Exam

FITSP-A Module 4 Questions and Answers (Graded A)

Pages
9
Grade
A+
Uploaded on
10-04-2023
Written in
2022/2023

1. List the 3 security objectives under FISMA.
   a) Confidentiality, Integrity, Authentication
   b) Confidentiality, Integrity, Availability
   c) Containment, Integrity, Availability
   d) Confidentiality, Impact, Availability
   Answer: b) Confidentiality, Integrity, Availability
   FISMA 2002, Section 3542 states: "The term 'information security' means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity...; confidentiality...; and availability..."
   Incorrect answers: The other choices include terms that are not security objectives.

2. FIPS 199 standards apply to which types of systems?
   a) Unclassified Systems
   b) Classified Systems
   c) Financial Systems
   d) All Systems
   Answer: a) Unclassified Systems and c) Financial Systems
   FIPS Pub 199 states: "These standards shall apply to: (i) all information within the federal government other than that information that has been determined ... to require protection against unauthorized disclosure and is marked to indicate its classified status; and (ii) all federal information systems other than those information systems designated as national security systems."
   Incorrect answers: Per the quote above, FIPS Pub 199 does not apply to systems with classified information. It also does not apply to national security systems.

3. Where are security controls documented?
   a) System Security Plan
   b) Risk Assessment
   c) Business Impact Assessment
   d) Privacy Impact Assessment
   Answer: a) System Security Plan
   NIST SP 800-37r1 defines the System Security Plan as a "Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements."
   Incorrect answers: The other three choices are assessments conducted as part of the RMF process, but they do not contain the security controls. The BIA is used in contingency planning, the PIA in systems that contain PII, and the risk assessment for all systems.

4. What is the correct order of the Risk Management Framework process?
   a) Categorize, Select, Implement, Assess, Authorize, Monitor
   b) Assess, Categorize, Select, Implement, Authorize, Monitor
   c) Assess, Categorize, Authorize, Select, Implement, Monitor
   d) Select, Assess, Categorize, Authorize, Implement, Monitor
   Answer: a) Categorize, Select, Implement, Assess, Authorize, Monitor
   NIST SP 800-37r1, pp. 7-8, delineates the steps in the RMF as Categorize, Select, Implement, Assess, Authorize, Monitor.
   Incorrect answers: The other choices have the incorrect name for at least one step.

5. After the information and information system security categorization is completed, which publication specifies the minimum security requirements for the determined security category?
   a) SP 800-37
   b) FIPS 200
   c) SP 800-53
   d) SP 800-122
   Answer: b) FIPS 200
   NIST SP 800-53r4 states: "Security categorization of federal information and information systems, as required by FIPS Publication 199, is the first step in the RMF. Next, organizations select the appropriate security control baselines for their information systems by satisfying the minimum security requirements set forth in FIPS Publication 200."
   Incorrect answers: a) is the RMF Guide; c) provides the security controls catalog; d) is the Guide to Protecting PII.

6. What are the three levels of potential impact from a security breach?
   a) Limited, Serious, Severe
   b) None, Some, Much
   c) Low, Moderate, High
   d) Minimal, Moderate, Significant
   Answer: c) Low, Moderate, High
   FIPS Pub 199 states: "FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The potential impact is LOW if ... The potential impact is MODERATE if ... The potential impact is HIGH if ..."
   Incorrect answers: a) gives the descriptions of adverse effect for each of the levels (do not confuse the descriptions of effects with the levels themselves); b) and d) are not the terms used.

7. Privacy security requirements are adequately addressed by the standard catalog of security controls?
   a) True
   b) False
   c) Not Applicable
   Answer: a) True
   As of Revision 4, NIST SP 800-53 contains Privacy Controls in Appendix J.
   Incorrect answers: b) was true until Revision 4 was released; c) is not true, because privacy controls are an important part of the overall system security controls.

8. Which of the following is NOT a type of security control?
   a) System-specific
   b) Hybrid
   c) Derived
   d) Common
   Answer: c) Derived
   NIST SP 800-34r4, Paragraph 2.4 states: "There are three distinct types of designations related to the security controls ... These designations include common controls, system-specific controls, and hybrid controls."
   Incorrect answers: Derived is not a term commonly used for security controls. The closest term would be "inherited," which is not a designation per se but an indication that a common control is being applied to a particular system.

9. When would you use a gap analysis in the RMF process?
   a) When applying security to a legacy system
   b) When there is an "air gap" in the system connection to the network
   c) When there is a significant time gap between design and implementation
   d) When the Authorizing Official billet is vacant for an extended time
   Answer: a) When applying security to a legacy system
   NIST SP 800-37r1, p. 19 states: "Applying the first three steps in the RMF to legacy systems can be viewed as a gap analysis to determine if the necessary and sufficient security controls (i.e., system-specific, hybrid, and common controls) have been appropriately selected and allocated."
   Incorrect answers: b) and c) are not specifically concerned with the RMF process; d) is not cause for a gap analysis.

