EMT Practice Test

1. Question Content...


Question List

Question1: According to NIST SP 800-37 Rev 2 appendix F, there exists several types of authorization decisions including all of the following except one.
Response:

Question2: What are the FIPS Publication 199 defined 3 levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability)? Response:

Question3: The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).
Response:

Question4: A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.
Response:

Question5: What does RTM stand for?
Response:

Question6: What is verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
Response:

Question7: What publication provides a wide range of security controls as a basis for mitigation measures?
Response:

Question8: What is the purpose of the assess step?
Response:

Question9: Which of the following system security policies is used to address specific issues of concern to the organization?
Response:

Question10: The Security Category that guards against the improper modification or destruction of information and includes ensuring information non-repudiation & authenticity.
Response:

Question11: What is the purpose of a Privacy impact assessment?
Response:

Question12: The RMF Step and task where a Continuous Monitoring strategy that monitors the effectiveness of the selected security controls is created.
Response:

Question13: The monitoring frequency for each security control is based on which of the following?

Question14: According to NIST SP 800-39, Managing Information System Risk, when an organization responds to risk by eliminating the activity or technology that are the basis for the risk, that organization is (accepting risk, avoiding risk, transferring risk, mitigating risk)? Response:

Question15: The security assessment plan is prepared to provide the Authorizing Official and other organizational officials with a plan of how the security assessment will be conducted. Which roles have the primary responsibility to prepare the security assessment plan? Response:

Question16: What is the purpose of the monitor step?
Response:

Question17: When an ATO is issued, which of the following roles authoritatively accepts residual risk on behalf of the organization?
Response:

Question18: Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation.
Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.
Response:

Question19: Which of the following processes is used to protect the data based on its secrecy, sensitivity, or confidentiality?
Response:

Question20: The registration of the system directly follows which RMF task? Response:

Question21: Which of the following organizational officials have the primary responsibility for putting together the authorization package?
Response:

Question22: One of the main objectives of testing is to avoid ______________ of normal operations.
Response:

Question23: Which of the following is an example of the test assessment Method according to NIST SP 800-
37 Rev 2? Response:

Question24: The Security Content Automation Protocol (SCAP) is a method for which of the following?
Response:

Question25: Certification and Accreditation (C&A or CnA) is a process for implementing information security.
Which of the following is the correct order of C&A phases in a DITSCAP assessment? Response:

Question26: Establishing an overall sensitivity level for an Information System based on the aggregated sensitivity level of all data by CIA; is referred to as the ______________.
Response:

Question27: Under key roles in Continuous Monitoring; the __________ acts under authority of the system owner to monitor security posture of system & immediately reports discrepancies to system owner.
Response:

Question28: A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of policies? Each correct answer represents a complete solution. Choose all that apply.
Response:

Question29: Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Response:

Question30: Significant changes to the environment of operation may trigger an event-driven authorization action which may not be limited to all of the following except one. Choose the exception.
Response:

Question31: What RMF role is primarily responsible for Tasks 1, 2, and 3 in Assessing Security Controls?
Response:

Question32: When an authorization to operate (ATO) is issued, which of the following roles authoritatively accepts residual risk on behalf of the organization?
Response:

Question33: You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year.
Management has asked you to identify the risk events and communicate the event's probability and impact as early as possible in the project.
Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low-level of stakeholder tolerance in this project?
Response:

Question34: During which Risk Management Framework (RMF) step is the system security plan initially approved? Response:

Question35: From a system authorization perspective, why are potential system software patches tested prior to deployment?
Response:

Question36: This is a standard that sets essential requirements for assessing the effectiveness of computer security controls built into a computer system?
Response:

Question37: Who is primarily responsible for the development of the system-specific procedures (ISO, ISSO, IS Architect, Sys Admin)?
Response:

Question38: Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency, or state of affairs? Response:

Question39: What course of action can be taken by a party if the current negotiations fail and an agreement cannot be reached?
Response:

Question40: A security assessment plan comprises of all of the following except one Response:

Question41: All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected best defines:
Response:

Question42: During which RMF step is the system security plan initially approved? Response:

Question43: ___________________ information is defined as any information that the loss, misuse or unauthorized access would adversely affect the national interest or the conduct of federal programs or the privacy to which individuals are entitled.
Response:

Question44: NIST SP 800-53 describes a family of controls as:
Response:

