ISC2-CGRC Domain 6: Authorization/Approval of Information Systems

Practice quiz, 20 questions. Each question has four options (A-D); select one.

1. Which component is critical in the Risk Management Framework (RMF) for obtaining an Authorization to Operate (ATO) for an information system?
A. Risk assessment report
B. User acceptance testing results
C. Software development lifecycle documentation
D. Vendor service level agreements (SLAs)

2. In the context of system authorization, what role does the Designated Approving Authority (DAA), the role now called the Authorizing Official (AO) in the RMF, play?
A. Selecting the information system's security controls
B. Performing the system's technical implementation
C. Officially accepting the risk associated with operating the system
D. Providing financial approval for the system procurement

3. Which document is essential for defining the roles, responsibilities, and expectations for all entities involved in the system authorization process?
A. Information Security Policy
B. Service Level Agreement (SLA)
C. Memorandum of Understanding (MOU) / Memorandum of Agreement (MOA)
D. User Manual

4. How does the concept of "security inheritance" facilitate the authorization process for information systems?
A. By allowing systems to inherit security controls from other authorized systems or shared services
B. By transferring security responsibilities to the system with the highest classification level
C. By mandating a uniform security posture for all systems within an organization
D. By requiring all systems to use the same security software and hardware

5. What is the primary goal of the Federal Information Security Management Act (FISMA, as amended by the Federal Information Security Modernization Act of 2014) within the context of information system authorization?
A. To promote the use of open-source software within federal systems
B. To ensure federal information systems meet standardized security requirements
C. To decrease the overall IT spending by federal agencies
D. To increase transparency in government procurement of IT systems

6. In the authorization of information systems, what role does the Security Requirements Traceability Matrix (SRTM) play?
A. It tracks budget allocations for security investments.
B. It maps security requirements to security controls to ensure comprehensive coverage.
C. It schedules the deployment of security patches and updates.
D. It lists all authorized users of the system and their access levels.

7. What significance does the concept of "reciprocity" hold in the authorization and approval process of information systems?
A. It allows systems to share security resources and infrastructure.
B. It permits the acceptance of security assessments and authorizations across different agencies or organizations.
C. It encourages the development of shared software applications.
D. It enables the mutual exchange of data between systems without security checks.

8. During the information system authorization process, what is the significance of the "e-authentication risk assessment"?
A. It determines the economic viability of the authentication mechanisms.
B. It assesses the risk associated with electronic authentication processes.
C. It identifies the optimal user interface for authentication screens.
D. It measures the speed of authentication protocols.

9. How does the "Common Criteria for Information Technology Security Evaluation" (CC) contribute to the authorization process?
A. By providing a clear framework for user interface design
B. By offering a standardized approach for evaluating the security properties of IT products and systems
C. By reducing the time required for system development
D. By ensuring compatibility between different operating systems

10. What is the purpose of "security categorization" in Federal Information Processing Standard (FIPS) 199?
A. To prioritize systems for budget allocations
B. To classify information and information systems according to their importance to national security
C. To determine the level of impact on confidentiality, integrity, and availability
D. To organize systems based on their technological complexity

11. In the context of information system authorization, what is the role of the Information System Contingency Plan (ISCP)?
A. To outline the procedures for regular system maintenance
B. To detail the actions to be taken in response to a system breach
C. To provide a comprehensive plan for system recovery in the event of a disaster or failure
D. To describe the process for system upgrades and patches

12. What is the primary focus of the "System and Services Acquisition" process in the context of system authorization?
A. To ensure that all system acquisitions are within the approved budget
B. To secure the best possible pricing from vendors
C. To integrate customer relationship management tools
D. To ensure that security requirements are integrated into the acquisition process

13. How does "Security and Privacy Controls for Federal Information Systems and Organizations" (NIST SP 800-53) assist in the authorization process?
A. By mandating the use of specific encryption algorithms
B. By providing a catalog of security and privacy controls for federal information systems to protect against threats
C. By outlining the financial models for IT security investments
D. By specifying the physical dimensions for secure data center facilities

14. The concept of "defense in depth" is integral to information system security. How does it influence the authorization and approval process?
A. By ensuring that all security personnel are adequately trained
B. By requiring the implementation of multiple layers of security controls
C. By mandating continuous monitoring of network traffic
D. By specifying the minimum number of security audits per year

15. When assessing an information system for authorization, which factor is MOST critical in determining the system's risk impact level?
A. The physical location of the system's servers
B. The volume of data processed by the system
C. The sensitivity of the information processed and stored
D. The number of users with access to the system

16. In the context of information system authorization, what role does the Security Control Assessor (SCA) play?
A. Designing the security architecture of the system
B. Implementing security controls within the system
C. Evaluating the effectiveness of security controls
D. Managing the day-to-day security operations of the system

17. During the authorization process, which document is MOST critical for outlining the responsibilities of the system owner?
A. The System Security Plan (SSP)
B. The Risk Assessment Report
C. The Security Assessment Report (SAR)
D. The Plan of Action and Milestones (POA&M)

18. What is the PRIMARY purpose of continuous monitoring in the context of information system authorization?
A. To ensure compliance with industry standards
B. To provide ongoing assessment of security control effectiveness
C. To facilitate periodic system audits
D. To support the system's change management process

19. In the authorization process for an information system, which factor is MOST crucial when determining the Level of Concern for privacy risks?
A. The total number of system users
B. The categories of data processed by the system
C. The frequency of system audits performed
D. The geographic distribution of the data centers

20. What is the PRIMARY objective of incorporating the concept of "Least Privilege" in the authorization/approval process of information systems?
A. To minimize operational complexity within the system
B. To reduce the cost of implementing security controls
C. To ensure that users have only the access necessary to perform their duties
D. To streamline the process of security audit and compliance