What are the five stages of the SDLC?

1 - Initiation
2 - Development/Acquisitions
3 - Implementation
4 - Operations Maintenance
5 - Disposition/Disposal

What are the six steps of the Risk Management Framework (RMF)?

1 - Categorize
2 - Select
3 - Implement
4 - Assess
5 - Authorize
6 - Monitor

What roles and responsibilities can only be occupied by a government employee?

Risk Executive
Chief Information Officer (CIO)
Senior Information Security Officer (SISO)
Authorizing Official (AO)

What are the three parts of Risk Management?

1 - Risk Assessment Methodology
2 - Risk Mitigation
3 - Risk Evaluation and Assessment

What are the nine steps of Risk Assessment Methodology?

1 - System Characterization
2 - Threat identification
3 - Vulnerability Identification
4 - Control Analysis
5 - Likelihood Determination
6 - Impact Analysis
7 - Risk Determination
8 - Control Recommendation
9 - Results Documentation

What are the six Risk Mitigation options?

1 - Risk Assumption
2 - Risk Avoidance
3 - Risk Limitation
4 - Risk Planning
5 - Research and Acknowledgement
6 - Risk Transference

Define the term for the definition below:
applying risk management principles and satisfying compliance requirements; proactive; cost-effective; risk-based; compensating controls

Governance

What are the five keys to a successful Risk Management Program?

1 - Senior management's commitment
2 - Full support and participation of the IT team
3 - Competence of the risk assessment team
4 - User community awareness and cooperation
5 - An ongoing evaluation and assessment of the IT-related mission risks

The Office of Management and Budget (OMB) works directly for? White House Staff

What are the four phases for interconnecting systems?

1 - Planning
2 - Establishing
3 - Maintaining
4 - Disconnecting

What are the six steps to the Planning Phase of Interconnecting Systems?

1 - Establish Joint Planning Team
2 - Define Business Case
3 - Perform C&A
4 - Determine Interconnecting Requirements
5 - Document Interconnection Agreement
6 - Approve or Reject Interconnection

What are the three Control Classes?

Management
Operations
Technical

What are the five families of the Management Class?

1 - Certification, Accreditation, and Security Assessments
2 - Planning
3 - Risk Assessment
4 - System and Services
5 - Program Management

What are the nine families of the Operations Class?

1 - Awareness
2 - Configuration Management
3 - Contingency Planning
4 - Incident Response
5 - Maintenance
6 - Media Protection
7 - Personnel Security
8 - Physical and Environmental Protection
9 - System and Information Integrity

What are the four families of the Technical Class?

1 - Access Control
2 - Audit and Accountability
3 - Identification and Authentication
4 - System and Communication Protection

What are the seven steps in IT Contingency Planning?

1 - Develop Contingency Planning Process
2 - Conduct Business Impact Analysis
3 - Identify Preventative Controls
4 - Develop Recovery Strategies
5 - Develop Contingency Plan
6 - Plan testing, training, and exercises
7 - Plan Maintenance

What are the five steps of the Configuration Management process?

1 - Identify Change
2 - Evaluate Change Request
3 - Implement Decision
4 - Implement
5 - Continuous Monitor

What are the five Maturity Levels?

Level 1 - Policies
Level 2 - Procedures
Level 3 - Implementation
Level 4 - Testing
Level 5 - Integration

What are the outputs for the System Characterization step?

System Boundary
System Functions
System and Data Criticality
System and Data Sensitivity

What is the output for the Threat Identification step? Threat Statement

What is the output for the Vulnerability Identification step? List of Potential Vulnerabilities

What is the output for the Control Analysis step? List of Current and Planned Controls

What is the output for the Likelihood Determination step? Likelihood Rating

What is the output for the Impact Analysis step? Impact Rating

What is the output for the Risk Determination step? Risks and Associated Risk Level

What is the output for the Control Recommendation step? Recommended Controls

What is the output for the Results Documentation step? Risk Assessment Report (RAR)

What are the input(s) for the System Characterization step?

hardware
software
system interfaces
data and info
people
system mission

What are the input(s) for the Threat Identification step?

history of system attacks
data from FedCIRC, intelligence agencies, NIPC, OIG, mass media, etc.

