18 Cards in this Set
| Front | Back |
|---|---|
| Who has the primary responsibility for step one of the Risk Management Framework (RMF)? | Information System Owner; Information Owner/Steward |
| In which phase of the SDLC does the categorization stage take place? | Initiation (concept/requirements definition) |
| What are two major factors to take into consideration when taking part in the security categorization process? | The enterprise architecture and the information security architecture. |
| What are three tasks associated with step one of the RMF? | Categorize, Describe, and Register the information system and document the results in the security plan. |
| What are four tasks associated with step 2 of the RMF? | Identify the common controls for organizational information systems; select the security controls for the information system; develop a strategy for continuous monitoring and document the controls in a security plan; review and approve the SSP. |
| Security controls that are inherited by one or more organizational information systems are called ___________? | Common Controls |
| What three documents are used by authorizing officials within the organization to make risk-based decisions in the security authorization process for their information systems? | Security plans, security assessment reports, and plans of action and milestones |
| What capability should common control providers have with regard to communicating with information system owners who inherit controls? | Common control providers are able to quickly inform information system owners when problems arise in the inherited common controls. |
| In what SDLC phase(s) does step 1 of the RMF occur? | Initiation (concept/requirements definition). |
| In what SDLC phase(s) does step 2 of the RMF occur? | Initiation and Development/acquisition. Tasks 2.1-2.3 occur in the initiation phase; task 2.4 (Review and approve the security plan) occurs in the development phase. |
| What are three things the continuous monitoring strategy for the information system identifies? | The security controls to be monitored, the frequency of monitoring, and the control assessment approach. |
| Who approves the monitoring strategy, including the set of security controls that are to be monitored on an ongoing basis as well as the frequency of the monitoring activities? | The authorizing official or designated representative |
| In what step of the RMF are minimum assurance requirements for the security controls employed within and inherited by the information system addressed? | Step 2 |
| List tasks for step 6 of the RMF. | 1. Determine security impact of proposed changes; 2. Assess subset of controls; 3. Conduct remediation actions; 4. Update the SSP |
| List tasks for step 5 of the RMF. | 1. Prepare the POA&M; 2. Assemble and submit the security authorization package; 3. Determine risk; 4. Determine if risk is acceptable |
| List tasks in step 3 of the RMF. | 1. Implement security controls; 2. Document the implementation of the security controls |
| List tasks in step 4 of the RMF. | 1. Develop a plan to assess the controls; 2. Assess security controls; 3. Prepare security assessment report; 4. Conduct initial remediation actions |
| Who is the independent entity responsible for much of step 4? | The Security Control Assessor |