FREE CGRC Compliance and Policy Questions and Answers

Question 1

The determination of whether a system should be deemed a national security system is required by FISMA and supported by which NIST publication?

Accepted Answer

NIST SP 800-59

Answer

NIST SP 800-70

Answer

NIST SP 800-69

Answer

NIST SP 800-60

Question 2

There are many prospective risks, categories of risk, and manners in which risk is evaluated. Federal law requires the consideration of mission, assets, other organizations and:

Accepted Answer

Individuals

Answer

Financial

Answer

Policy

Answer

None of the above

Question 3

The security objectives are:

Accepted Answer

Confidentiality, integrity, and availability

Answer

Confidentiality, integrity, and authenticity

Answer

Confidentiality, sensitivity, and availability

Answer

Risk management, risk mitigation, and risk monitoring

Question 4

According to the Risk Management Framework (RMF), which role has a primary responsibility to report the security status of the information system to the authorizing official (AO) and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy?

Accepted Answer

Common control provider

Answer

Information system security officer (ISSO)

Answer

Independent assessor

Answer

Senior information assurance officer (SIAO)

Question 5

Which authorization approach considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of the other organization?

Accepted Answer

Leveraged

Answer

Single

Answer

Joint

Answer

Site-specific

Question 6

When should the information system owner document the information system and authorization boundary description in the security plan?

Accepted Answer

After security categorization

Answer

After security controls are implemented

Answer

While assembling the authorization package

Answer

When reviewing the security control assessment plan

Question 7

Information developed from Federal Information Processing Standard (FIPS) 199 may be used as an input to which authorization package document?

Accepted Answer

System security plan (SSP)

Answer

Security assessment report (SAR)

Answer

Plan of actions and milestones (POA&M)

Answer

Authorization decision document

Question 8

Who procures, develops, integrates, or modifies an information system?

Accepted Answer

Information System Owner

Answer

Program Manager

Answer

Chief Information Officer

Answer

Certification Program Manager

Question 9

You have just completed the Control Analysis step in the NIST SP 800-30 process. What reference would most likely be used to identify controls that are not documented in the SSP?

Accepted Answer

NIST SP 800-53

Answer

NIST SP 800-47 Rev 1

Answer

NIST SP 800-39

Answer

NIST SP 800-30

Question 10

OMB Circular A-130 states information security must be:

Accepted Answer

Risk Based-Cost Effective

Answer

Reduce risk to acceptable levels as determined by the System Owner

Answer

Eliminate risk

Answer

Reduce risk to negligible level