Question


Which role has the PRIMARY responsibility for the documentation of control implementation?

  1. Systems security engineer
  2. Control assessor
  3. Information System Owner (ISO)
  4. Information Owner/Steward

When making determinations regarding the adequacy of common controls for their respective systems, Information System Owners (ISO) refer to the Common Control Providers’ (CCP)

  1. Privacy Impact Assessment (PIA)
  2. Business Impact Analysis (BIA)
  3. Authorization Packages
  4. Vulnerability Scans

An organization-wide approach to identifying common controls early in the Risk Management Framework (RMF) process does which of the following?

  1. Considers system-specific controls before assigning common controls
  2. Allows each Information System Owner (ISO) to accept only those common controls that are mission-critical
  3. Facilitates a more global strategy for assessing those controls and sharing essential assessment results
  4. Encourages Information System Owners and Authorizing Officials (AO) to complete their initial Security Plan (SP) prior to control assignment

From an organizational viewpoint, what effect does the designation of some security controls as common controls have?

  1. It is difficult for developers to build in security controls for individual applications
  2. Costs are increased in the Security Assessment and Authorization (A&A) activities
  3. Depth of analysis required is increased during the security Assessment and Authorization (A&A)
  4. Consistent application of security across the organization is enabled

What does a finding of “other than satisfied” reflect in an assessment report?

  1. An Information Security incident has occurred
  2. Information types should be reevaluated
  3. A lack of specified protection
  4. The contingency plan must be revised

What is considered when establishing a system authorization boundary?

  1. Direct management control
  2. Cost of security authorization
  3. Network topography and complexity
  4. Interconnection Security Agreement (ISA)

Which organizational reference can an Information System Security Officer (ISSO) use to help prioritize the remediation of a vulnerability found during a weekly vulnerability scan?

  1. Risk Assessment (RA)
  2. Risk management strategy
  3. Assessment report
  4. Plan of Action and Milestones (POA&M)

What consideration leads to a less frequent assessment and monitoring activity?

  1. Volatile security controls
  2. High-impact level systems
  3. High organizational risk tolerance
  4. Risks in the control assessment

Which of the following is the mutual agreement among participating organizations to accept one another’s security assessments in order to reuse system resources or to accept each other’s assessed security posture in order to share information?

  1. Memorandum of Understanding (MOU)
  2. Memorandum of Agreement (MOA)
  3. Reciprocity
  4. Reuse

What is essential when documenting the implementation of security controls?

  1. Security requirement and specification traceability
  2. Inclusion of threat and vulnerability pairs
  3. Organizational risk tolerance
  4. Control threat assessment

What activity MUST be completed before the System Owner (SO) considers the minimum security requirement of the system?

  1. Risk assessment
  2. Privacy Threshold Analysis (PTA)
  3. Impact level determination
  4. Vulnerability scanning

During the assessment of a new system, the System Owner (SO) mentioned that if unauthorized modification or destruction of medical information in the system occurred, it could result in potential loss of life because the system is the authoritative source of information about patient healthcare records including current and previous medications and ongoing medical procedures.

Which of the following is the BEST Security Categorization (SC) for the information type?

  1. SC medical information = (confidentiality, MODERATE), (integrity, LOW), (availability, LOW)
  2. SC medical information = (confidentiality, MODERATE), (integrity, MODERATE), (availability, MODERATE)
  3. SC medical information = (confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)
  4. SC medical information = (confidentiality, MODERATE), (integrity, MODERATE), (availability, HIGH)

One of the PRIMARY goals in conducting analysis of the test results from a scan during the Security Control Assessment (SCA) is to

  1. Identify false negative findings
  2. Categorize vulnerabilities
  3. Determine threats to the system
  4. Validate the system boundaries

Regardless of the task ordering, what is the last step before an Information System (IS) is placed into operation?

  1. Report the security status of the IS to the Authorizing Official (AO)
  2. Review the reported security status of the IS
  3. Update the Security Plan (SP) and the assessment report
  4. The explicit acceptance of risk by the Authorizing Official (AO)

Who is responsible for accepting the risk when a system undergoes a significant change?

  1. Information System Security Officer (ISSO)
  2. System Owner
  3. Risk executive (function)
  4. Authorizing Official (AO)

The security category of information 1 is determined to be:

  • Security Category information type = (confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, LOW)

and the security category of information 2 is determined to be:

  • Security Category information type = (confidentiality, LOW), (integrity, LOW), (availability, HIGH)

What is the security category for the Information System (IS)?

  1. Security Category information type = (confidentiality, LOW), (integrity, LOW), (availability, MODERATE)
  2. Security Category information type = (confidentiality, LOW), (integrity, MODERATE), (availability, HIGH)
  3. Security Category information type = (confidentiality, NOT APPLICABLE), (integrity, LOW), (availability, MODERATE)
  4. Security Category information type = (confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, HIGH)

Which of the following BEST defines the purpose of the security assessment?

  1. To determine if the remaining known vulnerabilities pose an acceptable level of risk
  2. To determine the extent to which the security controls are implemented correctly and operating as intended
  3. To perform oversight and monitor the security controls in the Information System (IS)
  4. To perform an initial risk estimate and security categorization of the Information System (IS)

Which role does a System Owner (SO) coordinate inherited controls implementation with?

  1. Common Control Provider (CCP)
  2. System security officer
  3. Authorizing Official (AO)
  4. Authorizing Official Designated Representative (AODR)

A Security Control Assessment (SCA) was completed over two years ago, but the surrounding environment has since changed. What, if anything, should the assessment team do with the previous results?

  1. Assess only those controls that have changed
  2. Designed since the results are too old
  3. Assess all controls for the system
  4. Determine changes and impacts

The Authorizing Official (AO) issues an Authorization decision for an information system after

  1. Deciding whether or not the risk is acceptable
  2. Completing the risk analysis
  3. Updating the Security Plan (SP)
  4. Documenting the control assessment results

When documenting how system-specific and hybrid security controls are implemented, an organization takes into account

  1. Industry best practices
  2. Accepted management and technical controls
  3. Future hardware and software requirements
  4. Specific technologies and platform dependencies

Which process must be conducted during security categorization?

  1. Define information types
  2. Define baseline security controls
  3. Determine risk level
  4. Determine likelihood of impact
Answer #1

As per the Chegg guidelines, among multiple questions, the first one needs to be answered. Therefore, the solution of the first question is provided below:

Solution:

The correct option for the role which has the PRIMARY responsibility for the documentation of control implementation is D. Information Owner/Steward.

Explanation:

  • In the RMF team, the people responsible for the roles that cover the selection of the security controls are the architect of the information system and the owners of the information system.
  • Thus, the correct option is D. Information Owner/Steward.

Kindly post the rest of the questions separately for answers.