Question45: Security control assessors can reuse past assessment results to satisfy the annual FISMA security assessment requirement provided the assessment results are:
CHOOSE ALL THAT APPLY
Response:

Question46: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset best describes Response:

Question47: The authorizing official may determine that additional information supporting the authorization package is needed. The additional documentation may include all but one of the following.
Response:

Question48: During the security impact analysis vulnerabilities were uncovered in the information system.
Which of the following documents should address the outstanding items? Response:

Question49: This process is used to determine if the security controls in the information system continue to be effective over time in light of the inevitable changes that occur in the system as well as the environment in which the system operates between authorization decisions.
Response:

Question50: The RMF Step and task where the Categorization of the information and IS is done and results documented in the Security Plan (SP) Response:

Question51: Which of the following are the common roles with regard to data in an information classification program?
Each correct answer represents a complete solution. Choose all that apply.
Response:

Question52: Which of the following are the tasks performed by the owner in the information classification schemes? Each correct answer represents a part of the solution. Choose three.
Response:

Question53: Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems? Response:

Question54: The FISMA defines three security objectives for information and information systems:
Response:

Question55: What are the three classifications for security controls for information systems? Response:

Question56: During information system continuous monitoring you have to monitor changes in the machine elements of the system such as computer elements and data stored in hardware - typically in read only memory (ROM) or programmable read only memory (PROM) - such that the programs and data cannot be dynamically written or modified during execution of the programs.
What is the name of such and element?
Response:

Question57: The primary responsibility to select control assessors rests on which roles? Response:

Question58: Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency.
Response:

Question59: An effective security control monitoring strategy for an information system includes Response:

Question60: Overlays can be implemented as part of control tailoring after the completion of what process?
Response:

Question61: Which of the following statements reflect the 'Code of Ethics Canons' in the '(ISC)2 Code of Ethics'? Each correct answer represents a complete solution. Choose all that apply.
Response:

Question62: Which NIST special publication is the guide on continuous monitoring? Response:

Question63: What is the system development life cycle phase for step six of the RMF for an existing system?
Response:

Question64: The term __________ relates to the system as a whole where as Sensitivity relates to the data that the system processes.
Response:

Question65: What are the responsibilities of a system owner?
Each correct answer represents a complete solution. Choose all that apply.
Response:

Question66: Which of the following is a 1996 United States federal law, designed to improve the way the federal government acquires, uses, and disposes information technology? Response:

Question67: The security category of information 1 is determined to be: Confidentiality, low; Integrity, moderate; and availability, Moderate. The security category for information 2 is determined to be:
confidentiality, Not Applicable, Integrity, Low; and availability, Moderate. What is the overall security category? Response:

Question68: Which of the following is NOT a phase of the security certification and accreditation process?
Response:

Question69: Testing officials should use which NIST publication as guide for developing test procedures?
Response:

Question70: Which of the following is a risk that is created by the response to another risk? Response:

Question71: An effective continuous monitoring program can be used to Response:

Question72: Which organizational official is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system? Response:

Question73: Which of the following are "not" a phase of the NIST Risk Management Framework? Response:

Question74: National Institute of Standards and Technology (NIST) guidance classifies security controls as Response:

Question75: Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Which of the following are the international information security standards? Each correct answer represents a complete solution. Choose all that apply.
Response:

Question76: Which of the following individuals is responsible for preparing and submitting security status reports to the organizations?
Response:

Question77: You are working as a project manager in your organization. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control? Response:

Question78: A differential backup stores files that were created or modified since the last full backup.
Therefore, if a file is changed after the previous full backup, a differential backup will save the file each time until the next full backup is completed.
The differential backup takes less time to complete then a full backup. Restoring from a differential backup may require less media than an incremental backup because only the full backup and the last differential media would be needed.
As a disadvantage, differential backups take longer to complete than incremental backups because the amount of data since the last full backup increases each day until the next full backup is executed.
Response:

Question79: Common control providers have the responsibility for development, implementation, assessment, and monitoring of common controls. In which document do common control providers document common controls?
Response:

Question80: _________________________ management offers a structured approach to managing, approving, and documenting changes affecting an IS; critical to continuous assessment of security posture of IS.
Response:

Question81: One of the inputs to the risk determination task is the employment of risk assessments to provide information that may influence the risk analysis and risk determination. What publication provides guidance on conducting risk assessments?
Response:

Question82: The person primarily responsible for RMF Step 1, Categorization.
Response:

Question83: What is the four-step security categorization process?
Response:

Question84: Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system? Response:

Question85: A passive technique that monitors network communication, decodes protocols, and examines headers and payloads for information of interest. It is both a review technique and a target identification and analysis technique.
Response:

Question86: True or False. Impacts of changes should be known in advance so that appropriate actions can be taken before vulnerabilities are experienced.
Response:

Question87: Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?
Response:

Question88: Can a value of not applicable be assigned to any security objective in the context of establishing a security category for an information system.
Response:

Question89: Why is security control volatility an important consideration in the development of a security control monitoring strategy?
Response:

Question90: In which step of the NIST SP 800-30 Risk Assessment process are vulnerabilities paired with threats? Response:

Question91: What are the three tools necessary for managing the inventory program? Response:

Question92: Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
Response:

Question93: Developmental testing and evaluation is a type of control Assessment and its activities include the following except one.
Response:

Question94: The Organization Level (Tier 1) strategy addresses/requires........
Response:

Question95: An occurrence that actually jeopardizes the CIA of an information system or the information system processes that stores or transmits information or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Response:

Question96: The RMF Step and task where the Information System (include system boundary) is described and documented in the Security Plan Response:

Question97: Which of the following objectives are defined by integrity in the C.I.A triad of information security systems? Each correct answer represents a part of the solution. Choose three.
Response:

Question98: You are the project manager for a construction project. The project includes a work that involves very high financial risks. You decide to insure processes so that any ill happening can be compensated. Which type of strategies have you used to deal with the risks involved with that particular work? Response:

Question99: Applying the first three steps in the RMF to legacy systems can be viewed in what way to determine if the necessary and sufficient security controls have been appropriately selected and allocated? Response:

Question100: Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
Response:

Question101: Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of a chart is management asking you to create? Response:

Question102: Which of the following evidences are the collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity/person? Response:

Question103: Which SDLC phase can use the System Authorization package to assist with decommissioning tasks for an IS?
Response:

Question104: What is the 2nd SDLC phase; which maps to the RMF steps 3 & 4 (Implement, Assess)?
Response:

Question105: According to RMF which role has a primary responsibility to report the security status of the information system to the AO & other appropriate organizational officials on an ongoing basis IAW monitoring strategy (ISSO, CCP, ISSM, AO)?
Response:

Question106: Which RMF role can be appointed at the discretion of the Approving/Authorization Authority?
Response:

Question107: The emphasis of the revised NIST SP 800-37 process is on.............
Response:

Question108: A security control for an information system that has not been designated as a common control or the portion of a hybrid control that is to be implemented within an informational system is referred to as a...
Response:

Question109: An environmentally conditioned workspace that is partially equipped with information systems and telecommunications equipment to support relocated operations in the event of a significant disruption.
Response:

Question110: Which of the following is NOT a responsibility of a data owner? Response:

Question111: What is the system development life cycle phase for step six of the RMF for a new system?
Response:

Question112: The registration of the system directly follows which Risk Management Framework (RMF) task?
Response:

Question113: What is the first step in the process of implementing an Information Security Continuous Monitoring (ISCM)?
Response:

Question114: Which of the following statements about the authentication concept of information security management is true?
Response:

Question115: Which NIST SP 800 series document is concerned with continuous monitoring of Federal Information Systems & organizations?
Response:

Question116: When attempting to categorize a system, which two RMF starting point inputs should be accounted for? Response:

Question117: Which organization is responsible for procurement, development, integration, modification, operation, maintenance, and disposal of an Information System?
Response:

Question118: You are the project manager for the NHH project.
You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks.
What risk identification approach are you using in this example?

