75 Cards in this Set
What are the five stages of the SDLC?
|
1 - Initiation
2 - Development/Acquisitions
3 - Implementation
4 - Operations/Maintenance
5 - Disposition/Disposal |
|
What are the six steps of the Risk Management Framework (RMF)?
|
1 - Categorize
2 - Select
3 - Implement
4 - Assess
5 - Authorize
6 - Monitor |
|
What roles and responsibilities can only be occupied by a government employee?
|
Risk Executive
Chief Information Officer (CIO)
Senior Information Security Officer (SISO)
Authorizing Official (AO) |
|
What are the three parts of Risk Management?
|
1 - Risk Assessment Methodology
2 - Risk Mitigation
3 - Risk Evaluation and Assessment |
|
What are the nine steps of Risk Assessment Methodology?
|
1 - System Characterization
2 - Threat Identification
3 - Vulnerability Identification
4 - Control Analysis
5 - Likelihood Determination
6 - Impact Analysis
7 - Risk Determination
8 - Control Recommendation
9 - Results Documentation |
|
What are the six Risk Mitigation options?
|
1 - Risk Assumption
2 - Risk Avoidance
3 - Risk Limitation
4 - Risk Planning
5 - Research and Acknowledgement
6 - Risk Transference |
|
Define the term for the below definition:
applying risk management principles and satisfying compliance requirements; proactive; cost-effective; risk-based; compensating controls |
Governance
|
|
Five keys to successful Risk Management Program?
|
1 - Senior management's commitment
2 - Full support and participation of the IT team
3 - Competence of the risk assessment team
4 - User community awareness and cooperation
5 - An ongoing evaluation and assessment of the IT-related mission risks |
|
Office of Management and Budget (OMB) works directly for?
|
White House Staff
|
|
What are the four phases for interconnecting systems?
|
1 - Planning
2 - Establishing
3 - Maintaining
4 - Disconnecting |
|
What are the six steps to the Planning Phase of Interconnecting Systems?
|
1 - Establish Joint Planning Team
2 - Define Business Case
3 - Perform C&A
4 - Determine Interconnecting Requirements
5 - Document Interconnection Agreement
6 - Approve or Reject Interconnection |
|
What are the three Control Classes?
|
Management
Operations
Technical |
|
What are the five families of the Management Class?
|
1 - Certification, Accreditation, and Security Assessments
2 - Planning
3 - Risk Assessment
4 - System and Services
5 - Program Management |
|
What are the nine families of the Operations Class?
|
1 - Awareness
2 - Configuration Management
3 - Contingency Planning
4 - Incident Response
5 - Maintenance
6 - Media Protection
7 - Personnel Security
8 - Physical and Environmental Protection
9 - System and Information Integrity |
|
What are the four families of the Technical Class?
|
1 - Access Control
2 - Audit and Accountability
3 - Identification and Authentication
4 - System and Communication Protection |
|
What are the seven steps in IT Contingency Planning?
|
1 - Develop Contingency Planning Process
2 - Conduct Business Impact Analysis
3 - Identify Preventative Controls
4 - Develop Recovery Strategies
5 - Develop Contingency Plan
6 - Plan Testing, Training, and Exercise
7 - Plan Maintenance |
|
What are the five steps of Configuration Management process?
|
1 - Identify Change
2 - Evaluate Change Request
3 - Implement Decision
4 - Implement
5 - Continuous Monitor |
|
What are the five Maturity Levels?
|
Level 1 - Policies
Level 2 - Procedures
Level 3 - Implementation
Level 4 - Testing
Level 5 - Integration |
|
What are the outputs for the System Characterization Step?
|
System Boundary
System Functions
System and Data Criticality
System and Data Sensitivity |
|
What is the output for the Threat Identification step?
|
Threat Statement
|
|
What is the output for the Vulnerability Identification step?
|
List of Potential Vulnerabilities
|
|
What is the output for the Control Analysis step?
|
List of Current and Planned Controls
|
|
What is the output for the Likelihood Determination step?
|
Likelihood Rating
|
|
What is the output for the Impact Analysis step?
|
Impact Rating
|
|
What is the output for the Risk Determination step?
|
Risks and Associated Risk Level
|
|
What is the output for the Control Recommendation step?
|
Recommended Controls
|
|
What is the output for the Results Documentation step?
|
Risk Assessment Report (RAR)
|
|
What are the input(s) for the System Characterization step?
|
hardware
software
system interfaces
data and info
people
system mission |
|
What are the input(s) for the Threat Identification step?
|
history of system attacks
data from FedCIRC, intelligence agencies, NIPC, OIG, mass media, etc. |
|
What are the input(s) for the Vulnerability Identification step?
|
reports from prior risk assessments
audit comments
security requirements
security test results |
|
What are the input(s) for the Control Analysis step?
|
current controls
planned controls |
|
What are the input(s) for the Likelihood Determination step?
|
threat-source motivation
threat capacity
nature of vulnerability
current controls |
|
What are the input(s) for the Impact Analysis step?
|
mission impact analysis
asset criticality assessment
data criticality
data sensitivity |
|
What are the input(s) for the Risk Determination step?
|
likelihood of threat exploitation
magnitude of impact
adequacy of planned or current controls |
|
NIST falls under which department of the government?
