Continuous Monitoring is the fourth phase of the security certification and accreditation process. What activities are performed in the Continuous Monitoring process?
Each correct answer represents a complete solution. Choose all that apply.
Answer : A, B, C
Continuous Monitoring is the fourth phase of the security certification and accreditation process.
The Continuous Monitoring process consists of the following three main activities:
Configuration management and control
Security control monitoring and impact analyses of changes to the information system
Status reporting and documentation
The objective of these tasks is to observe and evaluate the information system security controls during the system life cycle. These tasks determine whether the changes that have occurred will negatively impact the system security.
Answer options D and E are incorrect. Security accreditation decision and security accreditation documentation are the two tasks of the security accreditation phase.
Which of the following types of CNSS issuances establishes criteria, and assigns responsibilities?
Answer : D
The various CNSS issuances are as follows:
Policies: A policy assigns responsibilities and establishes criteria (NSTISSP or CNSSP).
Directives: A directive establishes or describes policy and programs, provides authority, or assigns responsibilities (NSTISSD or CNSSD).
Instructions: An instruction describes how to implement the policy or prescribes the manner of a policy (NSTISSI or CNSSI).
Advisory memoranda: An advisory memorandum provides guidance on policy and may cover a variety of topics involving information assurance, telecommunications security, and network security (NSTISSAM or CNSSAM).
Which of the following security controls will you use for the deployment phase of the SDLC to build secure software? Each correct answer represents a complete solution. Choose all that apply.
Answer : A, B, C
The various security controls in the SDLC deployment phase are as follows:
Secure Installation: While performing any software installation, it should be kept in mind that the security configuration of the environment should never be reduced. If it is reduced, security issues and the overall risk to the environment increase.
Vulnerability Assessment and Penetration Testing: Vulnerability assessments (VA) and penetration testing (PT) are used to determine the risk and attest to the strength of the software after it has been deployed.
Security Certification and Accreditation (C&A): Security certification is the process used to ensure that controls are effectively implemented, through established verification techniques and procedures, giving organization officials confidence that the appropriate safeguards and countermeasures are in place as a means of protection. Accreditation is the provisioning of the necessary security authorization by a senior organization official to process, store, or transmit information.
Risk Adjustments: Contingency plans and exceptions should be generated when the residual risk is above the acceptable threshold.
Which of the following individuals are part of the senior management and are responsible for authorization of individual systems, approving enterprise solutions, establishing security policies, providing funds, and maintaining an understanding of risks at all levels? Each correct answer represents a complete solution. Choose all that apply.
Answer : A, B, C, E
Authorizing Official, AO Designated Representative (AODR), Chief Information Officer (CIO), and
Senior Information Security Officer (SISO) are part of the senior management. These individuals are
responsible for the following:
Authorization of individual systems
Approving enterprise solutions
Establishing security policies
Providing funds
Maintaining an understanding of risk at all levels
Answer option D is incorrect. A User Representative is not a part of the senior management in the
Authorization process.
Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?
Answer : B
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a 'risk-based policy for cost-effective security'. FISMA requires agency program officials, chief information officers, and Inspectors General (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act.
Answer option A is incorrect. The Lanham Act is a piece of legislation that contains the federal
statutes of trademark law in the United States.
The Act prohibits a number of activities, including trademark infringement, trademark dilution, and
false advertising. It is also called Lanham
Trademark Act.
Answer option D is incorrect. The Computer Misuse Act 1990 is an act of the UK Parliament which creates the following offences:
Unauthorized access to computer material is punishable by 6 months' imprisonment or a fine 'not exceeding level 5 on the standard scale' (currently £5,000).
Unauthorized access with the intent to commit or facilitate the commission of further offences is punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment.
Unauthorized modification of computer material is subject to the same sentences as section 2 offences.
Answer option C is incorrect. The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended to reduce cracking of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as 18 U.S.C. § 1030) governs cases with a compelling federal interest: where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers used in interstate and foreign commerce are involved. It was amended in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Section (b) of the act punishes not only anyone who commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.
Which of the following federal agencies coordinates, directs, and performs highly specialized
activities to protect U.S. information systems and produces foreign intelligence information?
Answer : B
The National Security Agency/Central Security Service (NSA/CSS) is a cryptologic intelligence agency of the United States government. It is administered as part of the United States Department of Defense. NSA is responsible for the collection and analysis of foreign communications and foreign signals intelligence, which involves cryptanalysis.
NSA is also responsible for protecting U.S. government communications and information systems from similar agencies elsewhere, which involves cryptography. NSA is a key component of the U.S. Intelligence Community, which is headed by the Director of National Intelligence.
The Central Security Service is a co-located agency created to coordinate intelligence activities and co-operation between NSA and U.S. military cryptanalysis agencies. NSA's work is limited to communications intelligence. It does not perform field or human intelligence activities.
Answer option A is incorrect. The National Institute of Standards and Technology (NIST), known
between 1901 and 1988 as the National
Bureau of Standards (NBS), is a measurement standards laboratory which is a non-regulatory agency
of the United States Department of
Commerce. The institute's official mission is to promote U.S. innovation and industrial
competitiveness by advancing measurement science,
standards, and technology in ways that enhance economic security and improve quality of life.
Answer option C is incorrect. The Committee on National Security Systems (CNSS) is a United States intergovernmental organization that sets policy for the security of U.S. national security systems. The CNSS holds discussions of policy issues and sets national policy, direction, operational procedures, and guidance for the information systems operated by the U.S. Government, its contractors, or agents that contain classified information, involve intelligence activities, involve cryptographic activities related to national security, etc.
Answer option D is incorrect. The United States Congress is the bicameral legislature of the federal
government of the United States of
America. It consists of the Senate and the House of Representatives. The Congress meets in the
United States Capitol in Washington, D.C.
Both senators and representatives are chosen through direct election.
Each of the 435 members of the House of Representatives represents a district and serves a two-
year term. House seats are apportioned
among the states by population. The 100 Senators serve staggered six-year terms. Each state has
two senators, regardless of population.
Every two years, approximately one-third of the Senate is elected at a time. The main function of the United States Congress is to make laws. The Office of the Law Revision Counsel organizes and publishes the United States Code (USC). It is a consolidation and codification by subject matter of the general and permanent laws of the United States.
In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199.
What levels of potential impact are defined by FIPS 199? Each correct answer represents a complete
solution. Choose all that apply.
Answer : A, B, C
FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, was developed by NIST in 2003 under FISMA; the security categorization it defines is the first step of the C&A process, because the impact level drives the selection of security controls for the system. It defines three levels of potential impact on organizations or individuals should a breach of security (a loss of confidentiality, integrity, or availability) occur:
Low: The loss could be expected to have a limited adverse effect.
Moderate: The loss could be expected to have a serious adverse effect.
High: The loss could be expected to have a severe or catastrophic adverse effect.