Which option below is designed to reduce the level of risk to the information system and its data to a level the organization deems acceptable?
Also known as white hat testing, this type of security testing involves a comprehensive evaluation of the network or system posture with an organization’s IT staff’s consent.
Which document should contain the controls for the system and environment of operation?
In an essay of no less than 250 words, answer the following: In Week 5, we learned that security is a design problem. If security is a design problem, this must explicitly mean that the system must undergo a redesign to apply new security to an operational system. Identify the phases of the system development life cycle (SDLC), including the security activities during each phase. There is no need to detail the security activities and definitions. Focus on the SDLC activities in each phase; summarization is acceptable.
Which of the following is not a valid authorizing official’s (AO) expressed authorization decision?
Decisions about managing security and privacy risks at the system level are closely linked to which of the following?
In an essay of no less than 250 words, answer the following: According to the National Institute of Standards and Technology Special Publication (NIST SP) 800-100, “risk is a function of the likelihood of a given threat source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.” Therefore, risk is an equation that includes likelihood, threats, vulnerabilities, and impacts. Define an example information system and describe the risk assessment process and the resulting risk calculation applied to that hypothetical information system. Be sure to include the categorization/characterization of your theoretical information system as part of your calculation.
While the Risk Management Framework (RMF) steps are listed sequentially, they can be carried out in non-sequential order.
Which systems can receive an Authorization To Operate with a “Very High” not compliant (NC) control?
Which of the following is an input to the organization-level risk management plan?