Completing this exam is mandatory as part of your overall course completion and receiving your certificate. Completing this exam is what is important, even if you do not pass. However, 80% is considered a passing grade. Remember, you can only retake this Exam once. Upon completion, please remember to take a screenshot of your results page and upload it in the final section: COURSE COMPLETION CONFIRMATION UPLOAD. Good luck!
_______________________________________________________________
Q1. What is included in the Plan of Action and Milestones (POA&M) that is presented to the Authorizing Official (AO) as part of the initial authorization package?
Q2. What are the steps of a risk assessment?
Q3. Which of the following cannot be delegated by the Authorizing Official (AO)?
Q4. Configuring an Information System (IS) to prohibit the use of unused ports and protocols
Q5. The Authorization boundary of a system undergoing assessment includes
Q6. Which of the following BEST describes a government-wide standard for security Assessment and Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for federal agencies and Cloud Service Providers (CSP)?
Q7. All Federal agencies are required by law to conduct which of the following activities?
Q8. What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy?
Q9. An organization is developing a risk assessment for a newly installed Information System (IS) to determine the best configuration of a supporting Information Technology (IT) product. Which of the following specific factors is often overlooked in this analysis?
Q10. If an assessment of a common control determines that it is not effective, what documentation is required?
Q11. As part of an annual Federal Information Security Management Act (FISMA) compliance audit, the Inspector General's security program review has identified vulnerabilities in an Information System (IS) in an operational division. Which of the following activities is the MOST likely to occur?
Q12. Which of the following documents provides a function description of the Information System (IS) control implementation?
Q13. What is the likelihood that security controls with a low level of volatility will change?
Q14. A System Owner (SO) is implementing a new system within their existing organizational Information Technology (IT) environment. What objectives are considered when determining possible impact to risk?
Q15. Besides the System Owner (SO), what role has the PRIMARY responsibility for implementing the security controls into the security and privacy plans for the Information System (IS)?
Q16. In order to receive an Authorization to Operate (ATO), the Plan of Action and Milestones (POA&M) MUST
Q17. Which of the following documents is updated when a vulnerability is discovered during continuous monitoring?
Q18. The process of uniquely assigning information resources to an Information System (IS) defines the
Q19. The PRIMARY benefit of documenting the control implementation is that it
Q20. What is used by System Owners (SO) to establish a disciplined and structured process to monitor the residual risk in the Information System (IS)?
Q21. In the security and privacy assessment reports, the control assessor identified some weaknesses and proposed initial remediation actions. Based on the identified weaknesses, it is determined that certain findings are inconsequential and present no threat to the organization. Who is PRIMARILY responsible for determining the initial risk response?
Q22. When addressing Configuration Management (CM), why is it MOST important to document the proposed changes?
Q23. What is a KEY consideration when selecting a media sanitization method of destruction tool when decommissioning an Information System (IS)?
Q24. The potential impact value "not applicable" applies to which of the following security objectives?
Q25. The new Authorizing Official (AO) is reviewing all moderate and high systems to determine whether a formal authorization action is needed for any of the systems. Which of the following documents BEST facilitates this process?
Q26. The baseline configuration of an information system should be consistent with the
Q27. When implementing the organizational disposal process, what factors are considered when making a final decision about sanitization of media?
Q28. In establishing the rules of behavior for a system, which of the following is necessary?
Q29. Which of the following BEST describes the objective of the Security Assessment Plan (SAP)?
Q30. An Information System (IS) is registered with appropriate program/management offices in order to
Q31. For a new system, the controls are selected and the security and privacy plans are written during which System Development Life Cycle (SDLC) phase?
Q32. If the protection offered by a common control proves to be unacceptable or insufficient, how would the problem be corrected?
Q33. Which of the following phases is identified as one of the four Incident Response (IR) phases?
Q34. What document is based on the findings and recommendations of the assessment report?
Q35. Which of the following is the BEST approach to authorizing operations of complex systems?
Q36. What should be included in a functional description of security control implementation?
Q37. The results of the completed control assessments, including recommendations for correcting any weaknesses or deficiencies in the control, are documented in which document?
Q38. What can an organization choose to eliminate the authorization termination date?
Q39. Which of the following is the principal vehicle used to verify that Information Systems (IS) are meeting their stated security goals and objectives?
Q40. When should a Plan of Action and Milestones (POA&M) be updated?
Q41. In determining residual risk, an organization considers impact on which of the following?
Q42. Which of the following MUST be done when a federal Information System (IS) is removed from service?
Q43. Where will an Authorizing Official (AO) find implementation details for a control?
Q44. The compliance schedules for National Institute of Standards and Technology (NIST) security standards and guidelines are established by the
Q45. An organization's Information System (IS) is categorized as a high-impact system. The organization's architecture does NOT support wireless connectivity. The initial security control baseline requires the organization to implement AC-18: Wireless Access. What process can the organization implement to eliminate this unnecessary control?
Q46. Which of the following roles within the organization is responsible for clearly defining the impact level of the information the system processes?
Q47. Who has the authority to divide a complex system in order to establish realistic security authorization boundaries?
Q48. Which document in support of the authorization package defines the well-defined set of security and privacy controls?
Q49. The organization has implemented a project to move the physical servers to virtual machines (VM) over the next year. Which risk perspective addresses this project?
Q50. What is the MOST important reason for developing a continuous monitoring strategy?
A. To maintain an up-to-date Configuration Management Plan
B. To conduct a point-in-time assessment to demonstrate due diligence and compliance
C. To determine if the deployed security controls continue to be effective over time
D. To validate an Interconnection Service Agreement (ISA)
Q51. The determination of risk for a particular threat/vulnerability pair includes assessment of the
Q52. Organizations consider which of the following factors when selecting security or privacy control assessors?
Q53. Overlays can be implemented as part of control tailoring after the completion of what process?
Q54. Security controls are designed to be technology and implementation
Q55. When monitoring controls, changes to the system should be
Q56. Which of the following is a key step in the overall Contingency planning process?
Q57. Subsystems are considered part of a larger system provided that they are
Q58. Residual risk can be categorized as risk
Q59. The Information Technology (IT) manager is responsible to the Information Officer for the implementation of Role Based Access Control (RBAC) on assigned divisional resources. Specifically, the IT manager must facilitate Identity and Access Management (IAM) for configured assets. Which System Development Life Cycle (SDLC) phase will enable the system security officer to verify accountability and authentication of these implemented safeguards?
Q60. The Authorizing Official may accept authorization recommendations based on
Q61. The final Security Assessment Report (SAR) should contain which of the following?
Q62. Which of the following triggers a Security Plan (SP) update?
Q63. When a security control selected for a system cannot be applied,
Q64. What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected?
Q65. The assessment effort for effective incident handling MUST include the determination that an organization
Q66. Common security controls are those that apply to one or more of which of the following?
Q67. At which point in the Risk Management Framework (RMF) process is a system analyzed for changes that impact the security and privacy posture of the system?
Q68. Security controls that are shared throughout an organization’s enterprise require
Q69. A key part of the risk decision process is the recognition that, regardless of the risk response there typically remains a degree of residual risk. On what basis does an organization determine the acceptable degrees of residual risk?
Q70. When determining the level of acceptable risk associated with the operation of an Information System (IS), the organization shall give
Q71. What factor MUST be analyzed during risk determination activities?
Q72. The Least Privilege security control is a member of which control family?
Q73. Which process guides the selection of security controls to ensure adequate security commensurate with the risk of the organization?
Q74. Which of the following is an essential element when an organization updates its authorization package documents?
Q75. When implementing a control on wireless access, the organization MUST do which of the following?
Q76. Organization A has merged with another similar organization, organization B, and has expanded the data center operations to include Information Technology (IT) assets from both locations. What is the BEST reason for requiring an updated risk assessment?
Q77. Which of the following is an example of the test assessment method?
Q78. Which of the following is TRUE when applying the Risk Management Framework (RMF) steps and associated tasks to existing systems?
Q79. The organizational and system monitoring strategies identify
Q80. An effective continuous monitoring strategy includes which of the following?
Q81. Which of the following includes the resource required for mitigation?
Q82. The Chief Information Officer (CIO) is establishing a policy of monthly assessment for access controls. What is the BEST corresponding action the system security officer should complete?
Q83. When a system contains Personally Identifiable Information (PII) what additional action MUST be performed related to the specific system?
Q84. Which role has the PRIMARY responsibility for the documentation of control implementation?
Q85. When making determinations regarding the adequacy of common controls for their respective systems, Information System Owners (ISO) refer to the Common Control Providers' (CCP)
Q86. An organization-wide approach to identifying common controls early in the Risk Management Framework (RMF) process does which of the following?
Q87. From an organizational viewpoint, what effect does the designation of some security controls as common controls have?
Q88. What does a finding of “other than satisfied” reflect in an assessment report?
Q89. What is considered when establishing a system authorization boundary?
Q90. Which organizational reference can an Information Systems Security Officer (ISSO) use to help prioritize the remediation of a vulnerability found during a weekly vulnerability scan?
Q91. What consideration leads to a less frequent assessment and monitoring activity?
Q92. Which of the following is the mutual agreement among participating organizations to accept one another’s security assessments in order to reuse system resources or to accept each other’s assessed security posture in order to share information?
Q93. What is essential when documenting the implementation of security controls?
Q94. What activity MUST be completed before the System Owner (SO) considers the minimum security requirement of the system?
Q95. During the assessment of a new system, the System Owner (SO) mentioned that if unauthorized modification or destruction of medical information in the system occurred, it could result in potential loss of life because the system is the authoritative source of information about patient healthcare records including current and previous medications and ongoing medical procedures. Which of the following is the BEST Security categorization (SC) for the information type?
Q96. One of the primary goals in conducting analysis of the test results from a scan during Security Control Assessment (SCA) is to
Q97. Regardless of the task ordering, what is the last step before an Information System (IS) is placed into operation?
Q98. Who is responsible for accepting the risk when a system undergoes a significant change?
Q99. The security category of information type 1 is determined to be:
SC information type 1 = {(confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, LOW)}
and the security category of information type 2 is determined to be:
SC information type 2 = {(confidentiality, LOW), (integrity, LOW), (availability, HIGH)}
What is the security category for the Information System (IS)?
Q100. Which of the following BEST defines the purpose of the security assessment?
Q101. With which role does a System Owner (SO) coordinate the implementation of inherited controls?
Q102. A Security Control Assessment (SCA) was completed over two years ago, but the surrounding environment has changed. What, if anything, should the assessment team do with the previous results?
Q103. The Authorizing Official (AO) issues an Authorization decision for an information system after
Q104. When documenting how system-specific and hybrid security controls are implemented, an organization takes into account
Q105. Which process must be conducted during security categorization?
Q106. When determining the likelihood of a threat-source exploiting a system vulnerability, one MUST consider which of the following?
Q107. Security Content Automation Protocol (SCAP) is a method for which of the following?
Q108. Common controls protecting multiple organizational Information Systems (IS) of different impact levels are implemented at which impact level?
Q109. What are the classifications of the system level security controls?
Q110. An Information System (IS) has the following Security Categories (SC) for each information type:
SC public information = {(confidentiality, NA), (integrity, HIGH), (availability, LOW)}
SC investigation information = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}
SC administrative information = {(confidentiality, NA), (integrity, LOW), (availability, LOW)}
What is the overall IS security category for confidentiality?
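Q99 and Q110 both require deriving a system-level security category from the categories of the information types the system processes. The Python below is an added worked example, not part of this quiz or its course material; it implements the FIPS 199 high-water-mark rule as I understand it: for each objective take the highest impact across all information types, allow "not applicable" (NA) only for the confidentiality of an individual information type, floor every objective to LOW at the system level because FIPS 199 does not permit NA for a system, and take the overall system impact as the highest of the three objectives. The two input sets are constructed to mirror Q99 and Q110; the function and variable names are mine.

```python
"""FIPS 199 high-water-mark security categorization (added worked example).

Assumptions (FIPS 199 / SP 800-60 as I read them):
  * impact scale is NA < LOW < MODERATE < HIGH
  * NA is valid only for the confidentiality of an information type
  * at system level no objective may be NA; it is floored to LOW
  * overall system impact = highest of the three objective impacts
"""
from typing import Dict, List

LEVELS = ("NA", "LOW", "MODERATE", "HIGH")          # ordered impact scale
OBJECTIVES = ("confidentiality", "integrity", "availability")

SecurityCategory = Dict[str, str]                    # objective -> level


def validation_errors(sc: SecurityCategory) -> List[str]:
    """Return a list of problems with one information type's category."""
    errors = []
    for obj in OBJECTIVES:
        level = sc.get(obj)
        if level not in LEVELS:
            errors.append(f"{obj}: unknown impact level {level!r}")
        elif level == "NA" and obj != "confidentiality":
            errors.append(f"{obj}: NA is only permitted for confidentiality")
    return errors


def high_water_mark(*levels: str) -> str:
    """Highest level on the ordered scale."""
    return max(levels, key=LEVELS.index)


def system_category(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """Aggregate per-information-type categories into the system category."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for name, sc in info_types.items():
        problems = validation_errors(sc)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
    result: SecurityCategory = {}
    for obj in OBJECTIVES:
        level = high_water_mark(*(sc[obj] for sc in info_types.values()))
        # FIPS 199: NA cannot be assigned at the system level; floor to LOW.
        result[obj] = "LOW" if level == "NA" else level
    return result


def overall_impact(sc: SecurityCategory) -> str:
    """Overall system impact level: high water mark across the objectives."""
    return high_water_mark(*(sc[obj] for obj in OBJECTIVES))


def format_sc(name: str, sc: SecurityCategory) -> str:
    """Render in the SC notation used in the questions above."""
    parts = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


# Constructed inputs mirroring Q99 and Q110 (hypothetical system names).
Q99_TYPES: Dict[str, SecurityCategory] = {
    "information type 1": {"confidentiality": "NA", "integrity": "MODERATE", "availability": "LOW"},
    "information type 2": {"confidentiality": "LOW", "integrity": "LOW", "availability": "HIGH"},
}
Q110_TYPES: Dict[str, SecurityCategory] = {
    "public information": {"confidentiality": "NA", "integrity": "HIGH", "availability": "LOW"},
    "investigation information": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
    "administrative information": {"confidentiality": "NA", "integrity": "LOW", "availability": "LOW"},
}

if __name__ == "__main__":
    for label, types in (("Q99 system", Q99_TYPES), ("Q110 system", Q110_TYPES)):
        sc = system_category(types)
        print(format_sc(label, sc), "-> overall", overall_impact(sc))
```

Running the block yields a Q99 system category of (confidentiality, LOW), (integrity, MODERATE), (availability, HIGH) with an overall impact of HIGH, and a Q110 confidentiality impact of MODERATE, the investigation information type setting the high water mark while the two NA types contribute nothing.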
Q111. The functional description of the control implementation includes
Q112. During which phase of the System Development Life Cycle (SDLC) of an existing system does the system owner conduct remediation action based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the Plan of Action and Milestones (POA&M)?
Q113. While conducting an internal control review of a high-impact system's technical controls, the Information System Security Officer (ISSO) notes that the system's audit logs are collecting only user login time. This is a violation of which of the following?
Q114. What is the PRIMARY goal for establishing Information System (IS) boundaries?
Q115. Which of the following considerations MUST be taken into account regarding data or media on an Information System (IS) prior to it being decommissioned and removed?
Q116. Which of the following BEST determines the level of detail required when describing the Information System (IS)?
Q117. What is a key component of the initial security and privacy assessment reports?
Q118. An organization should consider which elements when selecting an assessment team?
Q119. What is a consequence of an authorization boundary that is too expansive?
Q120. Which of the following are acceptable assessment methods for a control assessment?
Q121. Which security control baseline does not require an independent assessment of security controls, as part of continuous monitoring?
Q122. Which process follows the selection of the initial baseline security controls?
Q123. A minor application is being added to an existing accredited distributed system. This application does not require any additional security functionality other than that provided by the distributed system. Which of the following actions is taken?
Q124. Which of the following documents tracks an Information System’s (IS) remediation actions?
Q125. Which of the following professionals plays the role of a monitor and takes part in the organization’s configuration management process?
Q126. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer?
Each correct answer represents a complete solution. Choose all that apply.
Q127. The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE?
Each correct answer represents a complete solution. Choose all that apply.
Q128. Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?
Q129. Which of the following assessment methodologies defines a six-step technical security evaluation?
Q130. DIACAP applies to the acquisition, operation, and sustainment of a DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP?
Each answer represents a complete solution. Choose all that apply.
Q131. Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use?
Q132. Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?
Q133. James works as IT systems personnel at SoftTech Inc. He performs the following tasks: runs regular backups and routine tests of the validity of the backup data; performs data restoration from the backups whenever required; and maintains the retained records in accordance with the established information classification policy.
What is the role played by James in the organization?
Q134. FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?
Q135. Certification & Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?
Q136. System Authorization is a risk management process. The System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process.
What are the different phases of the System Authorization Plan?
Each correct answer represents a part of the solution. Choose all that apply.
Q13. What is the likelihood that security controls with a low level of volatility will change?