Completing this exam is mandatory as part of your overall course completion and receiving your certificate. Completing this exam is what is important, even if you do not pass. However, 80% is considered a passing grade. Remember, you can only retake this Exam once. Upon completion, please remember to take a screenshot of your results page and upload it in the final section: COURSE COMPLETION CONFIRMATION UPLOAD. Good luck!
0 of 136 questions completed
You have already completed the quiz before. Hence you can not start it again.
Quiz is loading…
You must sign in or sign up to start the quiz.
You must first complete the following:
0 of 136 questions answered correctly
Time has elapsed
You have reached 0 of 0 point(s), (0)
Earned Point(s): 0 of 0, (0)
0 Essay(s) Pending (Possible Point(s): 0)
Thank you for Completing this sample Exam. Please remember to take a screenshot of your results page and upload it in the final section: COURSE COMPLETION CONFIRMATION UPLOAD.
Q1. What is included in the Plan of Action and Milestones (POA&M) that is presented in the Authorizing Official (AO) as part of the initial authorization package?
Q2. What are the steps of a risk assessment?
Q3. Which of the following cannot be delegated by the Authorizing Official (AO)?
Q4. Configuring an Information System (IS) to prohibit the use of unused ports and protocols
Q5. The Authorization boundary of a system undergoing assessment includes
Q6. Which of the following BEST describes a government-wide standard for security Assessment and Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for federal agencies and Cloud Service Providers (CSP)?
Q7. All Federal agencies are required by law to conduct which of the following activities?
Q8. What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy?
Q9. An organization is developing a risk assessment for a newly installed Information System (IS) to determine the best configuration or a supporting Information Technology (IT) product. Which of the following specific factors is often overlooked in this analysis?
Q10. If an assessment of a common control determines that it is not effective, what documentation is required?
Q11. As part of an annual Federal Information Security Management Act (FISMA) compliance audit the inspector general security program review has identified vulnerabilities to an Information System (IS) in an operational division, which of the following activities is the MOST likely to occur?
Q12. Which of the following documents provides a function description of the Information System (IS) control implementation?
Q13. Which is the likelihood that security controls with a low level of volatility will change?
Q14. A System Owner (SO) is implementing a new system with their existing organization Information Technology (IT) environment. What objectives are considered when determining possible impact to risk?
Q15. Besides the System Owner (SO), what role has the PRIMARY responsibility for implementing the security controls into the security and privacy plans for the Information Systems (IS?)
Q16. In order to receive an Authorization to Operate (ATO), the Plan of Action and Milestones (POA&M) MUST
Q17. Which of the following documents is updated when a vulnerability is discovered during continuous monitoring?
Q18. The process of uniquely assigning information resources to an Information System (IS) defines the
Q19. The PRIMARY benefit of documenting the control implementation is that it
Q20. What is used by System Owners (SO) to establish a disciplined and structured process to monitor the residual risk in the Information System (IS)?
Q21. In the security and privacy assessment reports, the control assessor identified some weaknesses and proposed initial remediation actions. Based on the identified weaknesses, it is determined that certain findings are inconsequential and present no threat to the organization. Who is PRIMARILY responsible for determining the initial risk response?
Q22. When addressing Configuration Management (CM), why is it MOST important to document the proposed changes?
Q23. What is a KEY consideration when selecting a media sanitization method of destruction tool when decommissioning an Information System (IS)?
Q24. The potential impact value “not applicable” applies to which of the following security objectives
Q25. The new Authorizing Official (AO) is reviewing all moderate and high systems to determine formal authorization action is needed for any of the systems. Which of the following documents BEST facilities this process?
Q26. The baseline configuration of an information system should be consistent with the
Q27. When implementing the organizational disposal process, what factors are considered when making a final decision about sanitization of media?
Q28. In establishing the rules of behavior for a system, which of the following is necessary?
Q 29. Which of the following BEST describes the objective of the Security Assessment Plan (SAP)?
Q30. An Information System (IS) is registered with appropriate program/management offices in order to
Q31. For a new system, the controls are selected and the security and privacy plans are written during which System Development Life Cycle (SDLC) phase?
Q32. If the protection offered by a common control proves to be unacceptable or insufficient, how would the problem be corrected?
Q33. Which of the following phases is identified as one of the four Incident Response (IR) phases?
Q34. What document is based on the findings and recommendations of the assessment report?
Q35. Which of the following is the BEST approach to authorizing operations of complex systems?
Q36. What should be included in a functional description of security control implementation?
Q37. The results of the completed control assessments, including recommendations for correcting any weaknesses or deficiencies in the control, are documented in which document?
Q38. What can an organization choose to eliminate the authorization termination data?
Q39. Which of the following is the principal vehicle used to verify that Information Systems (IS) are meeting their stated security goals and objectives?
Q40. When should a Plan of Action and Milestones (POA&M) be updated?
Q41. In determining residual risk, an organization considers impact on which of the following?
Q42. Which of the following MUST be done when a federal Information System (IS) is removed from service?
Q43. Which will an Authorizing Official (AO) find implementation details for a control?
Q44. The compliance schedules for National Institutes of Standards and Technology (NIST) security standards and guidelines are established by the
Q45. An organization’s Information System (IS) is categorized as a high-impact system.
The organization’s architecture does NOT support wireless connectivity. The initial
security control baseline requires the organization to implement AC-18: wireless access.
What process can the organization implement to eliminate this unnecessary control?
Q46. Which of the following roles within the organization is responsible for clearly defining the impact level of the information the system processes?
Q47. Who has the authority to divide a complex system in order to establish realistic security authorization boundaries?
Q48. Which document in support of the authorization package defines the well-defined set of security and privacy controls?
Q49. The organization has implemented a project to move the physical servers to virtual machines (VM) over the next year. Which risk perspective addresses this project?
Q50. What is the MOST important reason for developing a continuous monitoring strategy?
A. To maintain an up-to-date Configuration Management Plan
B. To conduct a point-in-time assessment to demonstrate due diligence and compliance
C. To determine if the deployed security controls continue to be effective over time
D. To validate an Interconnection Service Agreement (ISA)
Q51. The determination of risk for a particular threat/vulnerability pair include assessment of the
Q52. Organizations consider which of the following factors when selecting security or privacy control assessors?
Q53. Overlays can be implemented as part of control tailoring after the completion of what process?
Q54. Security controls are designed to be technology and implementation
Q55. When monitoring controls, changes to the system should be
Q56. Which of the following is a key step in the overall Contingency planning process?
Q57. Subsystems are considered part of a larger system provided that they are
Q58. Residual risk can be categorized as risk
Q59. The Information Technology (IT) manager is responsible to the Information Officer for the implementation of Role Based Access Control (RBAC) assigned divisional resource. Specifically, the IT manager must facilitate the Identity and Access Management (IAM) for configured assets. Which System Development Life Cycle (SDLC) phase will enable the system security officer to verify accountability and authentication of these implemented safeguards?
Q60. The Authorizing Official may accept authorization recommendations based on
Q61. The final Security Assessment Report (SAR) should contain which of the following
Q62. Which of the following triggers a Security Plan (SP) update?
Q63. When a security control selected for a system cannot be applied,
Q64. What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected?
Q65. The assessment effort for effective incident handling MUST include the determination that an organization
Q66. Common security controls are those that apply to one or more of which of the following?
Q67. At which point in the Risk Management Framework (RMF) process is a system analyzed for changes that impact the security and privacy posture of the system?
Q68. Security controls that are shared throughout an organization’s enterprise require
Q69. A key part of the risk decision process is the recognition that, regardless of the risk response there typically remains a degree of residual risk. On what basis does an organization determine the acceptable degrees of residual risk?
Q70. Determining the level of acceptable risk associated with the operation of an Information System (IS), organization shall give
Q71. What factor MUST be analyzed during risk determination activities?
Q72. The Least Privilege security control is a member of which control family?
Q73. Which process guides the selection of security controls to ensure adequate security commensurate with the risk of the organization?
Q74. Which of the following is an essential element when an organization updates its authorization package documents?
Q75. When implementing a control on wireless access, the organization MUST do which of the following?
Q76. Organization A has merged with another similar organization, organization B, and has expanded the data center operations to include Information Technology (IT) assets from both locations. What is the BEST reason for requiring an updated risk assessments?
Q77. Which of the following is an example of the test assessment method?
Q78. Which of the following is TRUE when applying the Risk Management Framework (RMF) steps and associated tasks to existing systems?
Q79. The organizational and system monitoring strategies identifies
Q80. An effective continuous monitoring strategy includes which of the following?
Q81. Which of the following includes the resource required for mitigation?
Q82. The Chief Information Officer (CIO) is establishing a policy of monthly assessment for access controls. What is the BEST corresponding action the system security officer should complete?
Q83. When a system contains Personally Identifiable Information (PII) what additional action MUST be performed related to the specific system?
Q84. Which role has the PRIMARY responsibility for the documentation of control implementation?
Q85. When making determinations regarding the adequacy of common controls for their respective systems, Information System Owner (ISO) refer to the Common Control Providers’ (CCP)
Q86. An organization-wide approach to identifying common controls early in the Risk Management Framework (RMF) process does which of the following?
Q87. From an organizational viewpoint, what effect does the designation of some security controls as common controls have?
Q88. What does a finding of “other than satisfied” reflect in an assessment report?
Q89. What is considered when establishing a system authorization boundary?
