186. b. A system’s impact can be defined in terms of low, moderate, or high. For example, a system determined to be of low impact may not require hands-on security testing and evaluation. Various techniques, such as questionnaires, interviews, documentation reviews, and automated scanning tools can be used to collect the information needed to fully characterize the system.

187. The level of effort and granularity of the risk assessment are based on which of the following?

a. Threat identification

b. Vulnerability identification

c. Risk analysis

d. Security categorization

187. d. The level of effort and the granularity (i.e., the level of depth at which the assessment investigates the security of the system) of the risk assessment are based on security categorization.

188. Which of the following can be used to augment the vulnerability source reviews in the risk assessment process of identifying vulnerabilities?

a. Penetration testing

b. Previous risk assessments

c. Previous audit reports

d. Vulnerability lists

188. a. Penetration testing and system security testing methods (e.g., use of automated vulnerability scanning tools and security test and evaluation methods) can be used to augment the vulnerability source reviews and identify vulnerabilities that may not have been previously identified in other sources.

189. The risk analysis steps performed during the risk assessment process do not include which of the following?

a. Control analysis

b. Likelihood determination

c. Vulnerability identification

d. Risk determination

189. c. Risk analysis includes four substeps: control analysis, likelihood determination, impact analysis, and risk determination. Vulnerability identification is performed prior to risk analysis. The control analysis results are used to strengthen the determination of the likelihood that a specific threat might successfully exploit a particular vulnerability. Checklists and questionnaires are used in the control analysis exercise.

190. Regarding external service providers operating in external system environments, which one of the following items is required when the other three items are not present to provide sufficient confidence?

a. Level of trust

b. Compensating controls

c. Level of control

d. Chain of trust

190. b. Where a sufficient level of trust, level of control, or chain of trust cannot be established in the external system and/or by the external service provider through a service-level agreement (SLA), an internal organization employs compensating controls or accepts a greater degree of risk. Compensating controls include management, operational, and technical controls in lieu of the recommended controls that provide equivalent or comparable protection. An external service provider operating and controlling an external information system can provide a service that is used by an internal organization in a consumer-producer relationship. Examples of these relationships include joint ventures, partnerships, outsourcing, licensing, and supply chain arrangements.

191. Security control recommendations made during the risk assessment process provide input for which of the following?

a. Impact analysis

b. Risk mitigation

c. Risk analysis

d. Control analysis

191. b. Risk analysis, impact analysis, and control analysis are done prior to security control recommendations. Therefore, security control recommendations are essential input for the risk mitigation process.

192. Which of the following should reflect the results of the risk assessment process?

1. Control recommendations

2. Risk determinations

3. Plans of action and milestones

4. System security plans

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

192. d. Organizations should ensure that the risk assessment results are appropriately reflected in the system’s plan of action and milestones and system security plans. Control recommendations and risk determinations are done prior to documenting the results of the risk assessment.

193. System security categorization is used in which of the following ways?

1. To determine minimum baseline security controls