What are the input(s) for the Vulnerability Identification step?

reports from prior risk assessments
audit comments
security requirements
security test results

What are the input(s) for the Control Analysis step?

current controls
planned controls

What are the input(s) for the Likelihood Determination step?

threat-source motivation
threat capacity
nature of vulnerability
current controls

What are the input(s) for the Impact Analysis step?

mission impact analysis
asset criticality assessment
data criticality
data sensitivity

What are the input(s) for the Risk Determination step?

likelihood of threat exploitation
magnitude of impact
adequacy of planned or current controls

NIST falls under which department of the government? Department of Commerce

NIST SP 800-27 covers what? Engineering Principles for IT Security

NIST SP 800-34 covers what? Contingency Planning Guide for IT Systems

NIST SP 800-39 covers what? Managing Risk from Information Systems

NIST SP 800-40 covers what? Creating a Patch and Vulnerability Management Program

NIST SP 800-41 covers what? Guidelines on Firewalls and Firewall Policy

NIST SP 800-47 covers what? Security Guide for Interconnecting IT Systems

NIST SP 800-50 covers what? Building an IT Security Awareness and Training Program

NIST SP 800-55 covers what? Performance Measurement Guide for Information Security

NIST SP 800-65 covers what? Recommendation for Integrating Information Security into the
Capital Planning and Investment Control Process (CPIC)

NIST SP 800-83 covers what? Guide to Malware Incident Prevention and Handling

NIST SP 800-88 covers what? Guidelines for Media Sanitization

NIST SP 800-92 covers what? Guide to Computer Security Log Management

NIST SP 800-100 covers what? Information Security Handbook: A Guide for Managers

NIST SP 800-115 covers what? Technical Guide to Information Security Testing and Assessment

NIST SP 800-122 covers what? 'DRAFT' Guide to Protecting the Confidentiality of PII

What are the six stages for Incident Response?

1 - Preparation
2 - Detection
3 - Containment
4 - Eradication
5 - Recovery
6 - Post-Incident

Step 5 of the RMF falls within which stage of the SDLC? Implementation

What task is prepared at the beginning of Step 5? Plan of Action and Milestones (POA&M)

A security authorization plan contains what three key documents?

Security Plan
Security Assessment Report
POA&M

Which report provides the authorizing official and other senior leaders essential information with
regard to the security state of the information system, including the effectiveness of deployed security
controls?

Security Status Reports

What are the types of Security Status Reports?

Event-driven
Time-driven
Both

By carrying out ongoing _______ and ________, authorizing officials can maintain the security
authorization over time. Risk Determination and Risk Acceptance

Determining how the changing conditions affect the mission or business risks associated with the
information systems is essential for maintaining what?

Adequate Security

What is the FIPS 200? Minimum Security Requirements for Federal Information and
Information Systems

The FIPS 200 minimum security requirements cover what? They cover the 17 security-related areas
with regard to protecting the confidentiality, integrity, and availability of federal information and
information systems and the information processed, stored, and transmitted by those systems.

What is the NIST SP 800-59 used for? Guideline for Identifying an Information System as a
National Security System

What is the term used for a system whose function, operation, or use involves intelligence
activities; cryptologic activities related to national security; equipment that is an integral part of a
weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions?

National Security System

If there is a dispute between the system owner and the agency as to whether the system is critical to
the direct fulfillment of military or intelligence missions, to whom does either party need to submit the
issue? CNSS and OMB

What is defined as a function of the likelihood of a given threat-source's exercising a particular
potential vulnerability, and the resulting impact of that adverse event? Risk

What are the different types of gathering techniques for Step 1 of the Risk Assessment Process?

Questionnaires
On-site Interviews
Document Review
Use of Automated Scanning Tools

What are the different types of threat-sources?

Hacker/Cracker
Computer Criminal
Terrorist
Industrial Espionage
Insiders

What is the CNSSI 1253 used for?

Security Categorization and Control Selection for National Security Systems

What is the three-step process for selecting security controls for a national security system?

Step 1 - Select the initial set of security controls
Step 2 - Tailor the initial set of security controls
Step 3 - Supplement the tailored set of security controls

As per the NIST SP 800-100 what are the six steps of the Risk Assessment Process?

Step 1 - System Characterization
Step 2 - Threat Identification
Step 3 - Vulnerability Identification
Step 4 - Risk Analysis (Control Analysis, Likelihood Determination, Impact Analysis, Risk
Determination)
Step 5 - Control Recommendation
Step 6 - Results Documentation

What is the seven-step approach to risk mitigation?

1 - Prioritize actions
2 - Evaluate recommended control options
3 - Conduct cost-benefit analysis
4 - Select controls
5 - Assign responsibilities
6 - Develop a safeguard implementation plan
7 - Implement selected controls

As per NIST SP 800-37, what are the four phases of the C&A process?

Initiation
Certification
Accreditation
Continuous Monitoring

What are the six phases of the Information Security Services Life Cycle?

1 - Initiation
2 - Assessment
3 - Solution
4 - Implementation
5 - Operations
6 - Closeout

What are the six categories of an Information Security Service?

1 - Strategic/Mission
2 - Budgetary/Funding
3 - Technical/Architectural
4 - Organizational
5 - Personnel
6 - Policy/Process

What are the four steps for Incident Response?

1 - Preparation
2 - Detection and Analysis
3 - Containment, Eradication, and Recovery
4 - Post-Incident Activity

What is the five-step Configuration Management Process?

1 - Identify Change
2 - Evaluate Change Request
3 - Implementation Decision
4 - Implement Approved Change Request
5 - Continuous Monitoring