Risk Management Framework (ISC2 CGRC) Flashcards
ISC2 Governance, Risk and Compliance (CGRC) Flashcards

| Front | Back |
| --- | --- |
| How often should security controls be assessed for effectiveness | Regularly and as part of the continuous monitoring process |
| What activities are included in continuous monitoring | Ongoing assessments, vulnerability scanning, and incident tracking |
| What category under NIST 800-53 emphasizes privacy controls | Privacy controls are addressed in Appendix J |
| What document defines roles and responsibilities for RMF participants | NIST Special Publication 800-37 |
| What does FIPS 199 provide | Standards for security categorization of federal information and information systems |
| What framework is typically used to select security controls | NIST Special Publication 800-53 |
| What is a common type of risk assessment methodology | NIST Special Publication 800-30 |
| What is a Security Control Baseline | A predefined set of controls for systems with a particular impact level |
| What is POAM in the context of RMF | Plan of Actions and Milestones, used to track remediation efforts |
| What is the fifth step in the RMF process | Authorize the System |
| What is the first step in the RMF process | Categorize the Information System |
| What is the fourth step in the RMF process | Assess Security Controls |
| What is the goal of continuous monitoring | To maintain an up-to-date security posture and address new risks as they arise |
| What is the main focus of Step 1 (Categorization) | Identifying system characteristics and potential impacts of risks |
| What is the primary objective of the Risk Management Framework | A structured approach to manage security and privacy risks in organizational systems |
| What is the primary purpose of an Authorization to Operate (ATO) | To formally accept risk and allow system operation |
| What is the purpose of assessing security controls | To verify that the controls have been implemented correctly, operate as intended, and meet security requirements |
| What is the purpose of categorizing an information system | To determine the level of impact a potential security breach would have on the organization |
| What is the role of a Security Categorization | Identifies impact levels for confidentiality, integrity, and availability |
| What is the role of the Information System Owner (ISO) in RMF | Oversees the system's overall security posture |
| What is the second step in the RMF process | Select Security Controls |
| What is the sixth step in the RMF process | Monitor Security Controls |
| What is the third step in the RMF process | Implement Security Controls |
| What is typically created to document the implementation of security controls | System Security Plan (SSP) |
| What NIST guideline aids in the selection of security controls | NIST Special Publication 800-53 |
| What NIST publication outlines the RMF process | NIST Special Publication 800-37 |
| What principle emphasizes integrating RMF tasks into the system development lifecycle | Early and ongoing integration |
| What publication provides guidelines for categorizing information and systems | NIST Special Publication 800-60 |
| What step involves reviewing the system's security and privacy documentation | Assess Security Controls |
| What type of threat data informs the RMF process | Threat intelligence and risk assessments |
| Who typically grants the Authority to Operate (ATO) | Authorizing Official (AO) |
About the Flashcards
Flashcards for the ISC2 Governance, Risk and Compliance (CGRC) exam guide you through every phase of the Risk Management Framework, from initial categorization to continuous monitoring. Review key NIST references such as SP 800-37, 800-53, 800-60, and FIPS 199, and connect each publication to tasks like selecting control baselines, documenting SSPs, and preparing POAMs.
These cards reinforce crucial terminology (impact levels, security categorization, ATO, AO, ISO) and clarify the purpose of assessments, threat intelligence, and ongoing integration within the system development lifecycle. Use them to cement the sequence of RMF steps, understand required documentation, and recall the roles responsible for safeguarding information systems on exam day.
Topics covered in this flashcard deck:
- Risk Management Framework
- NIST special publications
- Security control lifecycle
- Authorization to Operate
- Continuous monitoring
- Roles and responsibilities