Exam (solutions)

ISSEP EXAM 2024 WITH 100% CORRECT ANSWERS

Rating: -
Sold: -
Pages: 54
Grade: A+
Uploaded on: 24-02-2024
Written in: 2023/2024
Contains: Questions and answers


Preview of the content

ISSEP EXAM 2024 WITH 100% CORRECT ANSWERS

The authority to accept residual risk resides in which role? - Answer ✔✔Authorizing Official

Which reference provides detailed guidance on risk assessments? - Answer ✔✔SP 800-30 Risk Management Guide for Information Technology Systems

Which non-executive branch organization provides the President with advice on security and continuity of communications systems? - Answer ✔✔National Security Telecommunications Advisory Committee (NSTAC)

NCSC-5 establishes the National Policy for the use of cryptographic material when operating in high-risk environments. Which is NOT required by this policy? - Answer ✔✔Have a plan to operate without cryptographic material if necessary

Who prepares the accreditation decision letter? - Answer ✔✔Designated Representative

Who develops and maintains information security policies, procedures, and control techniques to address all applicable requirements? - Answer ✔✔Chief Information Officer

The Risk Management Equation includes: - Answer ✔✔Risk Assessment + Risk Mitigation + Evaluation and Assessment

Who procures, develops, integrates, modifies, operates or maintains an information system? - Answer ✔✔Information System Owner

Who is responsible for preparing the system security plan and conducting the risk assessment? - Answer ✔✔Information System Owner

You have just completed the Control Analysis step in the SP 800-30 process. What is the next step? - Answer ✔✔Likelihood Determination

In which phase of the 800-30 process does one produce the Risk Assessment Report (RAR)? - Answer ✔✔Results Documentation

Which phase of the SP 800-30 process produces the Impact Rating? - Answer ✔✔Impact Analysis

Inputs to Step 3 Vulnerability Identification do NOT include: - Answer ✔✔List of Potential Vulnerabilities

Which of these is (are) NOT inputs to Step 1 System Characterization under SP 800-30? - Answer ✔✔System Boundary

Which of the following is a good source of information on system vulnerabilities maintained by NIST? - Answer ✔✔ICAD Database

Which of these are valid ways to mitigate risk? - Answer ✔✔Risk Avoidance, Risk Transference

During which phase of the NIST SP 800-37 System Authorization Process does the Information System Owner conduct the initial risk assessment? - Answer ✔✔Initiation Phase

By regulation and law, information security must be: - Answer ✔✔Cost-effective

Executive Agencies must: - Answer ✔✔Authorize system processing prior to operation

Adequate Security is: - Answer ✔✔Commensurate with risk

Which phase follows the Validation Phase in the NIACAP process? - Answer ✔✔Post Accreditation Phase

Which phase of the IATF results in component and interface specifications that provide sufficient information for acquisition of security products? - Answer ✔✔Develop Detailed Security Design

Security Control Assessment tries to determine if the controls are - Answer ✔✔Producing desired results

In which phase of the IATF does formal risk assessment begin? - Answer ✔✔Design System Security Architecture

What is the minimum frequency at which periodic testing and evaluation of the effectiveness of policies can be done? - Answer ✔✔Annually

Which of the following is NOT required to be part of the SSP under SP 800-37? - Answer ✔✔Results of last awareness evaluation

Which of the following is NOT normally part of the Requirements Traceability Matrix? - Answer ✔✔POA&M findings

Which of the following is NOT accomplished as part of registration? - Answer ✔✔System Certification

IAW FIPS 199, what word is used to describe potential "LOW" impact items? - Answer ✔✔Limited

Initial CONOPS development begins in which phase of the IATF? - Answer ✔✔Define System Security Requirements

The main purpose of C&A is? - Answer ✔✔Acceptance and management of risk

Certification is? - Answer ✔✔Evaluation of technical and non-technical controls

NIST SP 800-18, Guide for Developing Security Plans, describes the purpose of security plans as: - Answer ✔✔provide an overview of the system security requirements and the controls in place

Which of these is NOT a phase of DITSCAP? - Answer ✔✔Initiation

What is a disadvantage of the Spiral development method? - Answer ✔✔Production Paradox

Which of the following is NOT part of the Information Management Model (IMM)? - Answer ✔✔Information Protection Policy (IPP)

Harm to Information and Potentially Harmful Events are measured using - Answer ✔✔A metric such as a seriousness rating

Who serves as principal staff advisor to the system owner on all matters involving the security of the information system? - Answer ✔✔Information System Security Officer

IAW the IATF, classes of attack do NOT include? - Answer ✔✔Hackers

Who is responsible for ensuring that configuration and change control processes are followed? - Answer ✔✔Information System Manager

As part of the SSE-CMM evaluation, which of the following is NOT evaluated as part of the "Assess Security Risk"? - Answer ✔✔Security Certification

Who is responsible for managing, coordinating, and overseeing all security authorization activities, agency-wide? - Answer ✔✔Authorization Advocate

Which of the following is NOT part of how the IATF describes the Defense in Depth paradigm? - Answer ✔✔Respond

Who is responsible for representing the interests of the system acquisition or maintenance organization? - Answer ✔✔Program Manager

Who provides an independent assessment of the system security plan? - Answer ✔✔Certification Agent