10. Who has the primary responsibility for implementing the security controls specified in the system security plan?
   a) Information Owner
   b) Information System Security Officer
   c) Information System Owner
   d) Authorizing Official
   Answer: c) Information System Owner
   NIST SP 800-37r1, Paragraph 3.3 states: "TASK 3-1: Implement the security controls specified in the security plan. Primary Responsibility: Information System Owner."
   Incorrect answers: a) and b) have supporting roles in implementation; d) normally does not participate in implementation.

1. What is the first step in assigning impact levels for security categorization?
   a) Identify Business Impact
   b) Identify Information Type
   c) Select Provisional Impact
   d) Determine Security Objective
   Answer: b) Identify Information Type
   NIST SP 800-60 Vol. 1 Rev. 1 provides a guide for security categorization based on FIPS 199 and FIPS 200 with a 4-step process. The first step (Paragraph 4.1) is "Identify Information Types."
   Incorrect answers: Security categorization information should be used in a) Business Impact assessments, which are normally done later; c) is Step 2 of the process; d) Security Objective refers to confidentiality, integrity, and availability, which are not determined; rather, the categorization is performed in each objective area.

2. What are security controls that are inheritable by one or more organizational information systems?
   a) Common Controls
   b) Technical Controls
   c) Baseline Controls
   d) Inherited Controls
   Answer: a) Common Controls
   NIST SP 800-53r1, Paragraph 2.4 states: "Common controls are security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems."
   Incorrect answers: b) was a designation formerly used to classify controls; c) refers to those controls that are part of a specified security baseline; d) refers to those common controls that have been inherited by a system.

3. What kind of security control is a management, operational, or technical control employed by an organization in lieu of a recommended security control?
   a) Scoped Control
   b) Tailored Control
   c) Supplemental Control
   d) Compensating Control
   Answer: d) Compensating Control
   NIST SP 800-53r1 defines Compensating Security Controls as: "The security controls employed in lieu of the recommended controls in the security control baselines described in NIST Special Publication 800-53 and CNSS Instruction 1253 that provide equivalent or comparable protection for an information system or organization."
   Incorrect answers: a) suggests the scoping considerations applied to baseline controls, but the term "scoped control" is not used; b) refers to the process of tailoring a specified security baseline, but "tailored" is applied to the baseline, not to the individual controls; c) refers to controls that are not part of the standard baseline but are added to it.

4. What is the most significant change, regarding security control selection, in the revision of SP 800-37?
   a) RMF Step 2 Monitoring Strategy
   b) RMF Step 6 System Decommissioning
   c) CA Task Removal of Risk Determination
   d) RMF SSP Emphasis
   Answer: a) RMF Step 2 Monitoring Strategy
   NIST SP 800-37r1, Paragraph 1.1 states: "The risk management process described in this publication changes the traditional focus of C&A as a static, procedural activity to a more dynamic approach." A significant part of that change in focus was a shift from the documentation emphasis in the C&A process to an "emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems." The selection and implementation of controls is a key component of the system security plan. In Step 2 (Selection), the monitoring emphasis is reflected in Task 2-3, Monitoring Strategy.
   Incorrect answers: b) refers to an SDLC step, not an RMF step; c) is incorrect, since risk determination is central to the RMF process; d) the revision de-emphasizes documentation, such as the SSP.

5. What is the basis for the identification of information types?
   a) Business Reference Model
   b) Mission-specific Function
   c) Management Support Category
   d) Performance Reference Model
   Answer: a) Business Reference Model
   NIST SP 800-60 Vol. 1 Rev. 1, Paragraph 4.1 states: "The basis for the identification of information types is the OMB's Business Reference Model (BRM) described in the October 2007 publication, FEA Consolidated Reference Model Document, Version 2.3."
   Incorrect answers: b) refers to functions, which are what the organization performs; c) refers to Management and Support information within the model; d) is an incorrect name for the model.

6. What are the factors that drive the level of effort for the selection and implementation of security controls?
   a) Level of Financial Independence
   b) System Importance & Criticality
   c) Overall Impact Level
   d) Business Impact Level
   Answer: b) System Importance & Criticality
   NIST SP 800-37r1, p. 19 states: "The security categorization process influences the level of effort expended when implementing the RMF tasks. Information systems supporting the most critical and/or sensitive operations and assets within the organization, as indicated by the security categorization, demand the greatest level of attention and effort to ensure that appropriate information security and risk mitigation are achieved."
   Incorrect answers: a) does not impact level of effort; c) is taken into consideration in determining criticality, but is not the primary driver; d) is also a factor in importance and criticality, but not the primary driver.

7. Which of the followi

Institution
FITSP-A
Degree
FITSP-A