Question 1

Which of the following is NOT a best practice for implementing security controls according to NIST SP 800-53?

Options :

A : Implementing security controls in a phased approach

B : Providing security awareness training to personnel

C : Using automated tools to monitor security controls

D : Implementing only those security controls that are required by regulation or policy

Answer: D

Question 2

One Tech's AO has been informed of a significant change in the threat landscape, which increases the likelihood of a previously low-impact vulnerability being exploited. What should the AO do in response to this new information?

Options :

A : Immediately revoke the system-s ATO

B : Request an updated security control assessment focusing on the affected vulnerability

C : Consult with the system owner and security team to evaluate the increased risk and determine appropriate mitigation measures

D : Wait for the next scheduled security control assessment to review the risk

Answer: C

Question 3

Which of the following is a key consideration when implementing security controls for an information system?

Options :

A : The system-s hardware and software components

B : The budget and resource constraints of the organization

C : The potential risks to the information system

D : The organizational structure of the system-s users

Answer: C

Question 4

What is the purpose of a security control baseline?

Options :

A : To establish a standard set of security controls that can be applied to all federal information systems and organizations

B : To define the criticality of information assets and systems within an organization

C : To establish the requirements for compliance with legal and regulatory frameworks

D : To define the rules for incident response and reporting

Answer: A

Question 5

What is the main purpose of system categorization?

Options :

A : Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

B : Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems

C : Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF

D : Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions

Answer: B

Smartly Prepare Exam with Free Online CGRC Practice Test

Buying Options: