Quiz: Risk Management Framework Questions!

30 Questions | By Johnnymears | Updated: Mar 21, 2022 | Attempts: 362

Questions

Settings

Feedback

During the Quiz End of Quiz

Play as

Quiz Flashcard

Create your own Quiz

Quiz: Risk Management Framework Questions! - Quiz

Questions and Answers

1.

The Security Control Assessor has just completed the Security Assessment Report. What is the next STEP? [800-37r1]
- A.
  
  Authorize the System
- B.
  
  Prepare the POA&M
- C.
  
  Remediate
- D.
  
  Submit the Security Authorization Package
- E.
  
  Review the SAR and get the SCA to do his/her job correctly
2.

The authorization package contains the following documents:
- A.
  
  Security plan;
- B.
  
  Security assessment report; and
- C.
  
  Plan of action and milestones.
- D.
  
  MOR, memorandum on record for your recomendation
3.

Mr. Harris, acting AODR, has just approved the Security Plan. What step is next.
- A.
  
  Categorize
- B.
  
  Implement
- C.
  
  Asses the controls
- D.
  
  Continuous Monitoring
4.

Sonny, The ISSO, wants to go a document that is for National Security System determination. Which document has he sent ?
- A.
  
  800-37
- B.
  
  800-59
- C.
  
  800-60
- D.
  
  800-53
- E.
  
  800-50
5.

During STEP 4 of the RMF process. Which primary role has most of the responsibilities?
- A.
  
  ISSO
- B.
  
  ISO
- C.
  
  SCA
- D.
  
  ISSM
- E.
  
  AO
- F.
  
  CIO
6.

There are two types of authorization decisions that can be rendered by authorizing officials: (800-37r1)
- A.
  
  IATT and IATO
- B.
  
  Authorization to operate; and Denial of authorization to operate.
- C.
  
  ATO and IATT
- D.
  
  ATO and ATO with conditions
7.

DSA Ross is disposing of a computer with a CLASSIFICATION of SECRET. The hard drive on this system will not be reused. Using NIST 800-88 Which sanitization type should be used for this system. "Guidelines for Media Sanitization "
- A.
  
  Disposal
- B.
  
  Clearing
- C.
  
  Purging
- D.
  
  Destroying
8.

Sona is a SharePoint Administrator on a server with data availability impact classified as high, in case there is a hardware issue for redundancy they should be using a:
- A.
  
  Hot Site
- B.
  
  Cold site
- C.
  
  Mobile Site
- D.
  
  Mirrored Site
9.

Fabian has just been appointed to the position of the Security Control Assessor. He downloaded and read NIST Special Publication 800-30 Guide for Conducting Risk Assessments. What is the last step of that process?
- A.
  
  Manage
- B.
  
  Maintain
- C.
  
  Monitor
- D.
  
  Modify
10.

FMT Auto has added a Digital Display Unit to a vehicle, they will not be using any antivirus software on the system because its a standalone system and the AV software would take too much computing power. The AO is ok with leaving the AV software off the system. The STEP 3: RISK RESPONSE for NIST 800-39 would be considered as:
- A.
  
  Risk Avoidance
- B.
  
  Risk Mitigation
- C.
  
  Risk Acceptance
- D.
  
  Risk Sharing or Transfer
11.

Test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object
- A.
  
  Black box
- B.
  
  White box
- C.
  
  Grey box
- D.
  
  Comprehensive
12.

A school has a web with a phone directory of employees‘ names and work phone numbers so that members of the public can contact them directly.In this case, the PII confidentiality impact level would be ____
- A.
  
  Not Applicable
- B.
  
  Low
- C.
  
  Moderate
- D.
  
  Medium
- E.
  
  High
- F.
  
  Other
13.

FISMA requires the Office of Management and Budget (OMB) to define a major incident and directs agencies to report major incidents to Congress within _______of identification.
- A.
  
  30 days
- B.
  
  7 days
- C.
  
  90 days
- D.
  
  4 hours
- E.
  
  24 hours
14.

Systems that store, communicate, or process trade secrets will generally be assigned at least a _____ confidentiality impact level.
- A.
  
  Moderate
- B.
  
  Low
- C.
  
  Medium
- D.
  
  High
15.

_______ backup stores files that were created or modified since the last full backup.
- A.
  
  Full
- B.
  
  As needed
- C.
  
  Incremental
- D.
  
  Differential
16.

The legal definitions for Confidentiality, Integrity and Availability are defined within
- A.
  
  Wikipedia
- B.
  
  Federal Information Security Management Act 2002
- C.
  
  Federal Information Security Management Act 2012
- D.
  
  Federal Information Security Modernization Act 2002
- E.
  
  Federal Information Security Modernization Act 2012
17.

In the image below the data within column A is called
- A.
  
  Qualitative Values
- B.
  
  Quantitative Values
- C.
  
  Semi-Quantitative Values
- D.
  
  Semi Qualitative Values
18.

Where would you find the privacy controls in 800-53
- A.
  
  Appendix G
- B.
  
  Appendix H
- C.
  
  Appendix I
- D.
  
  Appendix J
19.

Basic Testing is also known as
- A.
  
  Black Box testing
- B.
  
  White box testing
- C.
  
  Red box testing
- D.
  
  Grey box testing
20.

The senior organizational official with overall organization-wide responsibility for information privacy issues.
- A.
  
  CIO
- B.
  
  SOAP
- C.
  
  CEO
- D.
  
  SISO
21.

Examples of PII Data can include. (Select all that apply)
- A.
  
  Name, such as full name, maiden name, mother‘s maiden name, or alias
- B.
  
  Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, patient identification number, and financial account or credit card number
- C.
  
  Address information, such as street address or email address
- D.
  
  Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, welldefined group of people
- E.
  
  Telephone numbers, including mobile, business, and personal numbers
22.

OMB Memorandum 02-01 (Guidance for Preparing and Submitting Security Plans of Action and Milestones) is used for which part of the RMF Step and Task ?
- A.
  
  Step 1 Task 4
- B.
  
  Step 4 Task 1
- C.
  
  Step 5 Task 1
- D.
  
  Step 3 Task 3
23.

Fabian is doing an assessment. Select the correct POTENTIAL ASSESSMENT METHODS AND OBJECTS: for IR-6(2) INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS "Organizational processes for incident reporting; automated mechanisms supporting and/or implementing reporting of vulnerabilities associated with security incidents]." Match the the Assessment above with the selection below.
- A.
  
  Examine
- B.
  
  Interview
- C.
  
  Test
- D.
  
  Interrogate
- E.
  
  Assess
24.

The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner or common control provider, and other organizational officials, as appropriate. The authorization decision document contains the following information: (Check all that apply)
- A.
  
  Authorization decision
- B.
  
  Terms and conditions for the authorization
- C.
  
  Authorization termination date
- D.
  
  The AODR signature
25.

800-37 TASK 1-2 includes (best answer)
- A.
  
  Describe the information system
- B.
  
  Describe the information system (including the system boundary)
- C.
  
  Describe the information system (including system boundary) and document the description in the security plan.
- D.
  
  Categorize