Term 1 of 258
What are two types of authorization decisions that can be rendered by authorizing officials?
Accept/Deny
Allow/Denial
Authorize/Denial
Access/Type
Term 2 of 258
To facilitate effective implementation of OMB capital planning and NIST security requirements, the Government Accountability Office (GAO) offers which investment life-cycle model as a best practices approach to investment management?
Assess-Respond-Monitor
Initiate-Develop-Assess
Select-Control-Evaluate
Identify-Prioritize-Remediate
Term 3 of 258
What are the two most important factors in choosing a security control assessor?
Independence/Expertise
Trustworthiness/Experience
Expertise/Trustworthiness
Experience/Independence
Term 4 of 258
What is defined as an identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes?
Configuration Item
Compensating control
Business Reference Model
FIPS 197
Term 5 of 258
Which VPN technologies are approved for use by Federal agencies?
IPSec, SSL/TLS (but not SSLv3)
Frame Risk, Assess Risk, Respond to Risk, Monitor Risk (FARM)
Common, System-Specific, Hybrid
Risk Executive (Function)
Term 6 of 258
Which of the following OMB memos announced the implementation of commonly accepted security configurations for Windows operating systems?
M-07-18
M-09-32
M-10-28
M-07-11
Term 7 of 258
Which e-authentication level, described in Special Publication 800-63, requires multifactor authentication and the use of a hard token?
True
Level 4
SISO, AO
Risk Executive (Function)
Term 8 of 258
Teleworking from an employee's residence is covered under the Alternate Work Site security control. True or False?
True
False
Term 9 of 258
What is a term used to describe a body of evidence, organized into an argument, demonstrating that some claim about an information system is assured?
All of the above
Assurance case
VLAN/Cold
Common Controls
Term 10 of 258
In the sanitization guidelines of NIST SP 800-88, what is the recommended disposal method for paper-based medical records containing sensitive PII?
Classified Recycling Bin
Purge
Controlled Refuse Area
Cross-cut shredders
Term 11 of 258
Which phase of the System Development Life Cycle is least likely to require assessment of controls?
Disposal
Operation and Maintenance
Development/Acquisition
Initiation
Term 12 of 258
When would you use a gap analysis in the RMF process?
When applying security to a legacy system
When there is an "air gap" in the system connection to the network
When there is a significant time gap between design and implementation
When the Authorizing Official billet is vacant for an extended time