Q90. Which organizational reference can an Information Systems Security Officer (ISSO) use to help prioritize the remediation of a vulnerability found during a weekly vulnerability scan?
Q91. What consideration leads to a less frequent assessment and monitoring activity?
Q92. Which of the following is the mutual agreement among participating organizations to accept one another’s security assessments in order to reuse system resources or to accept each other’s assessed security posture in order to share information?
Q93. What is essential when documenting the implementation of security controls?
Q94. What activity MUST be completed before the System Owner (SO) considers the minimum security requirement of the system?
Q95. During the assessment of a new system, the System Owner (SO) mentioned that if unauthorized modification or destruction of medical information in the system occurred, it could result in potential loss of life because the system is the authoritative source of information about patient healthcare records including current and previous medications and ongoing medical procedures. Which of the following is the BEST Security categorization (SC) for the information type?
Q96. One of the primary goals in conducting analysis of the test results from a scan during Security Control Assessment (SCA) is to
Q97. Regardless of the task ordering, what is the last step before an Information System (IS) is placed into operation?
Q98. Who is responsible for accepting the risk when a system undergoes a significant change?
Q99. The security category of information 1 is determined to be:
Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, LOW)
And the security category of information 2 is determined to be:
Security Category Information type = (Confidentiality, LOW), (integrity, LOW), (availability, HIGH)
What is the security category for the Information System (IS)
Q100. Which of the following BEST defines the purpose of the security assessment?
Q101. Which role does an System Owner (SO) coordinate inherited controls implemented with?
Q102. A Security Control Assessment (SCA) was completed over two years ago, but the surrounding environment has changed. What, if anything, should the assessment team do with the previous results?
Q103. The Authorizing Official (AO) issues an Authorization decision for an information system after
Q104. When documenting how system-specific and hybrid security controls are implemented, an organization takes into account
Q105. Which process must be conducted during security categorization?
Q106. When determining the likelihood of a threat-source exploiting a system vulnerability, one MUST consider which of the following?
Q107. Security Content Automation Protocol (SCAP) is a method for which of the following?
Q108. Common controls protecting multiple organizational Information Systems (IS) of different levels are implemented at the which impact level?
Q109. What are the classifications of the system level security controls?
Q110. An Information System (IS) has the following Security Categories (SC) for each information type:
SC public information = (confidentiality, NA), (integrity, HIGH), (availability, LOW)
SC investigation information = (confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)
SC administrative = (confidentiality, NA), (integrity, LOW), (availability, LOW
What is the overall IS security category for confidentiality?
Q111. The functional description of the control implementation includes
Q112. During which phase of the System Development Life Cycle (SDLC) of an existing system does the system owner conduct remediation action based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the Plan of Action and Milestones (POA&M)?
Q113. While conducting an internal control review of a high impact system’s technical controls, the information System Security Officer (ISSO) notes that system’s audit logs are collecting only user login time. This is a violation of which of the following?
Q114. What is the PRIMARY goal for establishing Information System (IS) boundaries?
Q115. Which of the following considerations MUST be taken into account regarding data or media on an Information System (IS) prior to it being decommissioned and removed?
Q116. Which of the following BEST determines the level of details required when describing the Information System (IS)?
Q117. What is a key component of the initial security and privacy assessment reports?
Q118. An organization should consider which elements when selecting an assessment team?
Q119. What is a consequence of an authorization boundary that is too expensive?
Q120. Which of the following are acceptable assessment methods for a control assessment?
Q121. Which security control baseline does not require an independent assessment of security controls, as part of continuous monitoring?
Q122. Which process follows the selection of the initial baseline security controls?
Q123. A minor application is being added to an existing accredited distributed system. This application does not require any additional security functionality other than that provided by the distributed system. Which of the following actions is taken?
Q124. Which of the following documents tracks an Information System’s (IS) remediation actions?
Q125. Which of the following professionals plays the role of a monitor and takes part in the organization’s configuration management process?
Q126. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer?
Each correct answer represents a complete solution. Choose all that apply.
Q127. The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE?
Each correct answer represents a complete solution. Choose all that apply.
Q128. Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?
Q129. Which of the following assessment methodologies defines a six-step technical security evaluation?
Q130. DIACAP applies to the acquisition, operation, and sustainment of an DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP?
Each answer represents a complete solution. Choose all that apply.
Q131. Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control
models will he use?
Q132. Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and
Q133. James works as an IT systems personnel in SoftTech Inc. He performs the following tasks: Runs regular backups and routine tests of the validity of the backup data. Performs data restoration from the backups whenever required. Maintains the retained records in accordance with the established information classification policy.
What is the role played by James in the organization?
Q134. FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?
Q135. Certification & Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?
Q136. System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process.
What are the different phases of the System Authorization Plan?
Each correct answer represents a part of the solution. Choose all that apply.