35 Cards in this Set
Front: Which of the following are the Security Objectives?
a) Confidentiality, Integrity, and Assurance b) Confidentiality and Assurance c) Availability, Integrity and Confidentiality d) Confidentiality, Impact, and Availability
Back: c) Availability, Integrity and Confidentiality

Front: In which System Development Life Cycle phase does certification testing begin?
a) Initiation Phase b) Development Phase c) Certification Phase d) Disposition Phase
Back: b) Development Phase

Front: True or False: FISMA and NIST SP 800-37 state that IT systems security needs to be cost-effective and risk-based.
Back: True

Front: If a situation could result in loss of life or serious life-threatening injuries, what would be the potential impact level?
Back: High (see FIPS 199)

Front: The Office of Budget and Management issues what types of documents?
Back: Circulars and Memorandums (OMB Circular A-130, OMB M02-01)

Front: Threat-source motivation and capacity are inputs for what step?
Back: Likelihood Determination (the nature of the vulnerability and the current controls are used to determine the likelihood of the event occurring)

Front: The output of the Likelihood Determination step is the input for what?
Back: Risk Determination (Likelihood and Impact results are used to determine the risk)

Front: NIST issues what types of documents?
Back: Special Publications (SP) and FIPS

Front: Ego, curiosity, revenge, errors and omissions, and intelligence or monetary gain are motivators for what type of threat-source?
Back: Insider Threat (the only one that is motivated by errors and omissions)

Front: Which document should be completed at the completion of a risk assessment effort?
Back: Risk Assessment Report (RAR)

Front: Which publication provides guidance on firewalls?
Back: SP 800-41

Front: Which NIST publication describes how to tell if a system is an NSS?
Back: SP 800-59

Front: Which publication provides guidance on HIPAA?
Back: SP 800-64

Front: Which publication provides guidance on building an SSP?
Back: SP 800-18

Front: Which magnitude-of-impact analysis is based on intangible data?
Back: Qualitative

Front: How many steps are in the risk assessment process described in SP 800-30?
Back: 9

Front: CNSSI-1253 is formatted to align with which document?
Back: SP 800-53

Front: Which document is most used in RMF Step 2?
Back: FIPS-200

Front: Which document is most used in RMF Step 1?
Back: SP 800-60

Front: Which document is most used in RMF Step 4?
Back: SP 800-53A

Front: Which document is most used in RMF Step 3?
Back: SP 800-53

Front: Which document is most used in RMF Step 5?
Back: SP 800-37

Front: Which document is most used in RMF Step 6?
Back: SP 800-53A

Front: Which document provides the description of the controls for the system?
Back: SP 800-53

Front: Who is responsible for the day-to-day security operations of a system?
Back: ISSO

Front: What are the three documents in the Authorization Decision Package?
Back: SSP, SAR, POA&M

Front: PRISMA was based on what?
Back: CSE/CMM (Capability Maturity Model)

Front: How many families of controls are there in SP 800-53, rev 3?
Back: 18 (under the Management class of controls: Program Management)

Front: Who provides overall corporate risk guidance?
Back: Risk Executive

Front: What is CCEVS?
Back: Common Criteria Evaluation and Validation Scheme (a partnership between the public and private sectors to produce evaluated products)

Front: PRISMA was developed by whom?
Back: NIST

Front: Who is responsible for putting the Authorization Decision Package together?
Back: Information System Owner

Front: What provides quantified levels of impact for RMF analysis?
Back: BIA (Business Impact Analysis)

Front: Who is responsible for conducting the security categorization analysis in the initial RMF step?
Back: Information System Owner

Front: How many RMF steps are in Phase 1 of the original NIST C&A process?
Back: 3 (the first three steps of the RMF are in the Initiation Phase)