Question 1
The scope of a risk remediation plan should include ____.
Question 1 options:
review of all system documentation
policies, procedures, and plans unique to the system
all identified vulnerabilities
the minimum security controls baseline for the organization
Question 2 (2 points)
Why should detailed system security procedures be stored in a library instead of attached as appendices to a system security plan?
Question 2 options:
Authorization Officials do not appreciate being sent lengthy documents.
To implement configuration control and prevent unauthorized changes to the system security procedures.
When detailed procedures are attached to the SSP, they can lead to confusion caused by blending operational and management information.
The procedures library is easier to secure than the SSP.
Question 3 (2 points)
How frequently should system security procedures be reviewed and updated?
Question 3 options:
Whenever the system is reauthorized
Annually
Quarterly
Monthly
Question 4 (2 points)
Which of the following is also referred to as a POA&M?
Question 4 options:
system security plan
project schedule
remediation procedures
risk mitigation plan
Question 5 (2 points)
Which of the following can be used to ensure consistency in written security procedures?
Question 5 options:
Libraries
Templates
Style Galleries
Appendices
Question 6 (2 points)
Which of the following are benefits of having written security procedures for information systems?
Question 6 options:
All listed choices are correct.
Written procedures can be used to evaluate compliance with security controls.
Written security procedures support continuity of operations.
Written procedures can be used to cross-train personnel and assure replacements can perform the required tasks in a secure fashion.
Question 7 (2 points)
Written security procedures are required to ______ per NIST SP 800-26 and NIST SP 800-53.
Question 7 options:
identify common controls used in security controls baselines
None of the listed choices are correct.
implement many of the controls required by security control baselines
define system boundaries for System Security Plans
Question 8 (2 points)
A system owner should work with which of the following organizational units to ensure that management and operational controls are properly implemented?
Question 8 options:
All listed choices are correct.
Facilities Office
Chief of Staff’s Office
Human Resources Office
Question 9 (2 points)
Why should a risk assessment include examination of system security plans?
Question 9 options:
To identify corrective actions which must be taken to mitigate risks associated with disasters and attacks.
To ensure compliance with documentation standards.
To identify vulnerabilities related to failure to comply with procedures.
None of the listed choices are correct.
Question 10 (2 points)
How and why should an organization track weaknesses in system security procedures?
Question 10 options:
Tracking should be done in the security controls POA&M.
Tracking should be done in the system security plan itself via the change log so that the items needing correction are not lost or overlooked.
None of the listed choices are correct.
Weaknesses in system security procedures should be tracked in the remediation plan so that they can be scheduled for updating and correction.
Question 11 (2 points)
When should a system owner direct staff members to create a risk remediation plan?
Question 11 options:
after vulnerabilities are identified
at the beginning of the SDLC
before the system authorization package is submitted for approval
after the system receives its initial Authorization to Operate
Question 12 (2 points)
In the context of security controls application, when is a POA&M used?
Question 12 options:
When changes are required to an operational system’s security controls.
To plan for the development of a security controls baseline.
To prepare for categorization of information systems.
To operationalize security controls.
Question 13 (2 points)
Which of the following guidelines are best practices for the formatting of system security procedures?
Question 13 options:
All listed choices are correct.
Use a common format that starts with title, purpose, scope, responsibility, and applicability of the procedure.
Include (a) the date of creation or last modification, (b) name and signature of the individual responsible for the procedure, and (c) name and signature of the system owner.
Use lists, bullet points, graphs, tips, and reminders.
Question 14 (2 points)
What is a security procedure?
Question 14 options:
Step-by-step instructions for selecting security controls and creating security control baselines for a system.
None of the listed choices are correct.
A document which provides user instructions for secure use of an information system.
Step-by-step planning instructions for the application of security controls to a system.
Question 15 (2 points)
Lack of consistency in implementation of security controls is a consequence of _____.
Question 15 options:
missing system security plans
inexperienced systems administrators
security controls failure
not having documented procedures
Question 16 (3 points)
What is the purpose of security controls testing?
Question 16 options:
To identify attack vectors.
To determine if the implemented security controls are effective in protecting an information system.
To meet organizational goals and objectives.
To ensure continuity of operations plans will operate as intended.
Question 17 (3 points)
A security test plan must include procedures for immediate response and resolution for which of the following events?
Question 17 options:
Overtime required to complete testing on schedule.
Documentation errata.
