Completing this exam is mandatory as part of your overall course completion and receiving your certificate. Completing this exam is what is important, even if you do not pass. However, 80% is considered a passing grade. Remember, you can only retake this Exam once. Upon completion, please remember to take a screenshot of your results page and upload it in the final section: COURSE COMPLETION CONFIRMATION UPLOAD. Good luck!
Q5. The Authorization boundary of a system undergoing assessment includes
Q22. When addressing Configuration Management (CM), why is it MOST important to document the proposed changes?
Q38. What can an organization choose to eliminate the authorization termination date?
Q54. Security controls are designed to be technology and implementation
Q71. What factor MUST be analyzed during risk determination activities?
Q86. An organization-wide approach to identifying common controls early in the Risk Management Framework (RMF) process does which of the following?
Q102. A Security Control Assessment (SCA) was completed over two years ago, but the surrounding environment has changed. What, if anything, should the assessment team do with the previous results?
Q118. An organization should consider which elements when selecting an assessment team?
Q135. Certification & Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?
Q6. Which of the following BEST describes a government-wide standard for security Assessment and Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for federal agencies and Cloud Service Providers (CSP)?
Q23. What is a KEY consideration when selecting a media sanitization method of destruction tool when decommissioning an Information System (IS)?
Q39. Which of the following is the principal vehicle used to verify that Information Systems (IS) are meeting their stated security goals and objectives?
Q55. When monitoring controls, changes to the system should be
Q72. The Least Privilege security control is a member of which control family?
Q87. From an organizational viewpoint, what effect does the designation of some security controls as common controls have?
Q103. The Authorizing Official (AO) issues an Authorization decision for an information system after
Q119. What is a consequence of an authorization boundary that is too expansive?
Q136. System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process.
What are the different phases of the System Authorization Plan?
Each correct answer represents a part of the solution. Choose all that apply.
Q7. All Federal agencies are required by law to conduct which of the following activities?
Q24. The potential impact value “not applicable” applies to which of the following security objectives?
Q40. When should a Plan of Action and Milestones (POA&M) be updated?
Q56. Which of the following is a key step in the overall Contingency planning process?
Q73. Which process guides the selection of security controls to ensure adequate security commensurate with the risk of the organization?
Q88. What does a finding of “other than satisfied” reflect in an assessment report?
Q104. When documenting how system-specific and hybrid security controls are implemented, an organization takes into account
Q120. Which of the following are acceptable assessment methods for a control assessment?
Q8. What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy?
Q25. The new Authorizing Official (AO) is reviewing all moderate and high systems to determine whether formal authorization action is needed for any of the systems. Which of the following documents BEST facilitates this process?
Q41. In determining residual risk, an organization considers impact on which of the following?
Q57. Subsystems are considered part of a larger system provided that they are
Q74. Which of the following is an essential element when an organization updates its authorization package documents?
Q89. What is considered when establishing a system authorization boundary?
Q105. Which process must be conducted during security categorization?
Q121. Which security control baseline does not require an independent assessment of security controls, as part of continuous monitoring?
Q9. An organization is developing a risk assessment for a newly installed Information System (IS) to determine the best configuration of a supporting Information Technology (IT) product. Which of the following specific factors is often overlooked in this analysis?
Q26. The baseline configuration of an information system should be consistent with the
Q42. Which of the following MUST be done when a federal Information System (IS) is removed from service?
Q58. Residual risk can be categorized as risk
Q75. When implementing a control on wireless access, the organization MUST do which of the following?
Q90. Which organizational reference can an Information Systems Security Officer (ISSO) use to help prioritize the remediation of a vulnerability found during a weekly vulnerability scan?
Q106. When determining the likelihood of a threat-source exploiting a system vulnerability, one MUST consider which of the following?
Q122. Which process follows the selection of the initial baseline security controls?
Q10. If an assessment of a common control determines that it is not effective, what documentation is required?
Q27. When implementing the organizational disposal process, what factors are considered when making a final decision about sanitization of media?
Q43. Where will an Authorizing Official (AO) find implementation details for a control?
Q59. The Information Technology (IT) manager is responsible to the Information Officer for the implementation of Role Based Access Control (RBAC) for assigned divisional resources. Specifically, the IT manager must facilitate Identity and Access Management (IAM) for configured assets. Which System Development Life Cycle (SDLC) phase will enable the system security officer to verify accountability and authentication of these implemented safeguards?
Q77. Which of the following is an example of the test assessment method?
Q91. What consideration leads to a less frequent assessment and monitoring activity?
