What task in the Risk Management Framework Prepare step identifies individuals and assigns key responsibilities for executing the Risk Management Framework?

A) Risk assessment – organization

Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event and is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Which of the following BEST describes where information security risks arise?

C) From the loss of confidentiality, integrity, or availability of information or information systems, and reflect the potential adverse impacts to organizational operations, assets, and individuals.

A) From third party organizations having a stake in the information system.

B) From organizational mission and business functions that support the system.

D) From residual risks that remain in a system after the major risks have been mitigated.

One of the primary objectives of the Prepare Step of the RMF is to facilitate better communication between senior leaders and executives in the C-suite, and system owners and operators, in aligning organizational priorities with resource allocation and prioritization at the system level. If this objective is achieved, the following could benefit the organization except: A) It will reduce the information technology footprint and the attack surface of organization.

Guarantee a zero vulnerability of system level assets since security has been built from a top-down management approach.

It will promote IT modernization objectives and prioritize security and privacy activities to focus protection strategies on the most critical assets and systems.

Facilitate system readiness for system-specific tasks.

In assigning roles to individuals in an organization to run risk management processes, the organization must ensure that there are no conflicts of interest when assigning the same individual to multiple risk management roles. Which of the role pairs below constitute the most conflict of interest?

Authorizing official can serve as system owner for systems they authorize.

System owner can also serve as data custodian.

System security officer can serve as system engineer.

Chief information security officer can serve as the risk executive,

Which of the following is NOT an example of a risk assessment at the organizational tier (Tier 1)?

B) Assessment of the specific types of threats directed at organizations that may be different from other organizations and how those threats affect policy decisions.

A) Risk assessment for as-built or as-deployed information systems.

C) Assessment of systemic weaknesses or deficiencies discovered in multiple organizational information systems capable of being exploited by adversaries.

D) Risk assessment of the potential adverse impact on organizations from the loss or compromise of organizational information (either intentionally or unintentionally).

What would be the logical order for an organization to approach the components of risk management?

C) Assess risk, monitor risk, frame risk, and respond to risk.

A) Monitor risk, frame risk, respond to risk, and assess risk.

B) Frame risk, respond to risk, assess risk, and monitor risk.

D) Frame risk, assess risk, respond to risk, and monitor risk.

As a newly hired RMF reviewer for an organization, where would you find information on guidance to managing information security risk for an organization, mission and system?

The organization’s system security and privacy plans

One of the following statements is NOT related to an organization’s risk management strategy. Which is the odd statement?

B) Organizational missions and business functions influence the design and development of the mission or business processes that are created to carry out those missions and business functions.

A) It includes the strategic-level decisions and considerations for how senior leaders and executives are to manage security and privacy risks (including supply chain risks) to organizational operations, organizational assets, individuals, other organizations, and the Nation.

C) It guides and informs risk-based decisions including how security and privacy risk is framed, assessed, responded to, and monitored.

D) It makes explicit the threats, assumptions, constraints, priorities, trade-offs, and risk tolerance used for making investment and operational decisions.

Which of the following statements drawn from risk management literature, best describes “likelihood of occurrence”?

A) A condition that exists within an organization, information system, or environment of operation, which affects (i.e., increases or decreases) the likelihood that threat events, once initiated, result in adverse impacts to organizational operations and assets.

B) A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

C) A weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities).

D) The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Risk management can BEST be defined as:

The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation.

Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

Maintaining ongoing awareness of an organization’s risk environment, risk management program, and associated activities to support risk decisions.

Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.

A system impact-level prioritization is an optional organization-level task in the prepare step of the Risk Management Framework. When is this task typically completed?

D) After system categorization.

A) After security controls are assessed.

B) During the prepare step at the initiation phase of the SDLC.

C) After controls for the system are selected.

The annualized loss expectancy (ALE) is a quantitative measure used by organizations to complete risk assessments. How is the ALE calculated?

ALE = Single loss expectancy (SLE) x annualized rate of occurrence (ARO)

ALE = Single loss expectancy (SLE) + annualized rate of occurrence (ARO)

ALE = Single loss expectancy (SLE) - annualized rate of occurrence (ARO)

ALE = Single loss expectancy (SLE) + annualized rate of occurrence (ARO) (Minus residual risk)

Complete the last sentence below with an appropriate phrase from the given options: “Authorization boundaries that are too expansive (i.e., include too many system elements or components) make the risk management process unnecessarily complex. Conversely, authorization boundaries that are too limited (i.e., include too few system elements or components), increase the number of systems that must be separately managed and therefore...”

A) may unnecessarily inflate the information security and privacy costs for the organization.

B) require minimum management effort.

C) reduce the overall cost for management personnel.

D) guarantee total security for systems in the boundary.

