The authority to accept residual risk resides in which role? - Answer Authorizing Official
Which reference provides detailed guidance on risk assessments? - Answer SP 800-30 Risk Management Guide for Information Technology Systems
Which non-executive branch organization provides the President with advice on security and continuity of communications systems? - Answer National Security Telecommunications Advisory Committee (NSTAC)
NCSC-5 establishes the National Policy for the use of cryptographic material when operating in high risk environments. Which is NOT required by this policy? - Answer Have a plan to operate without cryptographic material if necessary
Who prepares the accreditation decision letter? - Answer Designated Representative
Who develops and maintains information security policies, procedures, and control techniques to address all applicable requirements? - Answer Chief Information Officer
The Risk Management Equation includes: - Answer Risk Assessment + Risk Mitigation + Evaluation and Assessment
Who procures, develops, integrates, modifies, operates or maintains an information system? - Answer Information System Owner
Who is responsible for preparing the system security plan and conducting the risk assessment? - Answer Information System Owner
You have just completed the Control Analysis step in the SP 800-30 process. What is the next step? - Answer Likelihood Determination
In which phase of the 800-30 process does one produce the Risk Assessment Report (RAR)? - Answer Results Documentation
Which phase of the SP 800-30 process produces the Impact Rating? - Answer Impact Analysis
Inputs to Step 3 Vulnerability Identification do NOT include: - Answer List of Potential Vulnerabilities
Which of these is (are) NOT inputs to Step 1 System Characterization under SP 800-30? - Answer System Boundary
Which of the following is a good source of information on system vulnerabilities maintained by the NIST? - Answer ICAD Database
Which of these are valid ways to mitigate risk? - Answer Risk Avoidance, Risk Transference
During which phase of the NIST SP 800-37 System Authorization Process does the Information System Owner conduct the initial risk assessment? - Answer Initiation Phase
By regulation and law, information security must be: - Answer Cost-effective
Executive Agencies must: - Answer Authorize system processing prior to operation
Adequate Security is: - Answer Commensurate with risk
Which phase follows the Validation Phase in the NIACAP process? - Answer Post Accreditation Phase
Which phase of the IATF results in component and interface specifications that provide sufficient information for acquisition of security products? - Answer Develop Detailed Security Design
Security Control Assessment tries to determine if the controls are - Answer Producing desired results
In which phase of the IATF does formal risk assessment begin? - Answer Design System Security Architecture
What is the minimum frequency at which periodic testing and evaluation of the effectiveness of policies must be done? - Answer Annually
Which of the following is NOT required to be part of the SSP under SP 800-37? - Answer Results of last awareness evaluation
Which of the following is NOT normally part of the Requirements Traceability Matrix? - Answer POA&M findings
Which of the following is NOT accomplished as part of registration? - Answer System Certification
IAW FIPS 199, what word is used to describe potential "LOW" impact items? - Answer Limited
Initial CONOPS development begins in which phase of the IATF? - Answer Define System Security Requirements
The main purpose of C&A is? - Answer Acceptance and management of risk
Certification is? - Answer Evaluation of technical and non-technical controls
NIST SP 800-18, Guide for Developing Security Plans, describes the purpose of security plans as: - Answer provide an overview of the system security requirements and the controls in place
Which of these is NOT a phase of DITSCAP? - Answer Initiation
What is a disadvantage of the Spiral development method? - Answer Production Paradox
Which of the following is NOT part of the Information Management Model (IMM)? - Answer Information Protection Policy (IPP)
Harm to Information and Potentially Harmful Events are measured using - Answer A metric such as a seriousness rating
Who serves as principal staff advisor to the system owner on all matters involving the security of the information system? - Answer Information System Security Officer
IAW the IATF, classes of attack do NOT include? - Answer Hackers
Who is responsible for ensuring that configuration and change control processes are followed? - Answer Information System Manager
As part of the SSE-CMM evaluation, which of the following is NOT evaluated as part of "Assess Security Risk"? - Answer Security Certification
Who is responsible for managing, coordinating, and overseeing all security authorization activities, agency-wide? - Answer Authorization Advocate
Which of the following is NOT part of how the IATF describes the Defense in Depth paradigm? - Answer Respond
Who is responsible for representing the interests of the system acquisition or maintenance organization? - Answer Program Manager
Who provides an independent assessment of the system security plan? - Answer Certification Agent