Question 11. Ultimately, organizations should view assessment as an information gathering activity, not as a security producing activity. In accordance with NIST SP 800-53A, which of the following is not produced during security control assessments?
(A) Identify potential problems or shortfalls in the organization’s implementation of the NIST Risk Management Framework
(B) Support budgetary decisions and the capital investment process
(C) Correct identified weaknesses and deficiencies
(D) Support information system authorization decisions
Correct Answer: D, Support budgetary decisions and the capital investment process
Question 12. Which of the following is an objective of the System Characterization step under SP 800-30?
a. Establish Data and Information Sensitivity Level
b. Establish Threat and Vulnerability Matrix
c. Establish System Control Framework
d. Establish System Testing Procedures
Correct Answer: A, Establish Data and Information Sensitivity Level
Question 13. In accordance with NIST SP 800-53A, during which phase of the NIST SP 800-64 System Development Lifecycle are security assessments used to increase confidence or assurance that the security controls are working correctly for a system?
(A) Operation/Maintenance
(B) Validation/Assessment
(C) Implementation/Assessment
(D) Development/Acquisition
Correct Answer: D, Development/Acquisition
Question 14. Which of these are valid ways to mitigate risk?
(A) Research and Acknowledgement
(B) Conduct Risk Assessment
(C) Evaluation and Assurance
(D) Proper FISMA reporting
Correct Answer: (A) Research and Acknowledgement
Question 15. Organizations are encouraged to develop a broad-based, organization-wide strategy for conducting security assessments, facilitating more cost-effective and consistent assessments across the inventory of information systems. Which of the following is FALSE when considering how to accomplish this objective?
(A) An organization-wide strategy begins by applying the initial steps of the Risk Management Framework
(B) With an organizational view of the security categorization process
(C) Maximizing the number of common controls employed within an organization
(D) The Risk Management Framework cannot be used on multiple systems
Correct Answer: (D) The Risk Management Framework cannot be used on multiple systems
Question 16. OMB Circular A-130 states information security must be:
(A) Risk Based-Cost Effective
(B) Reduce risk to acceptable levels as determined by the System Owner
(C) Eliminate risk
(D) Reduce risk to negligible levels
Correct Answer: (A) Risk Based-Cost Effective
Question 17. In accordance with Public Law 107-347, Executive Agencies must:
(A) Use NIACAP for C&A of National Security Systems
(B) Ensure security controls reduce risk
(C) Authorize system processing prior to operation
(D) Authorize systems each year to meet SP 800-37 Rev 1 Standards
Correct Answer: (C) Authorize system processing prior to operation
Question 18. Adequate Security is:
(A) Based on the maximum harm to information
(B) Commensurate with risk
(C) Required by law regardless of cost
(D) Cost effective, based on projected budgets
Correct Answer: (B) Commensurate with risk
Question 19. In the Risk Management Framework as described in NIST SP 800-37 Rev 1, which task follows the task called “Information System Description”?
(A) Information System Registration
(B) Security Categorization
(C) Security Control Selection
(D) Security Control Implementation
Correct Answer: (A) Information System Registration
Question 20. Which role has PRIMARY responsibility for ongoing remediation actions?
(A) Security Control Assessor
(B) Information System Security Officer
(C) Authorizing Official
(D) Information System Owner
Correct Answer: (D) Information System Owner