Q1
FISMA charges which one of the following agencies with the responsibility of overseeing the
security policies and practices of all agencies of the executive branch of the Federal
government? Office of Management and Budget (OMB) National Institute of Standards and
Technology (NIST) National Security Agency (NSA) Department of Justice Office of Management
and Budget (OMB)
Answer: Office of Management and Budget (OMB)
Q2
Which one of the following publications provides details of the monitoring security control? NIST
SP 800 53 NIST SP 800 42 NIST SP 800 37 NIST SP 800 41
Answer: NIST SP 800 53
Q3
Which of the following individuals is responsible for monitoring the information system
environment that can negatively impact the security of the system and its accreditation? Chief
Information Security Officer Chief Information Officer Chief Risk Officer Information System
Owner
Answer: Chief Information Security Officer
Q4
Which of the following professionals plays the role of a monitor and takes part in the
organizations configuration management process? Senior Agency Information Security Officer
Authorizing Official Common Control Provider Chief Information Officer Common Control
Provider
Answer: configuration management process?
Q5
Which of the following is not a standard phase in the System Authorization Process? Pre
certification Post authorization Post certification Certification
Answer: Pre certification
, Q6
This process is used to determine if the security controls in the information system continue to
be effective over time in light of the inevitable changes that occur in the system as well as the
environment in which the system operates between authorization decisions.
Answer: Continuous monitoring
Q7
Which of the following NIST documents provides a guideline for identifying an information
system as a National Security System? NIST SP 800 59 NIST SP 800 53 NIST SP 800 60 NIST SP
800 37 NIST SP 800 59
Answer: NIST SP 800 59
Q8
Subsequent to a security breach, which of the following techniques are used with the intention
to limit the extent of damage caused by the incident? Corrective controls Preventive controls
Change controls Incident controls
Answer: Corrective controls
Q9
IS audit Systems acquisition Reauthorization Reclassification of data
Answer: Systems acquisition
Q10
Which of the following documents can be best aid in selecting controls to be monitored?
Answer: NIST SP 800 37
Q11
Applying the first three steps in the RMF to legacy systems can be viewed in what way to
determine if the necessary and sufficient security controls have been appropriately selected
and allocated?
Answer: Sequential
Q12
In which type of access control do user ID and password system come under?
Answer: Physical