d. 1, 2, 3, and 4

26. d. The process of uniquely assigning information resources (e.g., information, personnel, equipment, funds, and IT infrastructure) to an information system defines the security boundary for that system.

27. For new information systems, which of the following can be interpreted as having budgetary authority and responsibility for developing and deploying the information systems?

a. Security control

b. Management control

c. Operational control

d. Technical control

27. b. For new information systems, management control can be interpreted as having budgetary or programmatic authority and responsibility for developing and deploying the information systems. For current systems in the inventory, management control can be interpreted as having budgetary or operational authority for the day-to-day operation and maintenance of the information systems.

28. Which of the following actions should be implemented when a security function is unable to execute automated self-tests for verification?

1. Compensating controls

2. System-specific controls

3. Common controls

4. Accept the risk

a. 1 only

b. 2 and 3

c. 1, 2, and 3

d. 1, 2, 3, and 4

28. d. For those security functions that are unable to execute automated self-tests, organizations should implement compensating controls (i.e., management, technical, and operational controls), system-specific controls, common controls, or a combination of these controls. Otherwise, the organization's management explicitly accepts the risk of not performing the verification process.

29. Compensating security controls for an information system should be used by an organization only under which of the following conditions?

1. Selecting compensating controls from the security control catalog

2. Providing justification for the use of compensating controls

3. Performing a formal risk assessment

4. Accepting the risk associated with the use of compensating controls

a. 1 only

b. 3 only

c. 1 and 3

d. 1, 2, 3, and 4

29. d. Compensating security controls for an information system should be used by an organization only under the following conditions: (i) the organization selects the compensating controls from the security control catalog, (ii) the organization provides a complete and convincing rationale and justification for how the compensating controls provide an equivalent security capability or level of protection for the information system, and (iii) the organization assesses and formally accepts the risk associated with using the compensating controls in the information system.

30. Common security controls can be applied to which of the following?

1. All of an organization’s information systems

2. A group of systems at a specific site

3. Common systems at multiple sites

4. Common subsystems at multiple sites

a. 1 only

b. 2 only

c. 1 and 2

d. 1, 2, 3, and 4

30. d. Common security controls can apply to (i) all of an organization’s information systems, (ii) a group of information systems at a specific site, or (iii) common information systems, subsystems, or applications, including hardware, software, and firmware, deployed at multiple operational sites.

31. Which of the following should form the basis for management authorization to process information in a system or to operate an information system?

a. A plan of actions

b. Milestones

c. System security plan

d. Assessment report

31. c. Management authorization to process information in a system or to operate a system should be based on the assessment of management, operational, and technical controls. Because the system security plan establishes and documents the security controls, it should form the basis for the authorization, supplemented by the assessment report and the plan of actions and milestones.

32. Periodic assessment of the system security plan requires a review of changes occurring in which of the following areas?

1. System status

2. System scope

3. System architecture

4. System interconnections

a. 1 and 2

b. 3 and 4

c. 1, 2, and 3

d. 1, 2, 3, and 4
