OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
  • OMB M-10-22
  • OMB M-10-23
  • OMB M-00-13
  • OMB M-03-22
Management of Federal Information Resources
  • OMB Circular A-123
  • OMB Circular A-11
  • OMB (no memo number)
  • OMB Circular A-130
Performance Measurement Guide for Information Security. This document is a guide for the specific development, selection, and implementation of information system-level and program-level measures to indicate the implementation, efficiency, effectiveness, and impact of security controls and other security-related activities. It provides guidelines on how an organization, through the use of measures, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional information security resources, identify and evaluate nonproductive security controls, and prioritize security controls for continuous monitoring.
  • NIST SP 800-50
  • NIST SP 800-55
  • NIST SP 800-53
  • NIST SP 800-60
NIST Special Publication 800-39 is the flagship document in the series of information security standards and guidelines developed by NIST in response to FISMA. The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines. The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.
  • NIST SP 800-39
  • NIST SP 800-88
  • NIST SP 800-60
  • NIST SP 800-50
Recommended Security Controls for Federal Information Systems and Organizations. The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government to meet the requirements of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information. The guidelines have been developed to help achieve more secure information systems and effective risk management within the federal government by: • Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems and organizations; • Providing a recommendation for minimum security controls for information systems categorized in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems; • Providing a stable, yet flexible catalog of security controls for information systems and organizations to meet current organizational protection needs and the demands of future protection needs based on changing requirements and technologies; • Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness; and • Improving communication among organizations by providing a common lexicon that supports discussion of risk management concepts. The guidelines in this special publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems. State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.
  • NIST SP 800-50
  • NIST SP 800-53
  • NIST SP 800-61
  • NIST SP 800-37
Safeguarding Personally Identifiable Information
  • OMB M-06-16
  • OMB M-06-15
  • OMB M-06-19
  • OMB M-03-22
Information Security Handbook; A Guide for Managers
  • NIST SP 800-30
  • NIST SP 800-34
  • NIST SP 800-55
  • NIST SP 800-100
Guide for Assessing the Security Controls in Federal Information Systems. The purpose of this publication is to provide guidelines for building effective security assessment plans and a comprehensive set of procedures for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government. The guidelines apply to the security controls defined in NIST Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems, and any additional security controls developed by the organization. The guidelines have been developed to help achieve more secure information systems within the federal government by: • Enabling more consistent, comparable, and repeatable assessments of security controls; • Facilitating more cost-effective assessments of security controls contributing to the determination of overall control effectiveness; • Promoting a better understanding of the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems; and • Creating more complete, reliable, and trustworthy information for organizational officials—to support security accreditation decisions, information sharing, and FISMA compliance. The guidelines provided in this special publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of the Director of National Intelligence (DNI), the Secretary of Defense (SECDEF), the Chairman of the Committee on National Security Systems (CNSS), or their designees.
State, local, and tribal governments, as well as private sector organizations that compose the critical infrastructure of the United States, are also encouraged to consider the use of these guidelines, as appropriate. Organizations should use, as a minimum, NIST Special Publication 800-53A in conjunction with an approved security plan in developing a viable security assessment plan for producing and compiling the information necessary to determine the effectiveness of the security controls employed in the information system. This publication has been developed with the intention of enabling organizations to tailor and supplement the basic assessment procedures provided. The assessment procedures should be used as a starting point for and as input to the security assessment plan. In developing effective security assessment plans, organizations should take into consideration existing information about the security controls to be assessed (e.g., results from organizational assessments of risk, platform-specific dependencies in the hardware, software, or firmware, and any assessment procedures needed as a result of organization-specific controls not included in NIST Special Publication 800-53). The selection of appropriate assessment procedures for a particular information system depends on three factors: • The security categorization of the information system in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories; • The security controls identified in the approved security plan, including those from NIST Special Publication 800-53 (as amended) and any organization-specific controls; and • The level of assurance that the organization must have in determining the effectiveness of the security controls in the information system.
The extent of security control assessments should always be risk-driven. Organizations should determine the most cost-effective implementation of this key element in the organization's information security program by applying the results of risk assessments, considering the maturity and quality level of the organization's risk management processes, and taking advantage of the flexibility in NIST Special Publication 800-53A. The use of Special Publication 800-53A as a starting point in the process of defining procedures for assessing the security controls in information systems promotes a more consistent level of security within the organization and offers the needed flexibility to customize the assessment based on organizational policies and requirements, known threat and vulnerability information, operational considerations, information system and platform dependencies, and tolerance for risk. Ultimately, organizations should view assessment as an information gathering activity, not a security producing activity. The information produced during security control assessments can be used by an organization to: • Identify potential problems or shortfalls in the organization's implementation of the NIST Risk Management Framework; • Identify information system weaknesses and deficiencies; • Prioritize risk mitigation decisions and associated risk mitigation activities; • Confirm that identified weaknesses and deficiencies in the information system have been addressed; • Support information system authorization (i.e., security accreditation) decisions; and • Support budgetary decisions and the capital investment process. Organizations are not expected to employ all of the assessment methods and assessment objects contained within the assessment procedures identified in this document.
Rather, organizations have the flexibility to determine the security control assessment level of effort and resources expended (e.g., which assessment methods and objects are employed in the assessment). This determination is made on the basis of what will most cost-effectively accomplish the assessment objectives defined in this publication with sufficient confidence to support the subsequent determination of the resulting mission or business risk.
  • NIST SP 800-60
  • NIST SP 800-122
  • NIST SP 800-53A
  • NIST SP 800-18
Guide to Malware Incident Prevention and Handling. This publication is intended to help organizations understand the threats posed by malware and mitigate the risks associated with malware incidents. In addition to providing background information on the major categories of malware, it provides practical, real-world guidance on preventing malware incidents and responding to malware incidents in an effective, efficient manner.
  • NIST SP 800-88
  • NIST SP 800-92
  • NIST SP 800-83
  • NIST SP 800-122
Technical Guide to Information Security Testing and Assessment. The purpose of this document is to provide guidelines for organizations on planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies. It provides practical recommendations for designing, implementing, and maintaining technical information relating to security testing and assessment processes and procedures, which can be used for several purposes—such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. This guide is not intended to present a comprehensive information security testing or assessment program, but rather an overview of the key elements of technical security testing and assessment with emphasis on specific techniques, their benefits and limitations, and recommendations for their use. (This document replaces NIST Special Publication 800-42, Guideline on Network Security Testing.)
  • NIST SP 800-115
  • NIST SP 800-60
  • NIST SP 800-47
  • NIST SP 800-50
Federal Information Processing Standards Publication (FIPS). FIPS Publication 199 addresses the first task cited—to develop standards for categorizing information and information systems. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the federal government, promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices. Subsequent NIST standards and guidelines will address the second and third tasks cited.
  • NIST SP 800-60
  • NIST SP 800-122
  • NIST SP 800-92
  • FIPS 199
Protection of Sensitive Agency Information
  • OMB M-06-16
  • OMB M-06-19
  • OMB M-05-04
  • OMB M-01-05
The Privacy Act of 1974, 5 U.S.C. § 552a (2006), which has been in effect since September 27, 1975, can generally be characterized as an omnibus "code of fair information practices" that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies.
  • NIST SP 800-64
  • Section 3541 Title 44 U.S.C.
  • Privacy Act of 1974
  • CNSS Instruction No. 1253
Federal Information Security Management Act of 2002
  • NIST SP 800-100
  • Section 3541 Title 44 U.S.C.
  • NIST SP 800-64
  • FIPS 199
Computer Security Incident Handling Guide. This publication seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. It includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents. Agencies are encouraged to tailor the recommended guidelines and solutions to meet their specific security and mission requirements.
  • NIST SP 800-60
  • NIST SP 800-40
  • NIST SP 800-92
  • NIST SP 800-61
Guidance on Inter-Agency Sharing of Personal Data Protecting Personal Privacy
  • OMB M-10-23
  • OMB M-10-22
  • OMB M-03-22
  • OMB M-01-05
Management's Responsibility for Internal Control
  • OMB Circular A-123
  • OMB (no memo number)
  • OMB M-06-15
  • OMB Circular A-11
Creating a Patch and Vulnerability Management Program. This publication is designed to assist organizations in implementing security patch and vulnerability remediation programs. It focuses on how to create an organizational process and test the effectiveness of the process. It also seeks to inform the reader about the technical solutions that are available for vulnerability remediation.
  • NIST SP 800-50
  • NIST SP 800-61
  • NIST SP 800-41
  • NIST SP 800-40
Guidelines for Media Sanitization. This document will assist organizations in implementing a media sanitization program with proper and applicable techniques and controls for sanitization and disposal decisions, considering the security categorization of the associated system's confidentiality. The objective of this special publication is to assist with decision making when media require disposal, reuse, or will be leaving the effective control of an organization. Organizations should develop and use local policies and procedures in conjunction with this guide to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information. The information in this guide is best applied in the context of current technology and applications. It also provides guidance for information disposition sanitization and control decisions to be made throughout the system life cycle. Forms of media exist that are not addressed by this guide, and media are yet to be developed and deployed that are not covered by this guide. In those cases, the intent of this guide outlined in the procedures section applies to all forms of media based on the evaluated security categorization of the system's confidentiality according to FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.
  • NIST SP 800-88
  • NIST SP 800-122
  • NIST SP 800-60
  • NIST SP 800-92
The National Institute of Standards and Technology (NIST) created NIST Special Publication (SP) 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," to establish a standardized set of information security controls for use within the United States (U.S.) Federal Government. NIST collaborated with the Intelligence Community (IC), Department of Defense (DoD), and the Committee on National Security Systems (CNSS) to ensure NIST SP 800-53 contains security controls to meet the requirements of National Security Systems (NSS). As a result of these collaborative efforts, the Director of National Intelligence and the Secretary of Defense have directed that the processes described in NIST SP 800-53 (as amended by this Instruction) and the security and programmatic controls contained in Appendices F and G, respectively, shall apply to NSS within the National Security Community. This means NIST SP 800-53 now provides a common foundation for information security controls across the U.S. Federal Government. (Guidance on how to implement the processes described in NIST SP 800-53)
  • NIST SP 800-122
  • NIST SP 800-39
  • Privacy Act of 1974
  • CNSS Instruction No. 1253
This document seeks to assist organizations in understanding the capabilities of firewall technologies and firewall policies. It provides practical guidance on developing firewall policies and selecting, configuring, testing, deploying, and managing firewalls.
  • NIST SP 800-92
  • NIST SP 800-61
  • NIST SP 800-83
  • NIST SP 800-41
Preparations, Submission, and Execution of the Budget
  • OMB Circular A-11
  • NIST SP 800-100
  • OMB M-06-16
  • OMB (no memo number)
Development of Homeland Security Presidential Directive (HSPD) - 7 Critical Infrastructure Protection Plans to Protect Federal Critical Infrastructures and Key Resources
  • OMB M-00-13
  • OMB M-04-15
  • OMB M-06-19
  • OMB M-07-16
Guide for Mapping Types of Information and Information Systems to Security Categories. NIST SP 800-60 addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative). This guideline applies to all Federal information systems other than national security systems. National security systems store, process, or communicate national security information.
  • NIST SP 800-83
  • NIST SP 800-122
  • NIST SP 800-92
  • NIST SP 800-60
Policies for Federal Agency Public Websites
  • OMB M-10-22
  • OMB M-04-04
  • OMB M-05-04
  • OMB M-10-23
Guidance for Online Use of Web Measurement and Customization Technologies
  • OMB M-10-22
  • OMB M-10-23
  • OMB M-01-05
  • OMB M-03-22