An organization operates a system that tracks the Covid19 virus and its variants. The system is about to renew its initial authority to operate. What would be the most important activity at the prepare step the organization will be involved in, given that they just learnt of the emergence of the Omicron strain of the virus they are tracking?

The controls for the system need to be reassessed to make sure current implemented controls for the system are providing the right protection before additional processes are added to the system.

The organization will update its mission or business focus to reflect the investigation of omicron as a new Covid-19 virus strain.

The organization will update its security plan because the virus could be dangerous for the system.

The information types will be reviewed to include literature on the Omicron virus which the organization is about to add to the system.

What is the primary objective of the Risk Management Framework Prepare step?

To facilitate better communication between senior leaders and system owners

To identify all potential threats to the organization

To establish risk management roles within the organization

To conduct a detailed security assessment of the system

Why is it important for organizations to update their security plan when new virus strains emerge?

To adapt to the changing threat landscape

To ensure compliance with regulatory authorities

To prevent the spread of the new virus strain

What role does the risk executive play in the Risk Management Framework?

Coordinating with senior leaders to consider all types and sources of risk

Establishing risk management roles and responsibilities

Authorizing the operation of information systems

Conducting risk assessments at the system level

CGRC Practice Exam December 2023

Authored by Avinash Borse

Other

3rd Grade

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

27 questions

Show all answers

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

In determining system boundaries for systems either partially or wholly managed, maintained, or operated by external providers, an agreement clearly describing authorization boundaries ensures what?

Security

Interconnection agreements

Accountability

Understanding

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

What risk assessment approach typically employs a set of methods, principles, or rules for assessing risk based on nonnumerical categories or levels?

A) Quantitative assessment

B) Qualitative assessment

C) Semi-quantitative assessment

D) Empirical assessment

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which of the following is NOT a merit when an organization identifies and understands how information types are processed during all stages of the life cycle?

It helps organizations identify considerations for protecting the information, informs the organization’s security and privacy risk assessments, and informs the selection and implementation of controls.

Identification and understanding of the information life cycle facilitates the employment of practices to help ensure, for example, that organizations have the authority to collect or create information.

Organizations that process highly classified information types can allow all organizational employees to identify and know the value and impact of the information they work with for safe keeping.

It helps develop rules related to the processing of information in accordance with its impact level, create agreements for information sharing, and follow retention schedules for the storage and disposition of information.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Identify the entity that establishes the compliance schedules for the National Institutes of Standards and Technology security standards and guidelines.

A) The Office of Management and Budget in policies, directives, or memoranda

B) The department of Commerce

C) The FedRAMP JAB

D) Third party assessor organizations

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

The Prepare step has two risk assessment tasks: one for the organization level, and the other for the system level. The potential input for one of these risk assessments includes the following: assets to be protected; mission, business functions the system will support; business impact analyses or criticality analyses; system stakeholder information; and information about other systems that interact with the system. What will be the main output after the risk assessment?

Organization-level risk assessment results.

Organizational systems prioritized into low-, moderate-, and high-impact sub-categories.

Security and privacy assessment report.

Security and privacy risk assessment report.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

What name is given to a risk management concept that is related to the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the organizational risk frame?

A) Risk Monitoring

B) Risk Response

C) Risk tolerance

D) Risk Assessment

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

The risk executive (function) coordinates with senior leaders to do the following, except:

A) establish risk management roles and responsibilities.

B) establish organization-wide forums to consider all types and sources of risk.

C) ensure that security authorization decisions consider all factors necessary for mission and business success.

D) authorizing the operation of an information system, thereby accepting the risk to the organization.

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

24 questions

Higher AIT - 1.2 Effective Teams

Quiz

•

KG - University

25 questions

Name The Brand!

Quiz

•

3rd Grade - University

22 questions

Reading Multisyllabic Words with Prefixes in-, im- ELD Lesso

Quiz

•

KG - 4th Grade

22 questions

TIKTOK

Quiz

•

KG - Professional Dev...

22 questions

Icebreakers

Quiz

•

KG - 12th Grade

25 questions

DBZ Quiz

Quiz

•

KG - Professional Dev...

25 questions

National 5 Bus Mgt External and Internal Factors

Quiz

•

KG - University

28 questions

Permit Practice Test

Quiz

•

KG - Professional Dev...

Popular Resources on Wayground

7 questions

History of Valentine's Day

Interactive video

•

4th Grade

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

15 questions

Valentine's Day Trivia

Quiz

•

3rd Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

Discover more resources for Other

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

15 questions

Valentine's Day Trivia

Quiz

•

3rd Grade

18 questions

Comparing Fractions with same numerator or denominator

Quiz

•

3rd Grade

15 questions

Valentines Day Trivia

Quiz

•

3rd Grade

12 questions

Presidents' Day

Quiz

•

KG - 5th Grade

10 questions

History and Traditions of Valentine's Day

Interactive video

•

3rd - 6th Grade