CONTROLS QUESTIONS AND ANSWERS 100% CORRECT
Are the controls under review?
- Implemented correctly?
- Operating as intended?
- Producing desired results? - ANSWER-Assessment objectives (Under Assessment Tasks)
Agencies are required to use FIPS _____/NIST SP 800-53 for the specification of security controls and NIST SP 800-53A for the assessment of security control effectiveness. - ANSWER-200
Assessing the security controls is using the appropriate assessment procedures to determine the extent to which the controls are implemented correctly, ______________ __ ____________, and producing the desired outcome with respect to meeting the security requirements for the system. - ANSWER-operating as intended
An assessment can be _______________________ (met control) or _______________ (did not meet control); nothing else. DoD calls these Compliant or Non-compliant. - ANSWER-Satisfactory or Other
What are these?
- Prepare for security control assessment
- Establish security control assessment plan
- Determine security control effectiveness
- Develop initial security assessment report
- Perform initial remediation actions
- Develop final security assessment report and addendum. - ANSWER-6 Key Areas for Assessment
Organizations should develop an information security assessment policy to provide direction and guidance for their __________________ __________________. - ANSWER-security assessments
The policy should be reviewed at least __________________ and whenever there are new assessment-related requirements. - ANSWER-annually
SP 800-53A
Information is more:
- Complete
- Reliable
- Trustworthy
(True or False) - ANSWER-True
The guidance in SP 800-53A has been developed to help achieve more secure information systems within the federal government by doing the following:
- Enabling more consistent, comparable, and repeatable assessments of security controls with reproducible results
- Facilitating more cost-effective assessment of security controls contributing to the determination of overall control effectiveness
- Promoting a better understanding of the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal ISs
- Creating more complete, reliable, and trustworthy information for organizational officials to support risk management decisions, reciprocity of assessment results, information sharing, and FISMA compliance. - ANSWER-Study
Conducting security control assessments in parallel with the development/acquisition and implementation phase of the lifecycle permits the identification of weaknesses and deficiencies early and provides the most cost-effective method for initiating corrective actions. (True or False) - ANSWER-True
Organizations consider both the ______________ __________ and ___________________ required in selecting security control assessors. Organizations also ensure that security control assessors possess the required skills and technical expertise to successfully carry out assessments of system-specific, hybrid, and common controls. This includes knowledge of and experience with the specific hardware, software, and firmware components employed by the organization. - ANSWER-technical expertise and independence
______________________ implies that assessors are free from any perceived or actual conflicts of interest with respect to the development, operation, or management of the IS or the determination of security control effectiveness. - ANSWER-Impartiality
- Ensure proper policies in place
- Ensure all previous RMF Steps completed
- Ensure all Common Controls in place and implemented
- Collect and evaluate system artifacts
- Assessment testing:
-- Vulnerability scanning
-- Log review
-- Penetration testing
-- Configuration checklist review - ANSWER-Assessment Tasks
What are the three types of assessment methods that can be used during an assessment? - ANSWER-Testing, Examination, and/or Interviewing