Question119: Which of the following documents can be best aid in selecting controls to be monitored?
Response:

Question120: Which of the following is a temporary approval to operate based on an assessment of the implementation status of the assigned IA Controls?
Response:

Question121: FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls are tested and reviewed?
Response:

Question122: NIST 800-53 identifies continuous monitoring as which of the following security control?
Response:

Question123: What is the comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Response:

Question124: According to NIST SP 800-37 Rev 2, What is step five of the Risk Management Framework (RMF) process?
Response:

Question125: Which of the following in an assessment plan protects the security control assessment team from liability should the security control assessment result in unforeseen damage? Response:

Question126: The Information system owner should strive to test every control at least every ___ years & most critical controls continuously.
Response:

Question127: Governing document that provides a comprehensive, rigorous method for specifying security function and assurance requirements for products and systems.
Response:

Question128: Although system authorization is important; obtaining ATO is not the end; continuous monitoring provides ______________ that an information system remains secure following accreditation.
Response:

Question129: What are five primary roles associated with the system authorization program? Response:

Question130: Common activities within organizations can cause changes to systems or the environments of operation and can have significant impact on the security posture of systems. Which of the following is an example of change in an environment of operation? Response:

Question131: When an authorization to operate is issued, which of the following roles authoritatively accepts residual risk on behalf of the organization?
Response:

Question132: Step 7 of the risk management framework can be described as:
Response:

Question133: In which of the following phases does the change management process start? Response:

Question134: What type of testing is the Evaluation thru operation, movement, or adjustment under specific conditions to determine control success?
Response:

Question135: A countermeasure or safeguard that is implemented in an informational system in part as a common control and in part as a system-specific control Response:

Question136: A full backup captures all files on the disk or within the folder selected for backup. Because all backed-up files are recorded to a single media or media set, locating a particular file or group of files is simple. In addition, full backups of files that do not change frequently (such as system files) could lead to excessive, unnecessary media storage requirements.
Response:

Question137: Which of the following NIST documents includes components for penetration testing? Response:

Question138: Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred understands that once the quantitative risk analysis process is complete, the process will need to be completed again in at least two other times in the project.
When will the quantitative risk analysis process need to be repeated? Response:

Question139: What role is an agency official responsible for providing advice & other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that IT is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency? Response:

Question140: What will provide a mechanism for evaluating the functions the subsystems perform, interfaces with other subsystems and connections with other information systems, and how they have an impact on other subsystems and permit update of the system design and incorporation in the security plan.
Response:

Question141: Risk acceptance when the external subsystem owner or service provider cannot fully meet security expectations should be based on the implementation of........
Response:

Question142: According to FISMA and OMB policy, external subsystems are required to meet the same security requirements as systems operated internally....................
Response:

Question143: The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries).
Response:

Question144: POAM update frequency is at discretion of System Owner but should be frequent enough to provide an accurate status of progress in remediation.
Response:

Question145: System authorization programs are marked by frequent failure due to, among other things, poor planning, poor systems inventory, failure to fix responsibility at the system level, and Response:

Question146: Which reference document describes the contents of a Plan of Action and Milestone (POA&M) updating and replacing OMB M 02-01?
Response:

Question147: Which of the following techniques are used after a security breach and are intended to limit the extent of any damage caused by the incident?
Response:

Question148: The purpose of security controls testing is to evaluate the _________________ of the security controls protecting an information system.
Response:

Question149: A discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario.
This best defines a...
Response:

Question150: Security testing that involves direct interaction with a target, such as sending packets to a target.
Response:

Question151: Which RMF role needs to be aware of id of new threats, evolving risks, changes in data sensitivity/criticality and changes in operating environment; to make conscious decision on whether system needs to re-certify.
Response:

Question152: Which of the following publications serves as a guide for the selection of security controls?
Response:

Question153: What is the process of determining the security category for information or an information system per methodologies described in CNSS instruction 1253 for national security systems and in FIPS
199 for other than national security systems?
Response:

Question154: A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.
Response:

Question155: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Response:

Question156: Which Certification Level of Effort is indicated by checklist-based, independent security review that includes; interviews, policy/procedure reviews, operations observation? Response:

Question157: Which of the following NIST documents defines impact?
Response:

Question158: Adrian is the project manager of the NHP Project. In her project there are several work packages that deal with electrical wiring. Rather than to manage the risk internally she has decided to hire a vendor to complete all work packages that deal with the electrical wiring. By removing the risk internally to a licensed electrician Adrian feels more comfortable with project team being safe.
What type of risk response has Adrian used in this example? Response:

Question159: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Response:

Question160: Ongoing authorizations and reporting can be time- and event-driven. Which official has the primary responsibility for ongoing authorizations?
Response:

Question161: Who has the authority to divide a complex system in order to establish realistic security authorization boundaries?
Response:

