11/1/2012
ISA 650 Final Exam Study Guide & Sample Questions
True/False
Indicate whether the statement is true or false.
____
1. Congress has not written any legislation that has significant impact on Federal IT Security Policy.
____
2. Congress established the Office of Science and Technology Policy in 1976 with a broad mandate to advise the President and others within the Executive Office of the President on the effects of science and technology on domestic and international affairs.
____
3. The 1976 Act that established OSTP also authorizes it to lead interagency efforts to develop and implement sound science and technology policies and budgets, and to work with the private sector, state and local governments, the science and higher education communities, and other nations toward this end.
____
4. The National Security Council (NSC) serves as the President's principal arm for coordinating national security policies among various government agencies.
____
5. In accordance with the DoD Information Assurance Certification and Accreditation Process (DIACAP), all the information relevant to the Certification and Accreditation (C&A) of a particular system is collected into the one document, the Systems Security Authorization Agreement (SSAA).
____
6. The National Institute of Standards and Technology (NIST) is an agency of the Department of Commerce.
____
7. The Office of Management and Budget (OMB) has the responsibility for improving the acquisition, use and disposal of Information Technology (IT) to improve Federal programs.
____
8. The Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.
____
9. The Common Criteria is currently an international standard.
____
10. Consistent with OMB policy, the Federal IT Security Assessment Framework (FITSAF) requires all departments and agencies within the Federal Executive Branch (FEB) to implement and maintain a program to adequately secure their information and system assets.
____
11. CNSS provides policy, directives, and instructions binding upon all U.S. government departments and agencies for national security systems, including systems in the intelligence community and DoD.
Copyright © 2010, Raymond J. Curts. All Rights Reserved.
____
12. The Government Management Reform Act (GMRA) of 1994 requires agencies to have comprehensive financial statements that are audited.
____
13. The Federal Financial Management Improvement Act (FFMIA) of 1996 seeks to hold agencies accountable for complying with the FASAB accounting standards, by requiring agencies to report lack of compliance.
____
14. An important aspect of the Government Performance and Results Act (GPRA) is linking dollars to results - a.k.a. performance-based budgeting.
____
15. The Federal Information Technology Assessment Framework establishes new security requirements on the acquisition, installation and use of IT assets within the Federal Executive Branch.
____
16. The Chief Financial Officers Act (CFOA) of 1990 established a CFO at each agency, charged with implementing effective accounting and financial management systems.
____
17. The completion of system security plans is a requirement for all Federal Departments and Agencies.
____
18. Electronic Data Interchange (EDI) can be formally defined as the transfer of structured data, by agreed message standards, from one computer system to another without human intervention.
Multiple Choice
Identify the choice that best completes the statement or answers the question.
____
19. Who writes IT Security Policy within the FEB?
a. The Committee on National Security Systems (CNSS)
b. The White House
c. The Office of Management and Budget
d. All, or nearly all, Federal Executive Branch (FEB) Departments and Agencies (Ds & As) write IT Security Policies.
____
20. The mission of the Office of Science and Technology Policy is to:
a. Provide the President and his senior staff with accurate, relevant, and timely scientific and technical advice on all matters of consequence.
b. Ensure that the scientific and technical work of the Executive Branch is properly coordinated so as to provide the greatest benefit to society.
c. Ensure that the policies of the Executive Branch are informed by sound science.
d. All of the above.
____
21. The National Security Council is Chaired by the President and is attended by:
a. The Secretary of State
b. The Chairman of the Joint Chiefs of Staff
c. The Secretary of the Treasury
d. Only a. and b.
e. a., b. and c.
