Question.1 Which of the following is NOT typically included in the system registration process in the NIST RMF? (A) System identification information, such as the system name and owner (B) The security categorization of the system (C) Organizational policy on system registration (D) The selection and implementation of security controls for the system
Answer: D
Question.2 What are the objectives of the Prepare step in the NIST RMF framework? (A) Facilitating better communication between senior leaders and executives at the organization and mission and business process levels and system owners (B) Facilitating organization-wide identification of common controls and the development of organizationally tailored control baselines, reducing the workload on individual system owners and the cost of system development and asset protection (C) Reducing the complexity of the information technology and operations technology infrastructure using enterprise architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services (D) Ensuring that the implemented security controls continue to provide the intended level of protection for the information system and its data throughout the system’s lifecycle (E) Identifying, prioritizing, and focusing resources on the organization’s high-value assets and high-impact systems that require increased levels of protection and taking steps commensurate with the risk to such assets
Answer: A,B,C,E
Question.3 Which of the following is NOT a best practice for implementing security controls according to NIST SP 800-53? (A) Implementing security controls in a phased approach (B) Providing security awareness training to personnel (C) Using automated tools to monitor security controls (D) Implementing only those security controls that are required by regulation or policy
Answer: D
Question.4 Which of the following tasks are included in the Categorize step of the NIST RMF process? (Select all that apply.) (A) Defining the system’s operational context and environment (B) Identifying and documenting the system’s hardware and software components (C) Evaluating the potential impact of a system security breach (D) Selecting and implementing appropriate security controls for the system (E) Determining the system’s risk tolerance and security categorization
Answer: B,E
Question.5 Ratio Corp is in the process of selecting security controls for a new information system. Which of the following is NOT a valid control selection method according to NIST guidelines? (A) Using a risk-based approach to determine the appropriate controls (B) Selecting controls based solely on cost-effectiveness (C) Implementing controls that are required by law, regulation, or policy (D) Adopting controls that are consistent with industry standards and best practices
Answer: B