Answers | Verified | Latest 2024 Version
The authority to accept residual risk resides in which role? - ✔✔Authorizing Official
Which reference provides detailed guidance on risk assessments? - ✔✔SP 800-30 Risk Management Guide for Information Technology Systems
Which non-executive branch organization provides the President with advice on security and continuity of communications systems? - ✔✔National Security Telecommunications Advisory Committee (NSTAC)
NCSC-5 establishes the National Policy for the use of cryptographic material when operating in high risk environments. Which is NOT required by this policy? - ✔✔Have a plan to operate without cryptographic material if necessary
Who prepares the accreditation decision letter? - ✔✔Designated Representative
Who develops and maintains information security policies, procedures, and control techniques to address all applicable requirements? - ✔✔Chief Information Officer
The Risk Management Equation includes: - ✔✔Risk Assessment + Risk Mitigation + Evaluation and Assessment
Who procures, develops, integrates, modifies, operates or maintains an information system? - ✔✔Information System Owner
Who is responsible for preparing the system security plan and conducting the risk assessment? - ✔✔Information System Owner
You have just completed the Control Analysis step in the SP 800-30 process. What is the next step? - ✔✔Likelihood Determination
In which phase of the 800-30 process does one produce the Risk Assessment Report (RAR)? - ✔✔Results Documentation
Which phase of the SP 800-30 process produces the Impact Rating? - ✔✔Impact Analysis
Inputs to Step 3 Vulnerability Identification do NOT include: - ✔✔List of Potential Vulnerabilities
Which of these is (are) NOT inputs to Step 1 System Characterization under SP 800-30? - ✔✔System Boundary
Which of the following is a good source of information on system vulnerabilities maintained by the NIST?
- ✔✔ICAD Database
Which of these are valid ways to mitigate risk? - ✔✔Risk Avoidance, Risk Transference
During which phase of the NIST SP 800-37 System Authorization Process does the Information System Owner conduct the initial risk assessment? - ✔✔Initiation Phase
By regulation and law, information security must be: - ✔✔Cost-effective
Executive Agencies must: - ✔✔Authorize system processing prior to operation
Adequate Security is: - ✔✔Commensurate with risk
Which phase follows the Validation Phase in the NIACAP process? - ✔✔Post Accreditation Phase
Which phase of the IATF results in component and interface specifications that provide sufficient information for acquisition of security products? - ✔✔Develop Detailed Security Design
Security Control Assessment tries to determine if the controls are - ✔✔Producing desired results
In which phase of the IATF does formal risk assessment begin? - ✔✔Design System Security Architecture
What is the minimum frequency at which periodic testing and evaluation of the effectiveness of policies can be done? - ✔✔Annually
Which of the following is NOT required to be part of the SSP under SP 800-37? - ✔✔Results of last awareness evaluation
Which of the following is NOT normally part of the Requirements Traceability Matrix? - ✔✔POA&M findings
Which of the following is NOT accomplished as part of registration? - ✔✔System Certification
IAW FIPS 199, what word is used to describe potential "LOW" impact items? - ✔✔Limited
Initial CONOPS development begins in which phase of the IATF? - ✔✔Define System Security Requirements
The main purpose of C&A is? - ✔✔Acceptance and management of risk
Certification is? - ✔✔Evaluation of technical and non-technical controls
NIST SP 800-18, Guide for Developing Security Plans describes the purpose of security plans as: - ✔✔provide an overview of the system security requirements and the controls in place
Which of these is NOT a phase of DITSCAP? - ✔✔Initiation
What is a disadvantage of the Spiral development method? - ✔✔Production Paradox
Which of the following is NOT part of the Information Management Model (IMM)? - ✔✔Information Protection Policy (IPP)
Harm to Information and Potentially Harmful Events are measured using - ✔✔A metric such as a seriousness rating
Who serves as principal staff advisor to the system owner on all matters involving the security of the information system? - ✔✔Information System Security Officer
IAW the IATF, classes of attack do NOT include? - ✔✔Hackers
Who is responsible for ensuring that configuration and change control processes are followed? - ✔✔Information System Manager
As part of the SSE-CMM evaluation, which of the following is NOT evaluated as part of the "Assess Security Risk"? - ✔✔Security Certification
Who is responsible for managing, coordinating, and overseeing all security authorization activities, agency-wide? - ✔✔Authorization Advocate
Which of the following is NOT part of how the IATF describes the Defense in Depth paradigm? - ✔✔Respond
Who is responsible for representing the interests of the system acquisition or maintenance organization? - ✔✔Program Manager
Who provides an independent assessment of the system security plan? - ✔✔Certification Agent
Who is responsible for identifying mission and operational requirements? - ✔✔User Representatives