Risk Management Framework (ISC2 CGRC) Flashcards
ISC2 Governance, Risk and Compliance (CGRC) Flashcards
| Front | Back |
| --- | --- |
| How often should security controls be assessed for effectiveness | Regularly and as part of the continuous monitoring process |
| What activities are included in continuous monitoring | Ongoing assessments, vulnerability scanning, and incident tracking |
| Where does NIST SP 800-53 address privacy controls | In Rev. 4 they were a separate catalog in Appendix J; Rev. 5 integrates privacy controls into the main catalog (for example the PT, Personally Identifiable Information Processing and Transparency, family) |
| What document defines roles and responsibilities for RMF participants | NIST Special Publication 800-37 |
| What does FIPS 199 provide | Standards for security categorization of federal information and information systems |
| What framework is typically used to select security controls | NIST Special Publication 800-53 |
| Which NIST publication provides the risk assessment methodology used in the RMF | NIST Special Publication 800-30, Guide for Conducting Risk Assessments |
| What is a Security Control Baseline | A predefined starting set of controls for systems at a given impact level (low, moderate, or high), tailored to the system; since SP 800-53 Rev. 5 the baselines are published separately in SP 800-53B |
| What is a POA&M in the context of RMF | Plan of Action and Milestones, the document that tracks identified weaknesses, the planned remediation, responsible parties, and target dates |
| What is the fifth step in the RMF process | Authorize the System |
| What is the first step in the RMF process | Categorize the Information System (SP 800-37 Rev. 2 adds an organization- and system-level Prepare step that precedes it) |
| What is the fourth step in the RMF process | Assess Security Controls |
| What is the goal of continuous monitoring | To maintain an up-to-date security posture and address new risks as they arise |
| What is the main focus of Step 1 (Categorization) | Documenting the system's characteristics and the information it processes, and rating the impact (low, moderate, or high) of a loss of confidentiality, integrity, or availability |
| What is the primary objective of the Risk Management Framework | A structured approach to manage security and privacy risks in organizational systems |
| What is the primary purpose of an Authorization to Operate (ATO) | The Authorizing Official's formal, documented acceptance of the residual risk of operating the system, which permits it to operate |
| What is the purpose of assessing security controls | To verify that the controls have been implemented correctly, operate as intended, and meet security requirements |
| What is the purpose of categorizing an information system | To determine the level of impact a potential security breach would have on the organization |
| What is the role of a Security Categorization | Identifies impact levels for confidentiality, integrity, and availability |
| What is the role of the System Owner in RMF | Responsible for the procurement, development, integration, operation, maintenance, and disposal of the system, including preparing the System Security Plan and ensuring controls are implemented (SP 800-37 uses "system owner"; the abbreviation ISO is easily confused with Information Security Officer) |
| What is the second step in the RMF process | Select Security Controls |
| What is the sixth step in the RMF process | Monitor Security Controls |
| What is the third step in the RMF process | Implement Security Controls |
| What is typically created to document the implementation of security controls | System Security Plan (SSP) |
| What NIST guideline aids in the selection of security controls | NIST Special Publication 800-53 |
| What NIST publication outlines the RMF process | NIST Special Publication 800-37 |
| What principle emphasizes integrating RMF tasks into the system development lifecycle | RMF tasks are built into the SDLC early and carried out continuously, rather than applied once before authorization |
| What publication provides guidelines for categorizing information and systems | NIST Special Publication 800-60 |
| What step involves reviewing the system's security and privacy documentation | Assess Security Controls |
| What type of threat data informs the RMF process | Threat intelligence and risk assessments |
| Who typically grants the Authorization to Operate (ATO) | The Authorizing Official (AO), a senior official who accepts the risk on behalf of the organization |
This deck covers the steps and core principles of the RMF, focusing on each phase from categorization to monitoring, as defined in NIST SP 800-37. The ordinal step numbers follow the six-step sequence from Rev. 1, which Rev. 2 keeps after its added Prepare step.