____
22. The Rainbow Series was / is published by the:
a. National Security Agency (NSA)
b. National Institute of Standards and Technology (NIST)
c. Office of Science and Technology Policy (OSTP)
d. None of the above
____
23. Which of the following Intelligence Community instructions deals specifically with the office of the Chief Information Officer (CIO) and Information Technology?
a. ICD 700 Series
b. DCID 7/5
c. DCID 6/3
d. ICD 500 Series
____
24. What established the requirement for Chief Information Officers in high-level executive positions?
a. Federal Information Security Management Act (FISMA)
b. Information Technology Management Reform Act (ITMRA)
c. Office of Management & Budget, Federal Enterprise Architecture (OMB FEA)
d. Cyber Security Act
____
25. The National Security Council (NSC) is Chaired by:
a. Chairman of the Joint Chiefs of Staff
b. The National Security Advisor
c. Director of National Intelligence
d. The President
____
26. The organizations and functions of the Department of Defense are set forth in:
a. The DoD Charter
b. Title 10 of the U.S. Code
c. DoD Directive 1000.1
d. Title 50 of the U.S. Code
____
27. The DoD / Military Command Structure was re-defined by:
a. Title 10 of the U.S. Code
b. The National Command Capability (NCC)
c. The Goldwater-Nichols Act of 1986
d. Title 50 of the U.S. Code
____
28. Which was the seminal publication with respect to Computer Security Evaluations?
a. The Orange Book
b. The Red Book
c. The Rainbow Series
d. The White Book
____
29. The Trusted Computer System Evaluation Criteria (TCSEC) defines security levels:
a. In accordance with the Common Criteria
b. As four main levels from D (the lowest) to A (the highest)
c. As “Approved,” “Tested,” “Minimal,” and “None”
d. None of the above
____
30. Which is the most current standard for DoD Certification and Accreditation?
a. DoD Information Technology Certification and Accreditation Program (DITSCAP)
b. DoD Information Assurance Certification and Accreditation Program (DIACAP)
c. National Information Assurance Certification and Accreditation Program (NIACAP)
d. C4I Certification and Accreditation Program (CCAP)
____
31. What agency manages the National Information Assurance Partnership (NIAP)?
a. National Institute of Standards and Technology (NIST)
b. National Security Council (NSC)
c. National Security Agency (NSA)
d. Director of National Intelligence (DNI)
____
32. With respect to the Common Criteria, a Target of Evaluation (ToE) can be defined as:
a. the measures taken during development and evaluation to assure compliance with claimed security functionality.
b. a document which identified security requirements for a class of security devices.
c. the security properties of the subject of the evaluation.
d. the product or system that is the subject of the evaluation.
____
33. With respect to Information Assurance, development of the Risk Management Framework was / is led by:
a. the National Security Agency (NSA)
b. the National Institute of Standards and Technology (NIST)
c. the Director of National Intelligence (DNI)
d. the National Information Assurance Partnership (NIAP)
____
34. The Computer Security Resource Center (CSRC) is maintained and updated by the Computer Security Division of:
a. the National Institute of Standards and Technology (NIST)
b. the Central Intelligence Agency (CIA)
c. the National Security Agency (NSA)
d. the National Security Council (NSC)
____
35. Federal Information Processing Standards (FIPS) are published by
a. the National Security Council (NSC)
b. the Committee on National Security Systems (CNSS)
c. the National Institute of Standards and Technology (NIST)
d. the Office of Science and Technology Policy (OSTP)
____
36. Which organization has the responsibility for improving the acquisition, use, and disposal of IT to improve Federal programs?
a. the Department of Commerce
b. the Office of Science and Technology Policy (OSTP)
c. the Department of the Treasury
d. the Office of Management and Budget (OMB)
____
37. The Federal Government Executive Agent for National Security Systems (NSS) is:
a. the National Security Council (NSC)
b. the Director of National Intelligence (DNI)
c. the Secretary of Defense (DoD)
d. the Director of the National Security Agency (NSA)
____
38. The Committee on National Security Systems (CNSS) is chaired by:
a. the Assistant Secretary of Defense for Network and Information Integration (ASD/NII) (a.k.a. the DoD/CIO)
b. the National Security Advisor
c. the Director of the National Security Agency (NSA)
d. the Director of National Intelligence, Chief Information Officer (DNI/CIO)
____
39. The National Information Assurance Certification and Accreditation Process (NIACAP) is published by:
a. the National Institute of Standards and Technology (NIST)
b. the Department of Commerce (DoC)
c. the Committee on National Security Systems (CNSS)
d. the National Security Agency (NSA)
____
40. What is the significance of the Computer Security Act of 1987 with respect to Federal IT Security Policy?
a. Requires that all federal agencies appoint a Chief Information Officer at the highest levels of the agency.
b. Requires the creation of Computer Security Plans
c. Assigns the responsibility to develop standards of minimum acceptable practices to NIST with the help of NSA.
d. Both b and c.
____
41. What is the significance of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 with respect to Federal Information Security Policy?
a. It requires the establishment of national standards for electronic health care transactions.
b. It requires national identifiers for providers, health insurance plans, and employers.
c. It addresses the security and privacy of health data.
d. All of the above
____
42. Which of the following directed the development of Information Technology Architectures by federal agencies?
a. Computer Security Act of 1987
b. E-Government Act of 2002
c. Paperwork Reduction Act of 1995
d. Clinger Cohen Act (CCA) of 1996.
____
43. Which of the following established the Chief Information Officer (CIO) Council and designated it the principal interagency forum for improving practices related to Federal government information resources?
a. Clinger-Cohen Act (CCA) of 1996
b. Health Insurance Portability and Accountability Act (HIPAA)
c. E-Government Act of 2002
d. Paperwork Reduction Act of 1995
____
44. Which of the following explicitly emphasized a “... risk-based policy for cost-effective security ...”?
a. Federal Information Security Management Act (FISMA) of 2002
b. Computer Security Act of 1987
c. Paperwork Reduction Act of 1995
d. Information Technology Management Reform Act (ITMRA)
____
45. The Intelligence Community (IC) is defined by and gets its authority from:
a. Title 10 of the U.S. Code
b. The National Command Capability (NCC)
c. The Goldwater-Nichols Act of 1986
d. Title 50 of the U.S. Code
____
46. The Federal IT Security Assessment Framework (FITSAF) requires all Federal departments and agencies to:
a. Protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized Access, or modification.
b. Assign a Chief Information Security Officer (CISO) at a very high level within the organization.
c. Assure that systems and applications operate effectively and provide appropriate Confidentiality, Integrity, and Availability (CIA)
d. Both a and c.
____
47. Which of the following is used for the certification and accreditation of national security systems outside of DoD?
a. DoD Information Technology Security Certification & Accreditation Process (DITSCAP)
b. Common Criteria
c. National Information Assurance Certification and Accreditation Process (NIACAP)
d. NSA/CSS Information Systems Certification and Accreditation Process (NISCAP)
____
48. The main function of the Federal Information Technology Assessment Framework is to aid in:
a. regulating IT spending within the Federal government.
b. ensuring interoperability among Federal IT assets.
c. the assessment of the status of security controls for a given asset or collection of assets.
d. developing IT Strategic Plans within the Federal government.
____
49. The Federal IT Security Assessment Framework identifies five levels of security. The lowest, least secure level is labeled “documented security policy.” What is the highest, most secure level?
a. Tested and Reviewed Procedures and Controls
b. Fully Integrated Procedures and Controls
c. Implemented Procedures and Controls
d. Documented Procedures
____
50. Under FISMA, NIST is given the following responsibilities for systems not designated as national security systems:
a. develop standards and guidelines, and associated methods and techniques including minimum requirements, for providing adequate information security for all agency operations and assets.
b. operate and maintain the Federal IT infrastructure.
c. monitor implementation of Federal IT security controls.
d. ensure IT budgets accurately reflect legitimate IT needs.
____
51. The main purpose of the NIST Joint Task Force Transformation Initiative is to:
a. Develop and implement the Common Criteria standard within the Federal Executive Branch.
b. Monitor Federal government migration from internally hosted networks to cloud computing.
c. Monitor migration of major IT initiatives from one Federal agency to another.
d. Bring together representatives from NIST, DoD, and Intelligence Community to revise existing information security publications so that they can be applied across all federal agencies.
____
52. What is the first step in developing an Information Security / Information Assurance program plan?
a. Conduct a risk assessment.
b. Establish a monetary ceiling in support of our efforts.
c. Obtain management buy-in.
d. Identify and capture our system definition and boundaries - the target of our security plan.
____
53. In preparation for developing an IT Security Plan, we have several choices for capturing our system definition and boundaries. These include:
a. Federal Enterprise Architecture (OMB FEA)
b. DoD Architecture Framework (DoDAF)
c. Target of Evaluation (Common Criteria – NIAP)
d. All of the above.
____
54. The Federal Information Security Management Act of 2002 requires agencies to:
a. Submit annual IT budgets to congress for review and approval.
b. Manage IT funding in accordance with Federal accounting standards.
c. Integrate IT security into their capital planning and enterprise architecture processes, conduct annual IT security reviews of all programs and systems, and report the results of those reviews to the Office of Management and Budget (OMB).
d. Compile a complete, detailed IT Enterprise Architecture for yearly submission to OMB.
____
55. The information in OMB Exhibit 53, “Information Technology Investments,” allows each agency and OMB to review and evaluate IT spending and to compare IT spending across the Federal Government. Specifically, this information helps the agency and OMB to:
a. Identify costs for providing IT security
b. Understand the amount being spent on development and modernization of IT
c. Provide a full and accurate accounting of IT investments
d. All of the above
____
56. OMB Exhibit 300 – Capital Asset Plans:
a. Include budget justification and reporting requirements for major information technology (IT) investments.
b. Ensure that agencies are always outfitted with the latest, most advanced technology.
c. Established policy for planning, budgeting, acquisition and management of Federal capital assets.
d. Both a and c.
____
57. OMB Exhibit 300s are business cases that provide:
a. A high level summary of the major IT investments.
b. Justification on why an investment should continue.
c. Justification for the President’s annual budget.
d. Both a and b.
____
58. An Incident Response Plan (IRP):
a. describes a preplanned response to very serious events.
b. details a first-level response, to events that are anticipated to occur occasionally.
c. ensures that a business can continue to operate through a disaster.
d. is required so operations can be moved (perhaps only temporarily) to another site.
____
59. A Business Continuity Plan (BCP):
a. describes a preplanned response to very serious events.
b. details a first-level response, to events that are anticipated to occur occasionally.
c. contains a detailed response to failure of a system component.
d. is required so operations can be moved (perhaps only temporarily) to another site, ensuring that the business can continue operations.
____
60. A Disaster Recovery Plan (DRP):
a. describes a preplanned response to very serious events.
b. details a first-level response, to events that are anticipated to occur occasionally.
c. contains a detailed response to failure of a system component.
d. is required so operations can be moved (perhaps only temporarily) to another site, ensuring that the business can continue operations.
Multiple Response
Identify one or more choices that best complete the statement or answer the question.
____
61. The Office of Science and Technology Policy (OSTP) sponsored which of the following? (Select all that apply.)
a. Net Centric Command and Control Architecture (NC3A)
b. Continuity Communication Enterprise Architecture (CCEA)
c. Unified Command Structure (UCS)
d. National Command Capability (NCC)
____
62. The purpose of the Continuity Communications Enterprise Architecture (CCEA) was to: (Select all that apply.)
a. Develop a CC FEA Framework
b. Populate the National Communications Register (NCR)
c. Oversee development of the CC FEA
d. Support FEB Minimum Essential Functions under all circumstances
____
63. The responsibilities of the Committee on National Security Systems (CNSS) include providing:
a. reliable, continuous assessments of threats and vulnerabilities
b. effective countermeasures
c. a technical base within the Federal Government to achieve security goals
d. support from the private sector to enhance the technical base
____
64. The Federal Information Technology Security Assessment Framework (FITSAF): (Select all that apply.)
a. Provides a method for agency officials to determine the current status of their security programs relative to existing policy.
b. Is consistent with Office of Management and Budget (OMB) policy.
c. Does NOT establish new security requirements.
d. Provides a method for agency officials to establish a target for improvement where necessary.
____
65. The Chief Financial Officers Act (CFOA) of 1990 established:
a. The Federal Enterprise Architecture
b. A Chief Financial Officer (CFO) at each agency
c. The Federal Accounting Standards Advisory Board (FASAB)
d. The Chief Information Officer Council
____
66. The Government Performance and Results Act (GPRA) of 1993 is based on three elements. They are:
a. agencies are required to develop five-year strategic plans that must contain a mission statement for the agency, and long term results-oriented goals.
b. agencies must submit their IT budgets to Congress for approval.
c. agencies must prepare annual performance reports that review the agency’s success or failure in meeting its targeted performance goals.
d. agencies are required to prepare annual performance plans that establish the performance goals for the applicable fiscal year, a brief description of how these goals are to be met, and a description of how these performance goals can be verified.
____
67. Some of the problems / issues with OMB Exhibit 300s include:
a. Developing solutions at the sub-agency or bureau level that could be addressed more efficiently at the enterprise level.
b. Receiving inadequate guidance on matters like Risk Management, Alternatives Analysis, Enterprise Architecture, and Cost Benefits Analysis
c. Getting lost in poorly prepared or non-existent templates for Business Case Documents.
d. Inadequate training and technical assistance about the process.
____
68. Business impact analysis (BIA):
a. starts with a Risk Assessment to identify risks and enable management to decide what (if anything) should be done about them.
b. describes an approach to mitigating disasters.
c. is the first set of activities in contingency planning.
d. is an essential Pay-For-Performance metric.
____
69. Key aspects of the Government Performance and Results Act (GPRA) and related legislation include:
a. a Focus on Results
b. Financial Accountability
c. Budgets Tied to Performance Goals
d. Pay-for-Performance
Completion
Complete each statement.
70. The authors of the Trusted Network Interpretation of the TCSEC were __________ and __________ .
71. The Information Assurance Technical Framework (IATF) is led by ______________ in partnership with _______________ .
Matching
Select the best match from the selections below.
Match each legislation with its most significant impact on Federal IT Security Policy.
(No answer should be used more than once.)
a. Clinger-Cohen Act of 1996
b. Paperwork Reduction Act of 1995
c. E-Government Act of 2002
d. Federal Information Security Management Act (FISMA) of 2002
e. Health Insurance Portability and Accountability Act (HIPAA) of 1996
f. Computer Security Act of 1987
g. Information Technology Management Reform Act (ITMRA) of 1996
h. Homeland Security Act (HSA)
i. Electronic Communications Privacy Act (ECPA)
j. Counterfeit Access Device and Computer Fraud and Abuse Act (CADCFAA)
____
72. Also known as the Clinger-Cohen Act.
____
73. Requires the creation of computer security plans, and the appropriate training of system users or owners where the systems house sensitive information.
____
74. Requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
____
75. Requires each agency to appoint an agency Chief Information Officer (CIO) with visibility and management responsibility.
____
76. Requires each agency to develop and maintain a strategic IRM plan to help accomplish agency missions.
____
77. Establishes the CIO Council and designates it as the principal interagency forum for improving agency practices related to the design, acquisition, development, modernization, use, operation, sharing, and performance of Federal government information resources.
____
78. Requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
____
79. Extended government restrictions on wire taps and protects wire, oral, and electronic communications while in transit.
____
80. Created the Department of Homeland Security.
____
81. The first piece of federal legislation to focus directly on computer abuses.
Short Answer
Briefly answer the following questions. Be sure to answer all parts of each question.
82. What is the primary difference between Information Security and Information Assurance? Why is it significant? Explain briefly.
