NIST SP 800-53 covers a vast number and type of security controls throughout the management, operational and technical domains.


ASSIGNMENT INSTRUCTIONS:

1. NIST SP 800-53 covers a vast number and type of security controls throughout the management, operational, and ___________ domains. (Fill in the blank).
2. By definition an assessment is the testing/evaluation and the extent of: (Choose 3).
   Security Controls
   Confidentiality
   Correctly implementing
   Producing the desired outcome
   Infrastructure
3. The purpose of the risk assessment component is to identify what? (Choose 3).
   Vulnerabilities
   Likelihood of harm
   Rules
   Threats
   Strategy
4. What law that was passed requires all federal agencies to conduct reviews and accreditations for their information systems?
   Federal Info System Management Act
   Sarbanes-Oxley Act
   USA Patriot Act
   FIPS-197
5. Who approves Federal Information Processing Standards (FIPS)?
   Secretary of Commerce
   Department of Defense
   Public Law
   Committee on National Security Systems
   CERT
6. Which FIPS addresses the task to develop standards for categorization?
   FIPS 199
   FIPS 202
   FIPS 200
   Federal Agencies
7. Plans of Action and Milestones (POAMS) contain Weaknesses, Resources, Completion Date, Changes, Current Status, and _______________. (Fill in the blank).
8. The ICD 503 has many focus points, but for Vulnerability Assessment, the initial evaluation analysis steps conclude with a vulnerability assessment to identify the?
   Residual Risk
   Test
   Access
   System
9. FedRAMP developed a risk management program focused on security for ______-based systems. (Fill in the blank).
10. In the Risk Management Framework, the step after Authorization is?
   Monitoring
   Preparation
   Assessing
   Categorization
11. In the RMF’s Preparation Phase, what requires increased levels of protection in an organization?
   High Value Assets
   Cybersecurity Initiatives
   Authorization
   Networks
12. In the RMF’s Categorization Phase, choose the documents needed to help complete the goal of Categorization. (Choose 3)
   Budgets
   System Security Plans
   Potential Impacts of a security compromise
   Notes
   Interviews
13. When conducting an Assessment, the questions that are answered for controls are: Implemented Correctly, __________________, and Producing the Desired Outcome.
14. The 3 documents included in the Authorization Package are the System Security Plan, Security Assessment Report, and the?
   POAM
   Continuous Diagnostic and Mitigation Plan
   Maintenance Plan
   Personnel Security Plan
15. If you had conflicting guidance by NIST and Congress/OMB authorities, which should you follow?
   Congress/OMB
   NIST
16. Give your description of risk management without quoting NIST 800-37’s definition.
17. From the book, Security Controls Evaluation, Testing and Assessment Handbook, 2nd Edition, name 3 statutory or regulatory laws and tell a short summary about each one.

HOW TO WORK ON THIS ASSIGNMENT (EXAMPLE ESSAY / DRAFT)

NIST SP 800-53 is a framework that provides a comprehensive set of security controls for federal information systems and organizations. The framework covers security controls in three domains: management, operational, and technical.

2. By definition an assessment is the testing/evaluation and the extent of: Security Controls, Correctly implementing, and Producing the desired outcome.

Assessment is the process of evaluating the effectiveness of security controls to determine if they are properly implemented and producing the desired outcome.

3. The purpose of the risk assessment component is to identify vulnerabilities, likelihood of harm, and threats.

Risk assessment is the process of identifying and evaluating potential risks to an organization. It helps to identify vulnerabilities, assess the likelihood of harm, and identify potential threats.

4. The law that requires all federal agencies to conduct reviews and accreditations for their information systems is the Federal Information System Management Act (FISMA).

FISMA is a law that requires all federal agencies to establish and maintain an information security program, which includes periodic risk assessments, security controls, and security testing.

5. Federal Information Processing Standards (FIPS) are approved by the Secretary of Commerce.

FIPS are standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for federal information systems. The Secretary of Commerce approves FIPS.

6. FIPS 200 addresses the task to develop standards for categorization.

FIPS 200 provides a standard for categorizing information and information systems based on the impact to an organization.

7. Plans of Action and Milestones (POAMs) contain Weaknesses, Resources, Completion Date, Changes, Current Status, and Remediation Plan.

POAMs are documents that outline the weaknesses and vulnerabilities of an information system, along with a remediation plan to address these issues. The document also includes resources, completion dates, changes, and current status.

8. The ICD 503 initial evaluation analysis steps for vulnerability assessment conclude with identifying residual risk.

ICD 503 is a standard for managing the security of information systems in the federal government. The initial evaluation analysis steps for vulnerability assessment conclude with identifying residual risk.

9. FedRAMP developed a risk management program focused on security for cloud-based systems.

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based systems.

10. In the Risk Management Framework, the step after Authorization is Monitoring.

The Risk Management Framework (RMF) is a process for managing risk in federal information systems. The step after authorization is monitoring the system to ensure that security controls remain effective.

11. In the RMF’s Preparation Phase, High Value Assets require increased levels of protection in an organization.

The Preparation Phase of the RMF involves identifying and categorizing information systems based on the level of risk they pose. High Value Assets require increased levels of protection in an organization.

12. In the RMF’s Categorization Phase, the documents needed to help complete the goal of categorization are the System Security Plans, Potential Impacts from a security compromise, and Budgets.

The Categorization Phase of the RMF involves categorizing information systems based on the potential impact to the organization if the system is compromised. The documents needed to help complete this process include system security plans, potential impacts from a security compromise, and budgets.

13. When conducting an Assessment, the questions that are answered for controls are: Implemented Correctly, Operating as intended, and Producing the Desired Outcome.

During an assessment, security controls are evaluated based on whether they are implemented correctly, operating as intended, and producing the desired outcome.
