Risk Management Framework (ISC2 CGRC) Flashcards
ISC2 Governance, Risk and Compliance (CGRC) Flashcards
| Front | Back |
|---|---|
| How often should security controls be assessed for effectiveness | Regularly and as part of the continuous monitoring process |
| What activities are included in continuous monitoring | Ongoing assessments, vulnerability scanning, and incident tracking |
| What category under NIST 800-53 emphasizes privacy controls | Privacy controls are addressed in Appendix J |
| What document defines roles and responsibilities for RMF participants | NIST Special Publication 800-37 |
| What does FIPS 199 provide | Standards for security categorization of federal information and information systems |
| What framework is typically used to select security controls | NIST Special Publication 800-53 |
| What is a common type of risk assessment methodology | NIST Special Publication 800-30 |
| What is a Security Control Baseline | A predefined set of controls for systems with a particular impact level |
| What is POAM in the context of RMF | Plan of Actions and Milestones, used to track remediation efforts |
| What is the fifth step in the RMF process | Authorize the System |
| What is the first step in the RMF process | Categorize the Information System |
| What is the fourth step in the RMF process | Assess Security Controls |
| What is the goal of continuous monitoring | To maintain an up-to-date security posture and address new risks as they arise |
| What is the main focus of Step 1 (Categorization) | Identifying system characteristics and potential impacts of risks |
| What is the primary objective of the Risk Management Framework | A structured approach to manage security and privacy risks in organizational systems |
| What is the primary purpose of an Authorization to Operate (ATO) | To formally accept risk and allow system operation |
| What is the purpose of assessing security controls | To verify that the controls have been implemented correctly, operate as intended, and meet security requirements |
| What is the purpose of categorizing an information system | To determine the level of impact a potential security breach would have on the organization |
| What is the role of a Security Categorization | Identifies impact levels for confidentiality, integrity, and availability |
| What is the role of the Information System Owner (ISO) in RMF | Oversees the system's overall security posture |
| What is the second step in the RMF process | Select Security Controls |
| What is the sixth step in the RMF process | Monitor Security Controls |
| What is the third step in the RMF process | Implement Security Controls |
| What is typically created to document the implementation of security controls | System Security Plan (SSP) |
| What NIST guideline aids in the selection of security controls | NIST Special Publication 800-53 |
| What NIST publication outlines the RMF process | NIST Special Publication 800-37 |
| What principle emphasizes integrating RMF tasks into the system development lifecycle | Early and ongoing integration |
| What publication provides guidelines for categorizing information and systems | NIST Special Publication 800-60 |
| What step involves reviewing the system's security and privacy documentation | Assess Security Controls |
| What type of threat data informs the RMF process | Threat intelligence and risk assessments |
| Who typically grants the Authority to Operate (ATO) | Authorizing Official (AO) |
This deck covers the steps and core principles of the RMF, focusing on each phase from categorization to monitoring, as defined in NIST guidelines.