Question162: You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process.
You will need all of the following as inputs to the qualitative risk analysis process except for which one? Response:

Question163: Any deviations from the Security Assessment plan should be________? Response:

Question164: Which role in the security authorization process is responsible for organizational information systems? Response:

Question165: You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?
Response:

Question166: Which of the following processes provides a standard set of activities, general tasks, and a management structure to certify and accredit systems, which maintain the information assurance and the security posture of a system or site?
Response:

Question167: What does SC stand for regarding Information Types?
Response:

Question168: In which type of access control do user ID and password system come under? Response:

Question169: A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function best defines which of the following?
Response:

Question170: The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation? Each correct answer represents a complete solution. Choose all that apply.
Response:

Question171: The implementation of the Assessment and the authorization process is an example of what type of risk response?
Response:

Question172: What RMF artifact establishes the scope of protection for an IS and encompass people, process, and info tech that are part of the system?

Question173: The objective of status reporting & documentation is to ensure the Information System Owner updates the ____________ __________ and the POAM and that the security status is reported to the AO.
Response:

Question174: Which of the following guidance documents is useful in determining the impact level of a particular threat on agency systems?
Response:

Question175: Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation.
Response:

Question176: Guarding against improper information modification or destruction, and includes ensuring information non- repudiation and authenticity.
Response:

Question177: Which of the following tasks are identified by the Plan of Action and Milestones document? Each correct answer represents a complete solution. Choose all that apply.
Response:

Question178: Which of the following statements are true about security risks? correct answer represents a complete solution. Choose three.
Response:

Question179: Which of the following statements is true about residual risks? Response:

Question180: Information System and Environment Changes, determine the security impact of proposed or actual changes to the information system and its environment of operation; is Task _____ in RMF Step 6, monitoring of controls.
Response:

Question181: A certain security principle provides assurance that data has not been modified, tampered with or corrupted through unauthorized or unintended changes. Data can be a message, a file, or data within a database.
Which security principle ensures data accuracy?
Response:

Question182: What is the purpose for scoping guidance?
Response:

Question183: NIST SP 800-39 requires that the Security Control Assessor's findings should be:
Response:

Question184: Security Test and Evaluation (ST&E) is a component of risk assessment. It is useful in discovering system vulnerabilities. For what purposes is ST&E used?
Each correct answer represents a complete solution. Choose all that apply.
Response:

Question185: Which of the following assessment methods is used to review, inspect, and analyze assessment objects? Response:

Question186: Security categorization of an National Security System must consider the security categories of all information types resident on it.
Response:

Question187: In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199.
What levels of potential impact are defined by FIPS 199?
Each correct answer represents a complete solution. Choose all that apply.
Response:

Question188: What does avoidance mean with respect to risk response?
Response:

Question189: Your project has several risks that may cause serious financial impact should they happen. You have studied the risk events and made some potential risk responses for the risk events but management wants you to do more. They'd like for you to create some type of a chart that identified the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart? Response:

Question190: An event or situation that has the potential for causing undesirable consequences or impact.
Response:

Question191: Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster.
Response:

Question192: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Response:

Question193: Which one of the following publications provides details of the monitoring security control?
Response:

Question194: The tiers of the National Institute of Standards and Technology (NIST) risk management framework are Response:

Question195: Which of the following control families belongs to the management class of security controls?
Response:

Question196: Which of the following specifies security requirements for federal information and information systems in 17 security-related areas that represent a broad-based, balanced information security program? Response:

Question197: Subsequent to a security breach, which of the following techniques are used with the intention to limit the extent of damage caused by the incident?
Response:

Question198: An effective continuous monitoring program can be used to meet the ___________ publication's requirements for security risk assessment Response:

Question199: An organizational official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal is known as the:
Response:

Question200: Which of the three-tiered approaches to risk management address risk at the IS security control level & their allocation?
Response:

Question201: The publication that has the Standards for Security Categorization of Federal Information and Information Systems.
Response:

Question202: To help review or design security controls, they can be classified by several criteri

Question203: What would be the impact level due to the loss of CIA that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations or the nation?
Response:

Question204: What is included in a POA&M that is presented to the Approving Authority as part of the initial authorization package?
Response:

Question205: Which of the following access control models uses a predefined set of access privileges for an object of a system?
Response:

Question206: What are the four business areas of BRM?
Response:

Question207: When an AO submits the security authorization decision, what responses should the ISO expect to receive?
Response:

Question208: Which of the following relations correctly describes total risk? Response:

Question209: Not all deficiencies in controls or lack of security protections are vulnerabilities. Vulnerabilities in control can be defined as:
Response:

Question210: The transfer of risk is one of the five risk treatment methods pointed out in NIST 800-37 Rev 2.
Choose an example of risk transfer from the following options.
Response:

Question211: What is the objective of the Security Accreditation Decision task? Response:

Question212: Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Response:

Question213: An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
Response:

Question214: The change control board team at Colvine Tech has determined the security impact of proposed changes to an application, what would be the team's next action? Response:

Question215: What are information system?
Response:

Question216: Which of the following is a subset discipline of Corporate Governance focused on information security systems and their performance and risk management?
Response:

Question217: A key part of the risk-based decision process is the recognition that regardless of the risk response, There remains some risks known as:
Response:

Question218: Which of the following terms related to risk management represents the estimated frequency at which a threat is expected to occur?
Response:

Question219: In which of the RMF phases (task 3) is the conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk and outstanding items in the POA&M and milestones.
Response:

Question220: The official primarily responsibility for security of an Info System; who establishes sensitivity level and types of controls required to protect the IS and initiates system authorization activities.
Response:

Question221: NIST SP 800-37 comports under OMB Circular A-130; but it was developed by NIST under what authority; which is PL 107-347?
Response:

Question222: A SCAP specification that provides unique, common names for publicly known information system vulnerabilities.
Response:

Question223: What is Step 6?
Response:

Question224: Which of the following acts promote a risk-based policy for cost effective security? Each correct answer represents a part of the solution. Choose all that apply.
Response:

Question225: The risk transference is referred to the transfer of risks to a third party, usually for a fee, it creates a contractual-relationship for the third party to manage the risk on behalf of the performing organization. Which one of the following is NOT an example of the transference risk response?
Response:

Question226: Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing. Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request?
Response:

Question227: You are responsible for network and information security at a metropolitan police station. The most important concern is that unauthorized parties are not able to access dat

Question228: Which of the following governance bodies directs and coordinates implementations of the information security program?
Response:

Question229: Which NIST SP series document is concerned with continuous monitoring for federal information systems and organizations?
Response:

Question230: The process by which a security control baseline is modified based on: (i) the application of scoping guidance; (ii) the specification of compensating security controls, if needed; and (iii) the specification of organization-defined parameters in the security controls via explicit assignment and selection statements.
Response:

Question231: When carrying out ongoing risk response, the effectiveness of new, modified, enhanced, or added controls must be...
Response:

Question232: Which of the following is NOT an objective of the security program? Response:

Question233: FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?
Response:

Question234: The potential impact is moderate if-The loss of confidentiality, integrity, or availability could be expected to have a..........................
Response:

Question235: The System Owner (SO) of Colvine Tech is implementing a new system in the organization's Information Technology (IT) environment. What objectives are considered when determining possible impact to risk? Response:

Question236: Where can a project manager find risk-rating rules?
Response:

Question237: When SCA conducted assessments are conducted in parallel with system
development/acquisition & implementation; it "does not" permit early identification of weaknesses
& cost-effective corrective action; True or False?
Response:

Question238: During which RMF step is the system security plan (SP) approved? Response:

Question239: Failure to authorize an operational system to process demonstrates that management has not exercised due care in protecting the system in the event of a security incident. Which of the following Acts has been violated?
Response:

Question240: In what phases of the Risk Management Framework (RMF) and system development life cycle (SDLC), respectively, does documentation of control implementation start? Response:

Question241: The authorization boundary of a system undergoing assessment comprises of:
Response:

Question242: When determining the applicability of a specific security control, the security professional should utilize which type of guidance?
Response:

Question243: Which FIPS publication specifies security requirements for federal information and information systems in 17 security related areas that represent a broad-based, balanced information security program? Response:

Question244: An organizational official responsible for the development, implementation, assessment, and monitoring of security controls inherited by information systems is called...
Response:

Question245: Change management is initiated under which phase?
Response:

Question246: Step 6 of the risk management framework can be described as:
Response:

Question247: The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.
Response:

Question248: When an authorizing official (AO) submits the security authorization decision, what responses should the information system owner (ISO) expect to receive?
Response:

Question249: Which of the following is the acronym of RTM?
Response:

Question250: The level of assessor independence is determined based on applicable laws, executive orders, directives, regulations, policies, or standards. Who determines the level of assessor independence? Response:

Question251: Which of the following statements correctly describes DIACAP residual risk? Response:

Question252: Which of the following is not a risk factor as stated in NIST SP 800-37? Response:

Question253: According to NIST SP 800-39, when an organization responds to risk by eliminating the activities or technologies that are the basis for the risk, that organization is Response:

Question254: An authentication method uses smart cards as well as usernames and passwords for authentication. Which of the following authentication methods is being referred to? Response:

Question255: An agreement that allows two organizations to back up each other.
Response:

Question256: Which RMF role establishes risk management roles and responsibilities and provides advice and relevant information to authorizing officials concerning the risk management strategy to guide authorization decision making.
Response:

Question257: Which of the following are the types of access controls? Each correct answer represents a complete solution. Choose three.
Response:

Question258: You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis? Response:

Question259: Interrelationships of system authorization processes.
Response:

Question260: The RMF Step and task where the security controls are selected and documented in the Security Plan.
Response:

Question261: A level of collaboration may be required between security and privacy control assessors with respect to controls that implemented to achieve both security and privacy objectives. Assessor findings must be:
Response:

Question262: Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state? Response:

Question263: What is FIPS 199?
Response:

Question264: What publication provides a structured process (RMF) to fully integrate information security and risk management activities into the SDLC in a disciplined fashion? Response:

Question265: Updating the security plan, security assessment report, and POAM based on results of the continuous monitoring process is what task in RMF Step 6, Monitor.
Response:

Question266: For inherited controls, the type of authorization that the system owner would expect from the authorizing official is:
Response:

Question267: Where can you find guidance for registering information systems in the organization system inventory? Response:

Question268: Which NIST SP describes various sensitivity rankings for federal systems; Guide for Developing Security Plans for Federal Info Systems?
Response:

Question269: The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the baselines described in NIST Special Publication 800-53 and CNSS Instruction 1253, that provide equivalent or comparable protection for an information system.
Response:

Question270: Authentication ensures that system users are who they say the are. At Colvine Tech, a system user must prove identity by providing an email address, a password, and answer a security question before being given logical access What factor of authentication fits this requirement?
Response:

Question271: What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected? Response:

Question272: Which of the following best defines a general support system? Response:

Question273: Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.
Response:

Question274: NIST SP 800-37 defines this role as an organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems).
Response:

Question275: What is NIST SP 800-37 R1?
Response:

Question276: The security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, and firmware components of the system are known as Response:

Question277: BS 7799 is an internationally recognized ISM standard that provides high level, conceptual recommendations on enterprise security. BS 7799 is basically divided into three parts. Which of the following statements are true about BS 7799? Each correct answer represents a complete solution. Choose all that apply.
Response:

Question278: According to NIST SP 800-37 Rev 2, step 5 of the risk management framework can be described as:
Response:

Question279: Security testing conducted from inside the organization's security perimeter.
Response:

Question280: Who is the official with the authority to formally assume responsibility for operating an IS at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.
Response:

Question281: Which of the following provides instructions for annual FISMA reporting and emphasizes monitoring the security state of information systems on an ongoing bases with a frequency sufficient to make ongoing, risk-based decisions?
Response:

Question282: If a "war-stopper" is found; testing should be immediately halted until the issue is resolved; what is a war-stopper?
Response:

Question283: One of the primary goals in conducting analysis of the test results from a scan during Security Control Assessment (SCA) is to Response:

Question284: Which of the following are the objectives of the security certification documentation task? Each correct answer represents a complete solution. Choose all that apply.
Response:

Question285: What's another term that is synonymous with a common control? Response:

Question286: Which of the following details best define an independent assessor? Response:

Question287: Ensuring timely and reliable access to and use of information. SP 800-53; SP 800-53A; CNSSI-
4009; SP 800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec.
Response:

Question288: Colvine-Tech hardware (10 computers) are located in a single computer room and access to the room is permitted only to the few system users who have the required privileges. To access the computer room which is restricted by door locks, proximity cards and personal identification pins are required. Relative to the hardware in the computer room, the doorlock and the PIN are examples of what type of security control?
Response: