Exam 712-50
Question 152

You have been hired as the Information System Security Officer (ISSO) for a US federal government agency. Your role is to ensure the security posture of the system is maintained. One of your tasks is to develop and maintain the system security plan (SSP) and supporting documentation.

Which of the following is NOT documented in the SSP?

    Correct Answer: C

    The System Security Plan (SSP) is a comprehensive document outlining the security requirements and controls for a system within a federal agency. It includes details such as the security controls implemented, the type of information used in the system, and the connections to other systems. However, the results of third-party audits and their specific recommendations are typically documented separately to maintain the focus and integrity of the SSP. Therefore, this information is not included in the SSP.

Discussion
johndoe69 Option: C

Reference: NIST Special Publication 800-18 Revision 1: Guide for Developing Security Plans for Federal Information Systems. "The SSP should include the system name and identifier, system owner, system operational status, general description/purpose, and the system's security requirements, among other things. However, detailed results of third-party audits and specific audit recommendations are typically documented separately."

skaf Option: D

Usually it's not included in this kind of document.

chockalingam Option: B

The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems. https://csrc.nist.gov/glossary/term/information_system_security_plan#:~:text=The%20system%20security%20plan%20describes,or%20connections%20to%20other%20systems.

arifbhatkar Option: B

Option B, "Name of the connected system," is NOT typically documented in the System Security Plan (SSP). The SSP focuses on providing a comprehensive overview of the security controls and measures implemented for the specific system. It includes information such as the security controls in place, the type of information used in the system, the results of third-party audits and recommendations, and other details relevant to the security of the system.