Risk Management Framework Questions!

By Johnmears, Community Contributor | Quizzes Created: 1 | Attempts: 675 | Questions: 30
1. There are two types of authorization decisions that can be rendered by authorizing officials:  (800-37r1)

Explanation

See NIST SP 800-37r1, Appendix F: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf. The two decisions are (i) authorization to operate, which is issued with terms and conditions and an authorization termination date, and (ii) denial of authorization to operate, issued when the risk is unacceptable; a system already in operation that receives a denial is halted until the weaknesses are corrected.

About This Quiz
Explore the Risk Management Framework through targeted questions! Assess your understanding of security assessment, system authorization, and the roles involved in the RMF process. Key for professionals aiming to enhance their knowledge in system security and compliance.

2. In the image below the data within column A is called

Explanation

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

3. FMT Auto has added a Digital Display Unit to a vehicle. They will not be using any antivirus software on the system because it is a standalone system and the AV software would take too much computing power. The AO is OK with leaving the AV software off the system. Under NIST SP 800-39 STEP 3: RISK RESPONSE, this would be considered:

Explanation

Risk acceptance. SP 800-39 lists five risk response courses of action: acceptance, avoidance, mitigation, sharing and transfer. Leaving the AV software off for performance reasons, with the AO knowingly agreeing to operate with that residual risk, is acceptance; the decision and its rationale should be recorded (for example in the security plan or a risk acceptance memo) so it is revisited during continuous monitoring. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

4. NIST initiated the Security Content Automation Protocol (SCAP) project that supports the approach for achieving consistent, cost-effective security control assessments. The primary purpose of SCAP is to

Explanation

SP 800-53A: "The primary purpose of SCAP is to improve the automated application, verification, and reporting of commercial information technology product-specific security configuration settings, thereby reducing vulnerabilities when products are not configured properly." In practice an SCAP-validated scanner evaluates checklist content (XCCDF benchmarks with OVAL checks) against hosts and reports pass/fail per configuration item, which is what makes the configuration portion of a control assessment repeatable.

5. DSA Ross is disposing of a computer classified SECRET. The hard drive on this system will not be reused. Using NIST SP 800-88, "Guidelines for Media Sanitization", which sanitization type should be used for this system?

Explanation

The correct answer is "Destroy". SP 800-88r1 defines three sanitization types, clear, purge and destroy, and its decision flow routes media that holds the most sensitive data and will not be reused to Destroy: techniques such as shredding, disintegration, pulverizing, melting or incineration render the drive unusable and the data unrecoverable, whereas clearing and purging are chosen when the media will be reused. Note that 800-88 is written for unclassified media; sanitization of classified media such as this SECRET drive is governed by NSA/CSS policy, which likewise requires physical destruction on disposal.

6. Sona is a SharePoint administrator on a server whose data availability impact is classified as high. For redundancy in case of a hardware failure, they should be using a:

Explanation

A mirrored site. SP 800-34r1 describes alternate sites in increasing order of readiness and cost: cold, warm, hot, mobile and mirrored. A mirrored site is a fully redundant facility with automated real-time information mirroring, identical to the primary site in all technical respects, so it can take over a failed server with effectively no data loss or downtime, which is what a high availability impact level calls for.

7. The test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object is called:

Explanation

Focused testing, also known as gray box testing. SP 800-53A r4 Appendix D defines three testing depths: basic (black box, no knowledge of internals), focused (gray box, some knowledge) and comprehensive (white box, full knowledge). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

8. Systems that store, communicate, or process trade secrets will generally be assigned at least a _____ confidentiality impact level.

Explanation

Moderate. SP 800-60 Vol. I states that systems that store, communicate, or process trade secrets will generally be assigned at least a moderate confidentiality impact level. The provisional levels from Vol. II are only the starting point; they are adjusted for the specific system, and this floor is one of the adjustments that may raise but never lower the result. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
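
As an added example (not from the quiz or from any NIST publication), the following Python computes a system's FIPS 199 security category from the provisional impact levels of each information type it handles, applies the SP 800-60 "at least moderate" confidentiality floor for trade secrets, and then takes the high-water mark across all types for each security objective. The InfoType structure, the trade_secret flag and the sample information types are assumptions constructed for the illustration.

```python
"""FIPS 199 / SP 800-60 security categorization with the high-water mark (added example)."""
from dataclasses import dataclass

LEVEL = {"low": 1, "moderate": 2, "high": 3}
NAME = {v: k for k, v in LEVEL.items()}


@dataclass
class InfoType:
    """One information type with its provisional impact levels (SP 800-60 Vol. II style).

    The trade_secret flag is an assumption of this example; it marks types for which
    SP 800-60 Vol. I requires at least a moderate confidentiality level.
    """
    name: str
    confidentiality: str
    integrity: str
    availability: str
    trade_secret: bool = False


def adjust(info):
    """Apply documented adjustments to the provisional levels; only the trade-secret floor is modelled."""
    c = LEVEL[info.confidentiality]
    if info.trade_secret:
        c = max(c, LEVEL["moderate"])  # floor: never below moderate for trade secrets
    return {"confidentiality": c,
            "integrity": LEVEL[info.integrity],
            "availability": LEVEL[info.availability]}


def categorize(info_types):
    """System category = high-water mark of every type's adjusted level, per objective (FIPS 199)."""
    hwm = {"confidentiality": LEVEL["low"], "integrity": LEVEL["low"], "availability": LEVEL["low"]}
    for info in info_types:
        for objective, level in adjust(info).items():
            hwm[objective] = max(hwm[objective], level)
    category = {objective: NAME[level] for objective, level in hwm.items()}
    category["overall"] = NAME[max(hwm.values())]  # FIPS 200: overall impact = highest objective
    return category


def sc_notation(category):
    """Render the category in FIPS 199 notation."""
    return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
            % tuple(category[k].upper() for k in ("confidentiality", "integrity", "availability")))


# Constructed sample system: a public product catalogue plus an R&D formula store.
SAMPLE = [
    InfoType("public catalogue", "low", "moderate", "low"),
    InfoType("R&D formulas", "low", "low", "low", trade_secret=True),
]

if __name__ == "__main__":
    result = categorize(SAMPLE)
    print(result)
    print(sc_notation(result))
```

The catalogue drives integrity to moderate, the trade-secret floor lifts confidentiality from the provisional low to moderate, and availability stays low, so the system as a whole is a moderate-impact system even though no single provisional level was moderate for confidentiality.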

9. 800-37 TASK 1-2 includes (best answer)

Explanation

The correct answer is "Describe the information system (including system boundary) and document the description in the security plan." That is the text of 800-37r1 Task 1-2 (Information System Description); it is the best answer because it covers both halves of the task, the description with its boundary and its documentation in the security plan. Task 1-1 is security categorization and Task 1-3 is information system registration.

10. The authorization package contains the following documents:

Explanation

The correct answer is "Security plan, Security assessment report, and Plan of action and milestones." 800-37r1 Tasks 5-1 and 5-2 assemble these three into the authorization package: the security plan describes the system, its boundary and the selected controls; the security assessment report records the assessor's findings on whether the controls are effective; and the plan of action and milestones schedules the remediation of open weaknesses with responsible parties and dates. The MOR listed among the choices is not part of the authorization package.

11. FISMA requires the Office of Management and Budget (OMB) to define a major incident and directs agencies to report major incidents to Congress within _______of identification.

Explanation

Seven days. FISMA 2014 directs OMB to define "major incident" and requires agencies to report major incidents to Congress within seven days of identification (separate from the one-hour notification to US-CERT for incidents generally). See the US-CERT incident notification guidelines: https://www.us-cert.gov/incident-notification-guidelines

12. Examples of PII data include: (Select all that apply)

Explanation

SP 800-122 Section 2.1 gives examples: name; personal identification numbers such as SSN, passport number, driver's license number, taxpayer identification number, patient identification number and financial account or credit card number; address information (street or e-mail); asset identifiers such as IP or MAC address when linkable to a person; telephone numbers; personal characteristics such as photographs, fingerprints and other biometrics; identifiers of personally owned property (VIN, title number); and information linked or linkable to an individual such as date or place of birth, religion, weight, activities, and medical, education, financial or employment information. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

13. Mr. Harris, acting AODR, has just approved the Security Plan. What step is next?

Explanation

Step 3, Implement. Security plan approval is Task 2-4, the last task of Step 2 (Select), and the AODR (authorizing official designated representative) may approve the plan on the AO's behalf. The next task is 3-1, implement the security controls specified in the approved plan, followed by 3-2, document the implementation details in the security plan so the assessor in Step 4 knows what to assess.

14. The legal definitions for Confidentiality, Integrity and Availability are defined within

Explanation

The legal definitions are in the Federal Information Security Management Act of 2002 (44 U.S.C. § 3542): integrity means guarding against improper information modification or destruction, including ensuring non-repudiation and authenticity; confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; availability means ensuring timely and reliable access to and use of information. FIPS 199 restates these statutory definitions when it defines the impact levels for each objective.

15. _______ backup stores files that were created or modified since the last full backup.

Explanation

Differential. SP 800-34r1 distinguishes full backups (everything), incremental backups (files created or modified since the last backup of any type) and differential backups (files created or modified since the last full backup). A differential restore therefore needs only the last full backup plus the latest differential, while an incremental restore needs the last full backup plus every incremental taken since it, in order. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
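
To make the distinction concrete, here is an added Python example (not part of the quiz or of SP 800-34) that models a small file version history, derives what a full, a differential and an incremental job would each capture on successive days, and shows why restoring from incrementals needs every link in the chain. The file paths, timestamps and the HISTORY table are constructed sample data.

```python
"""Differential vs. incremental backup selection and restore (added example)."""

# Constructed version history: path -> modification time of each saved version.
HISTORY = {
    "etc/app.conf":   [50],        # never changes after the full backup
    "data/orders.db": [80, 150],   # changed on day 1
    "logs/app.log":   [90, 250],   # changed on day 2
    "data/new.csv":   [260],       # created on day 2
}
T_FULL, T_DAY1, T_DAY2 = 100, 200, 300   # when each backup job runs


def state_at(t):
    """Directory contents at time t: newest version of each file that existed by then."""
    return {path: max(v for v in versions if v <= t)
            for path, versions in HISTORY.items() if any(v <= t for v in versions)}


def changed_since(t, since):
    """Files whose newest version at time t is newer than `since`."""
    return {path: mtime for path, mtime in state_at(t).items() if mtime > since}


def full_backup(t):
    return state_at(t)


def differential_backup(t, last_full):
    """Differential: everything created or modified since the last FULL backup."""
    return changed_since(t, last_full)


def incremental_backup(t, last_backup):
    """Incremental: everything created or modified since the last backup of ANY kind."""
    return changed_since(t, last_backup)


def restore(*layers):
    """Apply backup layers in order; a later layer overwrites the same path from an earlier one."""
    result = {}
    for layer in layers:
        result.update(layer)
    return result


def demo():
    full = full_backup(T_FULL)
    diff2 = differential_backup(T_DAY2, T_FULL)          # grows every day until the next full
    inc1 = incremental_backup(T_DAY1, T_FULL)            # day-1 changes only
    inc2 = incremental_backup(T_DAY2, T_DAY1)            # day-2 changes only
    return {
        "differential_day2": diff2,
        "incremental_day2": inc2,
        "restore_differential": restore(full, diff2),      # full + latest differential
        "restore_incremental": restore(full, inc1, inc2),  # full + every incremental, in order
        "restore_missing_inc1": restore(full, inc2),       # broken chain: orders.db comes back stale
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The day-2 differential holds three files because it reaches back to the full backup, the day-2 incremental holds only the two files touched that day, and both chains rebuild the same day-2 state; dropping the day-1 incremental silently restores the old copy of orders.db, which is the operational reason differentials are simpler to restore even though they consume more space.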

16. OMB Memorandum 02-01 (Guidance for Preparing and Submitting Security Plans of Action and Milestones) is used for which RMF Step and Task?

Explanation

RMF Step 5 (Authorize), Task 5-1, Plan of Action and Milestones. 800-37r1 lists OMB M-02-01 among the references for that task: the POA&M is prepared from the findings of the security assessment report, excluding weaknesses already remediated, and records the planned actions, resources and milestones for each remaining weakness.

17. Where would you find the privacy controls in 800-53?

Explanation

Appendix J of SP 800-53 Revision 4 (Privacy Control Catalog), organized into the families AP, AR, DI, DM, IP, SE, TR and UL; the security control families are in Appendix F. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

18. The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner or common control provider, and other organizational officials, as appropriate. The authorization decision document contains the following information: (Check all that apply)

Explanation

Per 800-37r1 Task 5-4 (Authorization Decision), the document contains: (i) the authorization decision; (ii) the terms and conditions for the authorization; and (iii) the authorization termination date. It is attached to the original authorization package and transmitted to the information system owner or common control provider.

19. The senior organizational official with overall organization-wide responsibility for information privacy issues.

Explanation

The Senior Agency Official for Privacy (SAOP), in some organizations titled Chief Privacy Officer. The SP 800-53r4 glossary defines the SAOP as the senior organizational official with overall organization-wide responsibility for information privacy issues.

20. Basic Testing is also known as

Explanation

Black box testing. SP 800-53A r4 Appendix D defines basic testing as a test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object, "also known as black box testing": the tester works only from inputs and observed outputs, as an external attacker would. Focused testing (gray box) assumes some knowledge of the internals and comprehensive testing (white box) assumes full knowledge.

21. The Security Control Assessor has just completed the Security Assessment Report.  What is the next STEP? [800-37r1]

Explanation

See NIST SP 800-37r1, Appendix E (Summary of RMF Tasks). Task 4-3 (Security Assessment Report) is followed within Step 4 by Task 4-4, Remediation Actions, in which the system owner addresses the findings and the assessor reassesses the remediated controls and updates the report; the next RMF step after that is Step 5, Authorize.

22. During Step 4 of the RMF process, which primary role has most of the responsibilities?

Explanation

The Security Control Assessor (SCA). In 800-37r1 Appendix E the SCA holds primary responsibility for Task 4-2 (Security Control Assessment) and Task 4-3 (Security Assessment Report) and shares responsibility for assessment preparation and remediation: the SCA develops and executes the assessment plan and reports whether each control is implemented correctly, operating as intended and producing the desired outcome. The assessor's independence from the system owner is what gives the AO an objective basis for the risk decision.

23. Organizations may define event-driven triggers (i.e., indicators and/or prompts that cause a pre-defined organizational reaction) for both ongoing authorization and reauthorization. Event-driven triggers include, but are not limited to: (Select all that apply)

Explanation

Per 800-37r1 Appendix F, event-driven triggers include: new threat, vulnerability or impact information; an increased number of findings, weaknesses or deficiencies from the continuous monitoring program; new missions or business requirements; a change in the authorizing official; a significant change in risk assessment findings; significant changes to the information system, common controls or the environment of operation; and organizational thresholds being exceeded. Each trigger causes a pre-defined reaction, typically a targeted reassessment or a full reauthorization, so that the authorization keeps pace with changes in the system and its environment.

24. A school has a website with a phone directory of employees' names and work phone numbers so that members of the public can contact them directly. In this case, the PII confidentiality impact level would be ____

Explanation

Low. SP 800-122 uses this scenario to illustrate context of use: the directory exists precisely so the public can reach staff, the data is already public, and its disclosure would cause no harm, so the confidentiality impact level is low. The same name-and-phone-number fields in a different context (for example a list of staff who reported misconduct) would rate higher. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

25. Sonny, the ISSO, wants to send a document that is used for National Security System determination. Which document has he sent?

Explanation

NIST SP 800-59, Guideline for Identifying an Information System as a National Security System. It contains the checklist used to make the NSS determination under FISMA; systems determined to be NSS then follow CNSS instructions (for example CNSSI 1253 for categorization and control selection) rather than FIPS 199 and FIPS 200.

26. Fabian is doing an assessment. Select the correct POTENTIAL ASSESSMENT METHODS AND OBJECTS for IR-6(2) INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS: "Organizational processes for incident reporting; automated mechanisms supporting and/or implementing reporting of vulnerabilities associated with security incidents." Match the assessment object list above with the selection below.

Explanation

The correct answer is "Test". SP 800-53A groups potential assessment objects by method: Examine applies to specifications and documentation (policies, procedures, plans, records), Interview applies to personnel (incident response staff, system administrators), and Test applies to activities and mechanisms (organizational processes and the automated mechanisms that implement them). The quoted list, "organizational processes for incident reporting; automated mechanisms supporting and/or implementing reporting of vulnerabilities associated with security incidents", is the Test entry for IR-6(2), so the assessor exercises the reporting process and mechanism and compares the observed behaviour with the expected behaviour.

27. Fabian has just been appointed to the position of the Security Control Assessor.  He downloaded and read NIST Special Publication 800-30 Guide for Conducting Risk Assessments.  What is the last step of that process?

Explanation

Maintain. SP 800-30r1 describes a four-step process: prepare for the assessment, conduct the assessment, communicate and share the results, and maintain the assessment. Maintaining means monitoring the risk factors identified in the assessment (threat sources and events, vulnerabilities, likelihoods, impacts) and updating the assessment when they change, so the results stay current as input to risk response decisions and to the continuous monitoring program.

28. Regardless of the task ordering, the last step before an information system is placed into operation is 

Explanation

Remediation is the correct answer. 800-37r1 Task 4-4 resolves the weaknesses and deficiencies recorded in the security assessment report: the system owner corrects what can be fixed, the security plan is updated to reflect the implemented state, and the assessor reassesses the remediated controls and updates the report. The updated plan and report, with a plan of action and milestones for anything left open, form the package on which the authorizing official decides whether the system may operate.

29. There are five phases in the SDLC including (Select all that apply)

Explanation

800-37 Appendix H. 800-37r1 describes a generic SDLC with five phases: initiation, development/acquisition, implementation, operation/maintenance, and disposal (SP 800-64r2 names the third phase implementation/assessment). The RMF tasks are meant to be carried out within these phases, for example categorization during initiation and assessment before operation, rather than as a separate process bolted on at the end.

30. Match the following

Explanation

https://csrc.nist.gov/publications/sp800

Quiz Review Timeline (Updated): Nov 16, 2023


  • Nov 16, 2023: quiz edited by ProProfs Editorial Team
  • Jan 16, 2020: quiz created by Johnmears