Q107. Security Content Automation Protocol (SCAP) is a method for which of the following?
Q123. A minor application is being added to an existing accredited distributed system. This application does not require any additional security functionality other than that provided by the distributed system. Which of the following actions is taken?
Q11. As part of an annual Federal Information Security Management Act (FISMA) compliance audit, the Inspector General's security program review has identified vulnerabilities in an Information System (IS) in an operational division. Which of the following activities is MOST likely to occur?
Q28. In establishing the rules of behavior for a system, which of the following is necessary?
Q44. The compliance schedules for National Institutes of Standards and Technology (NIST) security standards and guidelines are established by the
Q60. The Authorizing Official may accept authorization recommendations based on
Q78. Which of the following is TRUE when applying the Risk Management Framework (RMF) steps and associated tasks to existing systems?
Q92. Which of the following is the mutual agreement among participating organizations to accept one another’s security assessments in order to reuse system resources or to accept each other’s assessed security posture in order to share information?
Q108. Common controls protecting multiple organizational Information Systems (IS) of different impact levels are implemented at which impact level?
Q124. Which of the following documents tracks an Information System’s (IS) remediation actions?
Q12. Which of the following documents provides a functional description of the Information System (IS) control implementation?
Q29. Which of the following BEST describes the objective of the Security Assessment Plan (SAP)?
Q45. An organization’s Information System (IS) is categorized as a high-impact system. The organization’s architecture does NOT support wireless connectivity. The initial security control baseline requires the organization to implement AC-18: wireless access. What process can the organization implement to eliminate this unnecessary control?
Q61. The final Security Assessment Report (SAR) should contain which of the following?
Q79. The organizational and system monitoring strategies identify
Q93. What is essential when documenting the implementation of security controls?
Q109. What are the classifications of the system level security controls?
Q125. Which of the following professionals plays the role of a monitor and takes part in the organization’s configuration management process?
Q13. What is the likelihood that security controls with a low level of volatility will change?
Q30. An Information System (IS) is registered with appropriate program/management offices in order to
Q46. Which of the following roles within the organization is responsible for clearly defining the impact level of the information the system processes?
Q62. Which of the following triggers a Security Plan (SP) update?
Q80. An effective continuous monitoring strategy includes which of the following?
Q94. What activity MUST be completed before the System Owner (SO) considers the minimum security requirement of the system?
Q110. An Information System (IS) has the following Security Categories (SC) for each information type:
SC public information = (confidentiality, NA), (integrity, HIGH), (availability, LOW)
SC investigation information = (confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)
SC administrative = (confidentiality, NA), (integrity, LOW), (availability, LOW)
What is the overall IS security category for confidentiality?
Q126. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer?
Each correct answer represents a complete solution. Choose all that apply.
Q31. For a new system, the controls are selected and the security and privacy plans are written during which System Development Life Cycle (SDLC) phase?
Q47. Who has the authority to divide a complex system in order to establish realistic security authorization boundaries?
Q63. When a security control selected for a system cannot be applied,
Q69. A key part of the risk decision process is the recognition that, regardless of the risk response, there typically remains a degree of residual risk. On what basis does an organization determine the acceptable degrees of residual risk?
Q95. During the assessment of a new system, the System Owner (SO) mentioned that if unauthorized modification or destruction of medical information in the system occurred, it could result in potential loss of life because the system is the authoritative source of information about patient healthcare records including current and previous medications and ongoing medical procedures. Which of the following is the BEST Security categorization (SC) for the information type?
Q111. The functional description of the control implementation includes
Q128. Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?
Q16. In order to receive an Authorization to Operate (ATO), the Plan of Action and Milestones (POA&M) MUST
Q32. If the protection offered by a common control proves to be unacceptable or insufficient, how would the problem be corrected?
Q48. Which document in support of the authorization package defines the well-defined set of security and privacy controls?
Q64. What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected?
Q76. Organization A has merged with another similar organization, organization B, and has expanded the data center operations to include Information Technology (IT) assets from both locations. What is the BEST reason for requiring an updated risk assessment?
Q96. One of the primary goals in conducting analysis of the test results from a scan during Security Control Assessment (SCA) is to
Q112. During which phase of the System Development Life Cycle (SDLC) of an existing system does the system owner conduct remediation action based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the Plan of Action and Milestones (POA&M)?
Q129. Which of the following assessment methodologies defines a six-step technical security evaluation?
Q127. The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE?
Each correct answer represents a complete solution. Choose all that apply.
