The _______________________________________________ describes the security-related
aspects of the enterprise architecture that are incorporated into the enterprise architecture
definition as an integral part of the architecture development—that is a sub-architecture
derived from the enterprise architecture, not a separately defined layer or architecture. -
correct answer ✔✔ information security architecture
The 4 components of the Risk Management Process include 1.) ______________, 2.)
______________, 3.) _________________, and 4.) _______________ - correct answer ✔✔
Frame Risk, Assess Risk, Respond to Risk, Monitor Risk
The multi-tiered organization-wide Risk Management includes Tier 1 ____________, Tier 2
_______________________________, and Tier 3 __________________________. - correct
answer ✔✔ Organization, Mission/Business Processes, Information Systems
An organizational ________________________________, one of the key outputs of risk
framing, addresses how organizations intend to assess, respond to, and monitor risk—the risk
associated with the operation and use of organizational information systems. - correct answer
✔✔ risk management strategy
The ____________________________ presumes neither a specific organizational structure nor
formal responsibility assigned to any one individual or group within the organization. Heads of
agencies or organizations may choose to retain the __________________________________ or
to delegate the function. - correct answer ✔✔ risk executive (function)
Strong __________________ is the best indicator of senior leadership commitment to effective,
consistent risk management across the organization to achieve ongoing mission/business
success. - correct answer ✔✔ governance
To be effective, organization-wide _________________________ programs require the strong
commitment, direct involvement, and ongoing support from senior leaders/executives. The
objective is to institutionalize __________________________ into the day-to-day operations of
organizations as a priority and an integral part of how organizations conduct operations in
cyberspace—recognizing that this is essential in order to successfully carry out missions in
threat-laden operational environments. - correct answer ✔✔ risk management
An important Tier 1 risk management activity, and also part of risk framing, is the determination
of __________________________. This is the level of risk or degree of uncertainty that is
acceptable to organizations and is a key element of the organizational risk frame. It affects all
components of the risk management process—having a direct impact on the risk management
decisions made by senior leaders/executives throughout the organization and providing
important constraints on those decisions. - correct answer ✔✔ risk tolerance
The determination of the relative importance of the missions/business functions, and hence the
level of risk management investment, is something that is decided upon at Tier ___, executed at
Tier ___, and influences risk management activities at Tier ___. - correct answer ✔✔ 1, 2, 3
To address less sophisticated threats, organizations can focus their efforts at Tier ___. - correct
answer ✔✔ 3
When organizations need to address advanced persistent threats, it is likely that adequately
addressing related risks at Tier 3 is not feasible because necessary security solutions are not
currently available in the commercial marketplace. In those instances, organizations must
purposefully invest beyond Tier 3 for significant response capabilities at Tier ___, and to some
extent at Tier ___. - correct answer ✔✔ 2, 1
Tier 2 addresses risk from a ______________________________ perspective by designing,
developing, and implementing mission/business processes that support the missions/business
functions defined at Tier 1. - correct answer ✔✔ mission/business process