1. Explain the each of the 3 different ways to assess a security control and give an example of how each one is used.
2. Explain the difference between a General Support System, Major Application, and a Minor Application and how do you determine the accreditation boundary for each type?
3. Explain how to determine a Systems Categorization and why is this important?
4. Explain the process of how you determine the minimum security requirements for a system.
5. Explain why FEDRAMP is important to cloud companies? Also, explain what is the biggest advantage of the FEDRAMP process?
6. Explain the difference between a PIA and BIA. Please provide examples of each?
7. Explain what is a CP? Also, in today's world, provide an example of what is a possible solution for a CP for the users of an organization?
8. Explain what is the purpose of the CMP and then explain the Change Control Process?
Please explain why Security Awareness and Training is so important and explain the difference between the two types? Also, explain why an IRP is needed, explain the steps on how to handle an issue, and provide an example of an incident.
9. Explain what a ROB is and how it is used in the absence of a technical solution for a security vulnerability?
10. Explain the process of converting "findings" into "POAMS"?