Question 1

Which of the following is NOT a question you should ask when considering best practices for your organization?
A) Do you have a similar customer base as the target?
B) Is your organization structure similar to the target?
C) Do you face similar challenges as the target?
D) Are you in a similar industry as the target?

Accepted Answer

The question "Do you have a similar customer base as the target?" is not a relevant question to ask when considering best practices for your organization. The focus should be on the organization's own challenges and goals, rather than on the customer base of another organization.

Question 2

A(n)____________________ is an external "value or profile of a performance metric against which changes in the performance metric can be usefully compared."

Accepted Answer

The answer of A(n)____________________ is an external "value or profile...

Question 3

Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any ____________________ organization would do in similar circumstances.

Accepted Answer

The answer of Organizations that adopt minimum levels of security...

Question 4

One of the factors critical to the success of an information security performance program is practical information security ____________________ and procedures.

Accepted Answer

The answer of One of the factors critical to the...

Question 5

Security Certification & Accreditation initiative offers several benefits.Which of the following is NOT one of them?
A) More consistent, comparable, and repeatable certifications of InfoSec programs
B) More complete, reliable information for authorizing officials
C) Greater availability of competent security evaluation and assessment services
D) More secure IT systems within the federal government

Accepted Answer

The answer of Security Certification & Accreditation initiative offers several...

Question 6

Which of the following would NOT be a valuable performance measure?
A) Percent of the organization's IT budget devoted to InfoSec
B) Percent of IT personnel that have received security training
C) Percent of media that has been sanitized
D) Percent of vulnerabilities that have been remediated with organizationally specified time frames

Accepted Answer

Percent of media that has been sanitized is not a valuable performance measure for InfoSec as it does not necessarily provide an accurate indication of the effectiveness of security measures within an organization. Factors such as the type of media and the level of sensitivity of the information it contains can significantly affect the value of this measure. The other options (A, B, and D) are all valuable performance measures for InfoSec as they provide insight into the allocation of resources, training of personnel, and the effectiveness of vulnerability management efforts.

Question 7

Which of the following is NOT a goal of the NIST System Certification and Accreditation Project:
A) Develop standard guidelines and procedures for certifying and accrediting corporate IT systems, including the critical infrastructure of the United States
B) Define essential minimum security controls for federal IT systems
C) Promote the development of public- and private-sector assessment organizations and certification of individuals capable of providing cost-effective, high-quality security certifications based on standard guidelines and procedures
D) All of these are goals of the NIST C&A Project

Accepted Answer

The answer of Which of the following is NOT a...

Question 8

Under the NIST SP 800-37 security controls model,systems are classified into a specific security certification level.Which of the following is the level of certification for high-priority systems?
A) SCL-1
B) SCL-2
C) SCL-3
D) SCL-4

Accepted Answer

SCL-3 is the level of certification for high-priority systems under the NIST SP 800-37 security controls model.

Question 9

Best security practices balance the need for information ____________________ with the need for adequate protection while simultaneously demonstrating fiscal responsibility.

Accepted Answer

The answer of Best security practices balance the need for...

Question 10

The benefits of using information security performance measures include "increasing ____________________ for information security performance; improving effectiveness of information security activities; demonstrating compliance with laws,rules,and regulations; and providing quantifiable inputs for resource allocation decisions."

Accepted Answer

The answer of The benefits of using information security performance...

Question 11

A problem with benchmarking is that recommended practices are a(n)____________________; that is,knowing what happened a few years ago does not necessarily tell you what to do next.

Accepted Answer

The answer of A problem with benchmarking is that recommended...

Question 12

According to NIST SP 800-37,the first step in the security controls selection process is to ____.
A) characterize the system
B) select the appropriate minimum security controls for the system
C) adjust security controls based on system exposure and risk decisions
D) None of these

Accepted Answer

According to NIST SP 800-37, the first step in the security controls selection process is to characterize the system. This involves identifying the system's purpose, function, and operational environment, as well as its assets, data, and potential threats and vulnerabilities. Once the system has been characterized, the appropriate minimum security controls can be selected and implemented, and adjustments can be made based on the system's exposure and risk decisions.

Question 13

The ____________________ standard is a model level of performance that demonstrates industrial leadership,quality,and concern for the protection of information.

