
CGRC Question #475: Real Exam Question with Answer & Explanation

The correct answer is C: System Security and Privacy Plan. The formal document that provides an overview of security requirements and describes the security controls for an information system is the System Security and Privacy Plan.

Implementation of Security and Privacy Controls

Question

What is the name of the formal document that provides an overview of security requirements for the information system and describes the security controls in place or planned for meeting those requirements?

Options

  • A. Security Assessment Plan (SAP)
  • B. Plan of Action & Milestones (POA&M)
  • C. System Security and Privacy Plan
  • D. Security Assessment Report (SAR)

Explanation

The formal document that provides an overview of security requirements and describes the security controls for an information system is the System Security and Privacy Plan.

Common mistakes.

  • A. A Security Assessment Plan (SAP) outlines the methodology for assessing security controls, not the list of controls themselves.
  • B. A Plan of Action & Milestones (POA&M) documents remediation plans for identified vulnerabilities, not the overall system security posture.
  • D. A Security Assessment Report (SAR) summarizes the findings of a security assessment, but it is not the plan describing the security controls.

Concept tested. System Security Plan (SSP) purpose

Reference. csrc.nist.gov/publications/detail/sp/800-18/rev-1/archive/2006-02-14

Topics

#System Security Plan #NIST RMF #Security Documentation #Security Controls
