Question 1

Your organization is preparing to authorize a new information system. As part of the Prepare phase of the NIST SP 800-37 Risk Management Framework, your team is working to identify the system's stakeholders and their roles. Which of the following stakeholders would be responsible for ensuring that the system's security controls are properly implemented and maintained?

Options :

A : The system owner

B : The authorizing official

C : The system administrator

D : The security manager

Answer: C

Question 2

Which of the following is a key factor in the success of a security awareness and training program?

Options :

A : Use of technical jargon and complex language

B : Delivery of training in a one-time, stand-alone format

C : Alignment with organizational goals and culture

D : Restriction of training to high-risk employees only

Answer: C

Question 3

A small organization has limited resources and is struggling to implement all of the necessary NIST SP 800-53 security controls. Which of the following is the BEST approach for the organization?

Options :

A : Implement only those controls that are required by regulation or policy

B : Implement only those controls that are relevant to the organization-s risk management strategy

C : Implement only those controls that are easy to implement

D : Outsource the implementation of all security controls to a third-party vendor

Answer: B

Question 4

One Tech's AO has been informed of a significant change in the threat landscape, which increases the likelihood of a previously low-impact vulnerability being exploited. What should the AO do in response to this new information?

Options :

A : Immediately revoke the system-s ATO

B : Request an updated security control assessment focusing on the affected vulnerability

C : Consult with the system owner and security team to evaluate the increased risk and determine appropriate mitigation measures

D : Wait for the next scheduled security control assessment to review the risk

Answer: C

Question 5

What are the objectives of the Prepare step in the NIST RMF framework?

Options :

A : Facilitating better communication between senior leaders and executives at the organization and mission and business process levels and system owners

B : Facilitating organization-wide identification of common controls and the development of organizationally tailored control baselines, reducing the workload on individual system owners and the cost of system development and asset protection

C : Reducing the complexity of the information technology and operations technology infrastructure using enterprise architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services

D : Ensuring that the implemented security controls continue to provide the intended level of protection for the information system and its data throughout the system-s lifecycle.

E : Identifying, prioritizing, and focusing resources on the organizationâ€™s high-value assets and high impact systems that require increased levels of protection and taking steps commensurate with the risk to such assets.

Answer: A,B,C,E