|
Department of Commerce
|
|
NIST SP 800-27 covers what?
|
Engineering Principles for IT Security
|
|
NIST SP 800-34 covers what?
|
Contingency Planning Guide for IT Systems
|
|
NIST SP 800-39 covers what?
|
Managing Risk from Information Systems
|
|
NIST SP 800-40 covers what?
|
Creating a Patch and Vulnerability Management Program
|
|
NIST SP 800-41 covers what?
|
Guidelines on Firewalls and Firewall Policy
|
|
NIST SP 800-47 covers what?
|
Security Guide for Interconnecting IT Systems
|
|
NIST SP 800-50 covers what?
|
Building an IT Security Awareness and Training Program
|
|
NIST SP 800-55 covers what?
|
Performance Measurement Guide for Information Security
|
|
NIST SP 800-65 covers what?
|
Recommendation for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)
|
|
NIST SP 800-83 covers what?
|
Guide to Malware Incident Prevention and Handling
|
|
NIST SP 800-88 covers what?
|
Guidelines for Media Sanitization
|
|
NIST SP 800-92 covers what?
|
Guide to Computer Security Log Management
|
|
NIST SP 800-100 covers what?
|
Information Security Handbook: A Guide for Managers
|
|
NIST SP 800-115 covers what?
|
Technical Guide to Information Security Testing and Assessment
|
|
NIST SP 800-122 covers what?
|
'DRAFT' Guide to Protecting the Confidentiality of PII
|
|
What are the six stages for Incident Response?
|
1 - Preparation
2 - Detection
3 - Containment
4 - Eradication
5 - Recovery
6 - Post-Incident |
|
Step 5 of the RMF falls within which stage of the SDLC?
|
Implementation
|
|
What task is prepared during the beginning of Step 5?
|
Plan of Action and Milestones (POA&M)
|
|
A security authorization plan contains what three key documents?
|
Security Plan
Security Assessment Report
POA&M |
|
Which report provides the authorizing official and other senior leaders essential information with regard to the security state of the information system, including the effectiveness of deployed security controls?
|
Security Status Reports
|
|
What are the types of Security Status Reports?
|
Event-driven
Time-driven
Both |
|
By carrying out ongoing _______ and ________, authorizing officials can maintain the security authorization over time.
|
Risk Determination and Risk Acceptance
|
|
Determining how the changing conditions affect the mission or business risks associated with the information systems is essential for maintaining what?
|
Adequate Security
|
|
What is the FIPS 200?
|
Minimum Security Requirements for Federal Information and Information Systems
|
|
The FIPS 200 minimum security requirements cover what?
|
It covers the 17 security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information and information systems and the information processed, stored, and transmitted by those systems.
|
|
What is the NIST SP 800-59 used for?
|
Guideline for Identifying an Information System as a National Security System
|
|
What is the term used when identifying a system whose function, operation, or use involves intelligence activities; cryptologic activities related to national security; equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions?
|
National Security System
|
|
If there is a dispute between the system owner and the agency as to whether the system is critical to the direct fulfillment of military or intelligence missions, to whom does either need to submit the issue?
|
CNSS and OMB
|
|
What is defined as a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event?
|
Risk
|
|
What are the different types of gathering techniques for Step 1 of the Risk Assessment Process?
|
Questionnaires
On-site Interviews
Document Review
Use of Automated Scanning Tools |
|
What are different types of threat-sources?
|
Hacker/Cracker
Computer Criminal
Terrorist
Industrial Espionage
Insiders |
|
What is the CNSSI 1253 used for?
|
Security Categorization and Control Selection for National Security Systems
|
|
What is the three step process for selecting security controls for a national security system?
|
Step 1 - Select the initial set of security controls
Step 2 - Tailor the initial set of security controls
Step 3 - Supplement the tailored set of security controls |
|
As per the NIST SP 800-100 what are the six steps of the Risk Assessment Process?
|
Step 1 - System Characterization
Step 2 - Threat Identification
Step 3 - Vulnerability Identification
Step 4 - Risk Analysis (Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination)
Step 5 - Control Recommendation
Step 6 - Results Documentation |
|
What is the seven-step approach to risk mitigation?
|
1 - Prioritize actions
2 - Evaluate recommended control options
3 - Conduct cost-benefit analysis
4 - Select controls
5 - Assign responsibilities
6 - Develop a safeguard implementation plan
7 - Implement selected controls |
|
As per the NIST SP 800-37, what are the four phases of the C&A process?
|
Initiation
Certification
Accreditation
Continuous Monitoring |
|
What are the six phases of the Information Security Services Life Cycle?
|
1 - Initiation
2 - Assessment
3 - Solution
4 - Implementation
5 - Operations
6 - Closeout |
|
What are the six categories of an Information Security Service?
|
1 - Strategic/Mission
2 - Budgetary/Funding
3 - Technical/Architectural
4 - Organizational
5 - Personnel
6 - Policy/Process |
|
What are the four steps for Incident Response?
|
1 - Preparation
2 - Detection and Analysis
3 - Containment, Eradication, and Recovery
4 - Post-Incident Activity |
|
What is the five step Configuration Management Process?
|
1 - Identify Change
2 - Evaluate Change Request
3 - Implementation Decision
4 - Implement Approved Change Request
5 - Continuous Monitoring |