Q17. Which of the following documents is updated when a vulnerability is discovered during continuous monitoring?
Q33. Which of the following phases is identified as one of the four Incident Response (IR) phases?
Q49. The organization has implemented a project to move the physical servers to virtual machines (VM) over the next year. Which risk perspective addresses this project?
Q65. The assessment effort for effective incident handling MUST include the determination that an organization
Q81. Which of the following includes the resource required for mitigation?
Q97. Regardless of the task ordering, what is the last step before an Information System (IS) is placed into operation?
Q113. While conducting an internal control review of a high-impact system’s technical controls, the Information System Security Officer (ISSO) notes that the system’s audit logs are collecting only user login time. This is a violation of which of the following?
Q130. DIACAP applies to the acquisition, operation, and sustainment of a DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP?
Each answer represents a complete solution. Choose all that apply.
Q1. What is included in the Plan of Action and Milestones (POA&M) that is presented to the Authorizing Official (AO) as part of the initial authorization package?
Q18. The process of uniquely assigning information resources to an Information System (IS) defines the
Q34. What document is based on the findings and recommendations of the assessment report?
Q50. What is the MOST important reason for developing a continuous monitoring strategy?
A. To maintain an up-to-date Configuration Management Plan
B. To conduct a point-in-time assessment to demonstrate due diligence and compliance
C. To determine if the deployed security controls continue to be effective over time
D. To validate an Interconnection Service Agreement (ISA)
Q66. Common security controls are those that apply to one or more of which of the following?
Q82. The Chief Information Officer (CIO) is establishing a policy of monthly assessment for access controls. What is the BEST corresponding action the system security officer should complete?
Q98. Who is responsible for accepting the risk when a system undergoes a significant change?
Q114. What is the PRIMARY goal for establishing Information System (IS) boundaries?
Q131. Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use?
Q2. What are the steps of a risk assessment?
Q19. The PRIMARY benefit of documenting the control implementation is that it
Q35. Which of the following is the BEST approach to authorizing operations of complex systems?
Q51. The determination of risk for a particular threat/vulnerability pair includes assessment of the
Q67. At which point in the Risk Management Framework (RMF) process is a system analyzed for changes that impact the security and privacy posture of the system?
Q83. When a system contains Personally Identifiable Information (PII), what additional action MUST be performed related to the specific system?
Q99. The security category of information 1 is determined to be:
Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, LOW)
And the security category of information 2 is determined to be:
Security Category Information type = (Confidentiality, LOW), (integrity, LOW), (availability, HIGH)
What is the security category for the Information System (IS)?
Q115. Which of the following considerations MUST be taken into account regarding data or media on an Information System (IS) prior to it being decommissioned and removed?
Q132. Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and
Q3. Which of the following cannot be delegated by the Authorizing Official (AO)?
Q20. What is used by System Owners (SO) to establish a disciplined and structured process to monitor the residual risk in the Information System (IS)?
Q36. What should be included in a functional description of security control implementation?
Q52. Organizations consider which of the following factors when selecting security or privacy control assessors?
Q68. Security controls that are shared throughout an organization’s enterprise require
Q84. Which role has the PRIMARY responsibility for the documentation of control implementation?
Q100. Which of the following BEST defines the purpose of the security assessment?
Q116. Which of the following BEST determines the level of details required when describing the Information System (IS)?
Q133. James works as an IT systems staff member at SoftTech Inc. He performs the following tasks: runs regular backups and routine tests of the validity of the backup data; performs data restoration from the backups whenever required; maintains the retained records in accordance with the established information classification policy.
What is the role played by James in the organization?
Q4. Configuring an Information System (IS) to prohibit the use of unused ports and protocols
Q21. In the security and privacy assessment reports, the control assessor identified some weaknesses and proposed initial remediation actions. Based on the identified weaknesses, it is determined that certain findings are inconsequential and present no threat to the organization. Who is PRIMARILY responsible for determining the initial risk response?
Q37. The results of the completed control assessments, including recommendations for correcting any weaknesses or deficiencies in the control, are documented in which document?
Q53. Overlays can be implemented as part of control tailoring after the completion of what process?
Q70. When determining the level of acceptable risk associated with the operation of an Information System (IS), an organization shall give
Q85. When making determinations regarding the adequacy of common controls for their respective systems, Information System Owners (ISO) refer to the Common Control Providers’ (CCP)
Q101. With which role does a System Owner (SO) coordinate the implementation of inherited controls?
Q117. What is a key component of the initial security and privacy assessment reports?
Q134. FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?