prepare the POA&M

Remediate

Submit the Security Authorization Package

Review the SAR and get the SCA to do his/her job correctly

See NIST SP 800-37, Appendix E

Explanation

See NIST SP 800-37, Appendix E

22. During STEP 4 of the RMF process. Which primary role has most of the responsibilities?

ISSO

ISO

SCA

ISSM

AO

CIO

During STEP 4 of the RMF process, the primary role with the most responsibilities is the Security Control Assessor (SCA). The SCA is responsible for conducting the assessment of the security controls implemented within the system. They review and evaluate the effectiveness of the controls, identify any vulnerabilities or weaknesses, and provide recommendations for improvement. The SCA plays a crucial role in ensuring that the system meets the required security standards and is adequately protected against potential threats and risks.

Explanation

During STEP 4 of the RMF process, the primary role with the most responsibilities is the Security Control Assessor (SCA). The SCA is responsible for conducting the assessment of the security controls implemented within the system. They review and evaluate the effectiveness of the controls, identify any vulnerabilities or weaknesses, and provide recommendations for improvement. The SCA plays a crucial role in ensuring that the system meets the required security standards and is adequately protected against potential threats and risks.

23. Organizations may define event-driven triggers (i.e., indicators and/or prompts that cause a pre-defined organizational reaction) for both ongoing authorization and reauthorization. Event-driven triggers include, but are not limited to: (Select all that apply)

New threat/vulnerability/impact information

An increased number of findings, weaknesses, and/or deficiencies from the continuous monitoring program

New missions/business requirements

A change in the Authorizing Official

A significant change in risk assessment findings

Significant changes to the information system, common controls, or the environment of operation

Organizational thresholds being exceeded.

Organizations may define event-driven triggers for both ongoing authorization and reauthorization. These triggers can include new threat/vulnerability/impact information, an increased number of findings, weaknesses, and/or deficiencies from the continuous monitoring program, new missions/business requirements, a change in the Authorizing Official, a significant change in risk assessment findings, significant changes to the information system, common controls, or the environment of operation, and organizational thresholds being exceeded. These triggers serve as indicators or prompts that cause a pre-defined organizational reaction, ensuring that the authorization and reauthorization processes are aligned with any changes or developments within the organization or its environment.

Explanation

Organizations may define event-driven triggers for both ongoing authorization and reauthorization. These triggers can include new threat/vulnerability/impact information, an increased number of findings, weaknesses, and/or deficiencies from the continuous monitoring program, new missions/business requirements, a change in the Authorizing Official, a significant change in risk assessment findings, significant changes to the information system, common controls, or the environment of operation, and organizational thresholds being exceeded. These triggers serve as indicators or prompts that cause a pre-defined organizational reaction, ensuring that the authorization and reauthorization processes are aligned with any changes or developments within the organization or its environment.

Submit

24. A school has a web with a phone directory of employees' names and work phone numbers so that members of the public can contact them directly.In this case, the PII confidentiality impact level would be ____

Not Applicable

Low

Moderate

Medium

High

Other

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

Explanation

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

25. Sonny, The ISSO, wants to go a document that is for National Security System determination. Which document has he sent ?

800-37

800-59

800-60

800-53

800-50

not-available-via-ai

Explanation

not-available-via-ai

26. Fabian is doing an assessment. Select the correct POTENTIAL ASSESSMENT METHODS AND OBJECTS: for IR-6(2) INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS "Organizational processes for incident reporting; automated mechanisms supporting and/or implementing reporting of vulnerabilities associated with security incidents]." Match the the Assessment above with the selection below.

Examine

Interview

Test

Interrogate

Assess

The correct answer is "Test" because in order to assess the organizational processes for incident reporting and automated mechanisms, it is necessary to conduct tests to evaluate their effectiveness and functionality. Testing can help identify any vulnerabilities or weaknesses in the systems and processes being used for incident reporting, and provide valuable insights for improvement.

Explanation

The correct answer is "Test" because in order to assess the organizational processes for incident reporting and automated mechanisms, it is necessary to conduct tests to evaluate their effectiveness and functionality. Testing can help identify any vulnerabilities or weaknesses in the systems and processes being used for incident reporting, and provide valuable insights for improvement.

27. Fabian has just been appointed to the position of the Security Control Assessor. He downloaded and read NIST Special Publication 800-30 Guide for Conducting Risk Assessments. What is the last step of that process?

Manage

Maintain

Monitor

Modify

After Fabian has conducted the risk assessments, the last step in the process is to maintain. This means that he needs to continuously monitor and update the risk assessment to ensure that it remains accurate and relevant over time. This includes reviewing and revising the assessment as needed, implementing any necessary controls or mitigation strategies, and regularly reassessing the risks to ensure they are effectively managed. By maintaining the risk assessment, Fabian can ensure that the organization's security controls are up to date and aligned with the current threat landscape.

Explanation

After Fabian has conducted the risk assessments, the last step in the process is to maintain. This means that he needs to continuously monitor and update the risk assessment to ensure that it remains accurate and relevant over time. This includes reviewing and revising the assessment as needed, implementing any necessary controls or mitigation strategies, and regularly reassessing the risks to ensure they are effectively managed. By maintaining the risk assessment, Fabian can ensure that the organization's security controls are up to date and aligned with the current threat landscape.

28. Regardless of the task ordering, the last step before an information system is placed into operation is

Remediation

SAP

SAR

Authorize

Remediation is the correct answer because it refers to the process of resolving any issues or problems identified in the information system before it is put into operation. This step ensures that the system is functioning properly and any potential risks or vulnerabilities have been addressed. It is the final step in the implementation process before the system is authorized and made available for use.

Explanation

Remediation is the correct answer because it refers to the process of resolving any issues or problems identified in the information system before it is put into operation. This step ensures that the system is functioning properly and any potential risks or vulnerabilities have been addressed. It is the final step in the implementation process before the system is authorized and made available for use.