100% satisfaction guarantee Immediately available after payment Both online and in PDF No strings attached
logo-home
ISSEP EXAM 2024 WITH 100% CORRECT ANSWERS $16.49   Add to cart

Exam (elaborations)

ISSEP EXAM 2024 WITH 100% CORRECT ANSWERS

 2 views  0 purchase
  • Course
  • Institution

The authority to accept residual risk resides in which role? - Answer Authorizing Official Which reference provides detailed guidance on risk assessments? - Answer SP 800-30 Risk Management Guide for Information Technology Systems Which non-executive branch organization provides the President...

[Show more]

Preview 4 out of 54  pages

  • February 24, 2024
  • 54
  • 2023/2024
  • Exam (elaborations)
  • Questions & answers
avatar-seller
ISSEP EXAM 2024 WITH 100%
CORRECT ANSWERS

The authority to accept residual risk resides in which role? - Answer ✔✔Authorizing Official



Which reference provides detailed guidance on risk assessments? - Answer ✔✔SP 800-30 Risk
Management Guide for Information Technology Systems



Which non-executive branch organization provides the President with advice on security and continuity
of communications systems? - Answer ✔✔National Security Telecommunications Advisory Committee
(NSTAC)



NCSC-5 establishes the National Policy for the use of cryptographic material when operating in high risk
environments. Which is NOT required by this policy? - Answer ✔✔Have a plan to operate without
cryptographic material if necessary



Who prepares the accreditation decision letter? - Answer ✔✔Designated Representative



Who develops and maintains information security policies, procedures, and control techniques to
address all applicable requirements? - Answer ✔✔Chief Information Officer



The Risk Management Equation includes: - Answer ✔✔Risk Assessment + Risk Mitigation + Evaluation
and Assessment



Who procures, develops, integrates, modifies, operates or maintains an information system? - Answer
✔✔Information System Owner



Who is responsible for preparing the system security plan and conducting the risk assessment? - Answer
✔✔Information System Owner

,You have just completed the Control Analysis step in the SP 800-30 process. What is the next step? -
Answer ✔✔Likelihood Determination



In which phase of the 800-30 process does one produce the Risk Assessment Report (RAR)? - Answer
✔✔Results Documentation



Which phase of the SP 800-30 process produces the Impact Rating? - Answer ✔✔Impact Analysis



Inputs to Step 3 Vulnerability Identification do NOT include: - Answer ✔✔List of Potential Vulnerabilities



Which of these is (are) NOT inputs to Step 1 System Characterization under SP 800-30? - Answer
✔✔System Boundary



Which of the following is a good source of information on system vulnerabilities maintained by the
NIST? - Answer ✔✔ICAD Database



Which of these are valid ways to mitigate risk? - Answer ✔✔Risk Avoidance, Risk Transference



During which phase of the NIST SP 800-37 System Authorization Process does the Information System
Owner conduct the initial risk assessment? - Answer ✔✔Initiation Phase



By regulation and law, information security must be: - Answer ✔✔Cost-effective



Executive Agencies must: - Answer ✔✔Authorize system processing prior to operation



Adequate Security is: - Answer ✔✔Commensurate with risk



Which phase follows the Validation Phase in the NIACAP process? - Answer ✔✔Post Accreditation Phase



Which phase of the IATF results in component and interface specifications that provides sufficient
information for acquisition of security products? - Answer ✔✔Develop Detailed Security Design

,Security Control Assessment tries to determine if the controls are - Answer ✔✔Producing desired
results



Which phase of the IATF does formal risk assessment begin? - Answer ✔✔Design System Security
Architecture



What is the minimum frequency periodic testing and evaluation of the effectiveness of policies can be
done? - Answer ✔✔Annually



Which of the following is NOT required to be part of the SSP under SP 800-37? - Answer ✔✔Results of
last awareness evaluation



Which of the following is NOT normally part of the Requirements Traceability Matrix? - Answer
✔✔POA&M findings



Which of the following is NOT accomplished as part of registration? - Answer ✔✔System Certification



IAW FIPS 199, what word is used to describe potential "LOW" impact items? - Answer ✔✔Limited



Initial CONOPS development begins in which phase of the IATF? - Answer ✔✔Define System Security
Requirements



The main purpose of C&A is? - Answer ✔✔Acceptance and management of risk



Certification is? - Answer ✔✔Evaluation of technical and non-technical controls



NIST SP 800-18, Guide for Developing Security Plans describes the purpose of security plans as: - Answer
✔✔provide an overview of the system security requirements and the controls in place



Which of these is NOT a phase of DITSCAP? - Answer ✔✔Initiation

, What is a disadvantage of the Spiral development method? - Answer ✔✔Production Paradox



Which of the following is NOT part of the Information Management Model (IMM)? - Answer
✔✔Information Protection Policy (IPP)



Harm to Information and Potentially Harmful Events are measured using - Answer ✔✔A metric such as a
seriousness rating



Who serves as principal staff advisor to the system owner on all matters involving the security of the
information system? - Answer ✔✔Information System Security Officer



IAW the IATF, classes of attack do NOT include? - Answer ✔✔Hackers



Who is responsible for ensuring that configuration and change control processes are followed? - Answer
✔✔Information System Manager



As part of the SSE-CMM evaluation, which of the following is NOT evaluated as part of the "Assess
Security Risk"? - Answer ✔✔Security Certification



Who is responsible for managing, coordinating, and overseeing all security authorization activities,
agency-wide? - Answer ✔✔Authorization Advocate



Which of the following is NOT part of how the IATF describes the Defense in Depth paradigm? - Answer
✔✔Respond



Who is responsible for representing the interests of the system acquisition or maintenance
organization? - Answer ✔✔Program Manager



Who provides an independent assessment of the system security plan? - Answer ✔✔Certification Agent

The benefits of buying summaries with Stuvia:

Guaranteed quality through customer reviews

Guaranteed quality through customer reviews

Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.

Quick and easy check-out

Quick and easy check-out

You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.

Focus on what matters

Focus on what matters

Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!

Frequently asked questions

What do I get when I buy this document?

You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.

Satisfaction guarantee: how does it work?

Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.

Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller JUICYGRADES. Stuvia facilitates payment to the seller.

Will I be stuck with a subscription?

No, you only buy these notes for $16.49. You're not tied to anything after your purchase.

Can Stuvia be trusted?

4.6 stars on Google & Trustpilot (+1000 reviews)

79079 documents were sold in the last 30 days

Founded in 2010, the go-to place to buy study notes for 14 years now

Start selling
$16.49
  • (0)
  Add to cart