All listed choices are correct.
Evidence of criminal wrongdoing, pornography, or malware.
Question 18 (3 points)
A ___ risk system’s certification testing involves a checklist-based security review.
Question 18 options:
High
Low
Standard
Moderate
Question 19 (3 points)
Which of the following should be used to tailor system authorization activities?
Question 19 options:
attack surface and identified common vulnerabilities for the operating system
Confidentiality, integrity, and availability requirements for the system
external threats and threat actors
availability of assessors and other testing personnel
Question 20 (3 points)
Which of the following risk levels would include regression testing and penetration testing as part of the system certification testing effort?
Question 20 options:
Moderate
Standard
Moderate and High
High
Question 21 (3 points)
How do automated tools used by certification testers differ from tools used by hackers or penetration testers?
Question 21 options:
Certification Test Teams do not use automated tools.
Certification Test Teams write their own tools.
The tools authorized for use by the assessors and certification test teams are modified to ensure they cause no harm to the organization.
The toolkit used by certification testers frequently includes the same tools as used by hackers and penetration testers.
Question 22 (3 points)
The tests for individual security controls are documented in which section of the certification test plan?
Question 22 options:
None of the listed choices are correct.
Appendices
Testing Requirements Section
Testing Approach
Question 23 (3 points)
The security controls test plan is developed using the ____ as a starting point.
Question 23 options:
System Security Plan
Minimum Controls Baseline
Risk Remediation Plan
POA&M
Question 24 (3 points)
Which of the following should detect missing security controls?
Question 24 options:
Security Controls Testing
Documentation review by the Authorizing Official’s Designated Representative
Properly functioning audit logs
Firewalls and Intrusion Detection Systems
Question 25 (3 points)
Security Test and Evaluation is another name for _____.
Question 25 options:
Test Procedures
POA&M
None of the listed choices are correct.
Security Controls Assessment
Question 26 (3 points)
What is the advantage of having a single team responsible for performing all certification tasks including testing?
Question 26 options:
Consistency in task execution
Independence from the system owner’s organization
Independence from the Authorizing Official’s organization
Improved transparency and better oversight of the team’s work
Question 27 (3 points)
When the scope of testing is broad enough, the assessors will be able to determine the _____.
Question 27 options:
None of the listed choices are correct.
correctness of security controls selection processes
adequacy of the risk remediation plan
accuracy and completeness of the system’s security documentation
Question 28 (3 points)
Who is responsible for developing the security controls test plan?
Question 28 options:
Chief System Owner
Common Controls Owner
Certification Testing Team
Authorizing Official’s Designated Representative
Question 29 (3 points)
In the context of NIST SP 800-37 Risk Management Framework, which of the following is true?
Question 29 options:
Steps have tasks.
All listed choices are correct.
Tasks have levels.
Steps are grouped by tiers.
Question 30 (3 points)
Which of the following plans should be evaluated as part of the certification testing?
Question 30 options:
All supporting plans should be evaluated.
Disaster Recovery Plan
Continuity of Operations Plan
Incident Response Plan
Question 31 (5 points)
Security testing personnel for a high-risk system should be _____ in order to maintain appropriate levels of independence.
Question 31 options:
hired under contract by the Approving Authority’s organization
recruited from staff normally assigned to the system owner’s organization
assigned randomly by lottery from all available and qualified IT staff
obtained from outside the approving authority’s organization
Question 32 (5 points)
The risk remediation plan should be integrated with the organization’s _____.
Question 32 options:
Risk Assessment Strategy
Capital Planning Process
Master Scheduling Process
All listed choices are correct.
Question 33 (5 points)
Which of the following system security procedures are “common” procedures intended for use across multiple information systems within an organization?
Question 33 options:
Data Backup
None of the listed choices are correct.
Malicious Software Prevention
Password Compromise
Question 34 (5 points)
A tester is using a shell script to obtain software version numbers as part of a certification test procedure. What type of procedure is this?
Question 34 options:
Demonstration
Observation
Inspection
Test
Question 35 (5 points)
In the context of certification test plans, what is the purpose of the “memoranda of understanding” section?
Question 35 options:
None of the listed choices are correct.
to set forth the agreement between the system owner and the authorizing official as to when and how the system will be tested prior to the system authorization review
to document the memoranda or contracts which specify the work to be done by the certification testing team
to identify and document all memoranda which cover system interconnections, hosted systems, and hosting arrangements