83. What is the difference between data, information and knowledge? Explain.
84. What is the underlying philosophy behind the Common Criteria? What problem does it attempt to solve? Explain.
85. Describe the National Checklist Program (NCP). Who runs it? What are some of the goals? Briefly explain the concept.
86. Describe the Risk Management Framework. Where was it developed? Why? Briefly explain the process.
87. What is the relationship between Enterprise Architecture and Information Security efforts? Explain.
88. What is the significance of OMB Circular A-130?
89. Briefly, describe the “Quagmire” of Federal Information Security Policy. Briefly explain its impact on Federal Information Security / Assurance.
90. What is the Simple Security Property with respect to Information Security / Information Assurance? Explain briefly.
91. With respect to Information Security / Information Assurance, what is the Star (*) Property? Explain briefly.
92. Define Multi-Level Security and briefly explain how it works.
93. Briefly describe the function and purpose of the Federal Information Technology Security Assessment Framework (FITSAF). What does it do? How are the results used?
94. From a Federal Information Security Policy perspective, briefly describe the main differences between NIST responsibilities and CNSS responsibilities.
95. Briefly describe the Information Assurance Technical Framework. What is it? Who leads it? Who participates?
96. Briefly describe the focus and function of the Federal CIO Council.
97. Briefly explain the Government Performance and Results Act (GPRA) concept of Performance Based Budgeting. What are some of the issues / concerns associated with such a system?
98. Briefly explain the concept of Pay-For-Performance with respect to federal IT managers. What are some of the issues / concerns associated with such a system?
99. There are three basic types of policy for information and information system security. Name and briefly describe those three types of IT policy.
100. In the context of IT Security Policy, briefly define and describe the differentiating factors between Practices, Procedures and Guidelines.
101. Briefly describe the main difficulty with the concept of Pay for Performance as it relates to Federal IT Security Policy and Civil Service Reform.
Essay
102. In your opinion, what is the most significant issue related to Federal Information Security Policy within the FEB and how would you go about fixing it? Describe the problem and explain the ramifications with respect to policy development, management and compliance. Identify and describe a methodology for fixing, or at least improving, this issue. Your proposed solution must at least have some reasonable chance of success in the existing environment. Be specific.
103. Suppose you are responsible for Information Security in some Federal Department or Agency, let’s say … The Federal Bureau of Investigation (FBI). With which of the many Federal IT Security Policies that we have mentioned (and/or those we have not even gotten to) would you be required to comply? How would you know? Where / how would you start? How can you be sure you’ve captured them all? Explain a viable research process that you might implement to capture the required information.
104. Describe the Federal Information Technology Security Assessment Framework (FITSAF). What is it for? What are the levels? How is it used?
105. As it applies to Federal Information Systems, describe the key aspects of government reform with respect to the Government Performance and Results Act (GPRA) and related legislation (i.e., the Chief Financial Officers Act (CFOA), the Government Management Reform Act (GMRA) and the Federal Financial Management Improvement Act (FFMIA)).
106. Describe the Office of Management and Budget Federal Enterprise Architecture (OMB FEA) initiative. What is the purpose / goal? What are the constructs?
107. Describe the DoD Architecture Framework (DoDAF). What is its purpose / goal? How is it constructed?
108. Define Policies, Standards, Practices, Procedures and Guidelines and describe the relationships among them.
109. The National Reconnaissance Office (NRO) is composed of elements from the U.S. Army, Navy and Air Force as well as the Central Intelligence Agency (CIA), with connectivity to many major Combatant Commands (COCOMs) and other government agencies such as the National Geospatial Intelligence Agency (NGA), among others. In other words, the NRO has connections to multiple Federal Executive Branch (FEB) Departments and Agencies (Ds&As). Suppose you are a newly appointed NRO Information System Security Officer (ISSO). With which of the many Federal IT Security Policies that we have mentioned (and/or those we have not even gotten to) would you be required to comply? How would you know? Where / how would you start? How can you be sure you’ve captured them all? Explain a viable research process that you might follow to capture the required information.