Accepted Answer

The answer of The ____________________ standard is a model level...

Question 14

Organizations typically use three types of performance measures,including those that assess the impact of a(n)____________________ or other security event on the organization or its mission.

Accepted Answer

The answer of Organizations typically use three types of performance...

Question 15

In future certification and accreditation practices,NIST will focus less on certification and accreditation strategies,and more on ____.
A) holistic risk management strategy
B) accreditation and certification
C) managed controls
D) international standards such as ISO

Accepted Answer

The statement suggests that in the future, NIST will prioritize a holistic risk management strategy over traditional certification and accreditation practices. Therefore, option A is the best choice as it aligns with NIST's future approach. Option B is incorrect as it contradicts the statement, and option C is too narrow in scope. Option D may be relevant, but it is not mentioned as a specific focus for NIST in the statement.

Question 16

It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of ____________________.

Accepted Answer

The answer of It is no longer sufficient to simply...

Question 17

The typical length of certification and/or accreditation is ____.
A) less than 1 year
B) 1-2 years
C) 3-5 years
D) virtually permanent

Accepted Answer

The typical length of certification and/or accreditation is 3-5 years. This allows for periodic reviews and updates to ensure continued compliance with standards and best practices.

Question 18

When an organization applies statistical and quantitative forms of mathematical analysis to the data points collected to measure the activities and outcomes of the InfoSec program,it is using InfoSec ____________________.

Accepted Answer

The answer of When an organization applies statistical and quantitative...

Question 19

The purpose of NIST SP 800-53 (R3)as part of the NIST System C&A Project is to establish a set of standardized,minimum security controls for IT systems addressing low,moderate,and high levels of concern for ____.
A) confidentiality
B) integrity
C) availability
D) all of these

Accepted Answer

NIST SP 800-53 (R3) provides security controls for all three aspects of information security: confidentiality, integrity, and availability. The purpose of the document is to establish minimum security controls for IT systems, addressing low, moderate, and high levels of concern for all three aspects of information security.

Question 20

In the future,NIST plans to replace accreditation with ____ and certification with ____.
A) certification; accreditation
B) approvals; assessments
C) assessments; critical elements
D) authorization; security control assessment

Accepted Answer

NIST plans to replace accreditation with authorization and certification with security control assessment. This shift is meant to emphasize the importance of ongoing risk management and continuous monitoring of security controls, rather than a one-time certification or accreditation process.

Quiz 7: Security Management Practices

Which of the following is NOT a question you should ask when considering best practices for your organization?

A(n)____________________ is an external "value or profile of a performance metric against which changes in the performance metric can be usefully compared."

Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any ____________________ organization would do in similar circumstances.

One of the factors critical to the success of an information security performance program is practical information security ____________________ and procedures.

Security Certification & Accreditation initiative offers several benefits.Which of the following is NOT one of them?

Which of the following would NOT be a valuable performance measure?

Which of the following is NOT a goal of the NIST System Certification and Accreditation Project:

Under the NIST SP 800-37 security controls model,systems are classified into a specific security certification level.Which of the following is the level of certification for high-priority systems?

Best security practices balance the need for information ____________________ with the need for adequate protection while simultaneously demonstrating fiscal responsibility.

A problem with benchmarking is that recommended practices are a(n)____________________; that is,knowing what happened a few years ago does not necessarily tell you what to do next.

According to NIST SP 800-37,the first step in the security controls selection process is to ____.

The ____________________ standard is a model level of performance that demonstrates industrial leadership,quality,and concern for the protection of information.

Organizations typically use three types of performance measures,including those that assess the impact of a(n)____________________ or other security event on the organization or its mission.

In future certification and accreditation practices,NIST will focus less on certification and accreditation strategies,and more on ____.

It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of ____________________.

The typical length of certification and/or accreditation is ____.

When an organization applies statistical and quantitative forms of mathematical analysis to the data points collected to measure the activities and outcomes of the InfoSec program,it is using InfoSec ____________________.

The purpose of NIST SP 800-53 (R3) as part of the NIST System C&A Project is to establish a set of standardized,minimum security controls for IT systems addressing low,moderate,and high levels of concern for ____.

In the future,NIST plans to replace accreditation with and certification with .