A series of questions and answers related to the CAP (Certified Authorization Professional) exam, focusing on information security concepts and practices. It covers topics such as security controls (management, technical, operational, common, system-specific, and hybrid), risk management, continuous monitoring, and security assessment. The questions address key aspects of the NIST Risk Management Framework (RMF), FISMA requirements, and the roles and responsibilities of various stakeholders in ensuring information system security. It is useful for students and professionals preparing for the CAP exam or seeking to deepen their understanding of information security principles and practices. It offers a concise overview of essential concepts and terminology in the field of information security, making it a valuable resource for exam preparation and professional development.
CAP exam 125

Of the ensuing potential inputs to the Authorization package, one is not a living document. Which one? correct answer Supporting assessment documents

The security controls for an information system that focus on the management of risk and the management of information system security are known as correct answer Management controls

The security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, and firmware components of the system are known as correct answer Technical controls

If requested by the authorizing official, control assessors may provide recommendations for remediation actions. Such recommendations may also be provided by an automated security management and reporting tool. True or false? correct answer True

The security controls for an information system that are primarily implemented by people (as opposed to systems) are known as correct answer Operational controls

A System Owner (SO) is implementing a new system within their existing organization Information Technology (IT) environment. What objectives are considered when determining possible impact to risk? correct answer Integrity, Confidentiality, and Availability

Besides the System Owner (SO), what role has the PRIMARY responsibility for implementing the security controls in the security and privacy plans for an Information System (IS)? correct answer Common Control Provider (CPP)

A security control that is inherited by one or more organizational information systems is known as a... correct answer Common control

A security control for an information system that has not been designated as a common control, or the portion of a hybrid control that is to be implemented within an information system, is referred to as a... correct answer System-specific control

A countermeasure or safeguard that is implemented in an information system in part as a common control and in part as a system-specific control correct answer Hybrid control

Which of the following is principally used to verify that Information Systems (IS) are meeting their stated security goals and objectives? correct answer Security Plan (SP)

What is the first step in the process of implementing Information Security Continuous Monitoring (ISCM)? correct answer Define an ISCM strategy

What is not a responsibility of the Risk Executive (Function) in an organization's ISCM? correct answer Participate in the configuration management process

Which reference document describes the contents of a Plan of Action and Milestones (POA&M), updating and replacing OMB M-02-01? correct answer OMB M-02-

According to NIST SP 800-53A, "the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system" defines which of the following terms? correct answer Control effectiveness

Which NIST SP series document is concerned with continuous monitoring for federal information systems and organizations? correct answer SP 800-

The primary responsibility to update authorization package documents lies with which of the following officials? correct answer System Owner and Common Control Provider

In which step of the NIST SP 800-30 risk assessment process are vulnerabilities paired with threats? correct answer Impact Analysis

Which of the following provides instructions for annual FISMA reporting and emphasizes monitoring the security state of information systems on an ongoing basis with a frequency sufficient to make ongoing, risk-based decisions? correct answer OMB memorandum M-11-33, FY 2011

Which of the following created FISMA requirements, requiring system authorization? correct answer An Act of Congress

Security commensurate with risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information best defines which of the following? correct answer Adequate security

Which of the following specifies security requirements for federal information and information systems in 17 security-related areas that represent a broad-based, balanced information security program? correct answer FIPS 200, Minimum Security Requirements for Federal Information and Information Systems

What is the purpose of scoping guidance? correct answer To establish which controls will not be part of the baseline

What is the purpose of the assess step? correct answer To determine if the selected controls are implemented correctly, functioning as required, and producing the desired outcome

From a system authorization perspective, why are potential system software patches tested prior to deployment? correct answer To identify potential security impacts that may be caused by the patch

What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected? correct answer The remediated controls are reassessed

Organizations implement safeguards and countermeasures to protect information resources from risks. Which of the following is an administrative safeguard family implemented by the management of an organization? correct answer Certification and accreditation

A discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario. This best defines a... correct answer Tabletop Exercise

Which of the following best defines a general support system? correct answer An interconnected set of information resources under the same direct management control that shares common functionality.

One of the primary goals in conducting analysis of the test results from a scan during a Security Control Assessment (SCA) is to correct answer Categorize vulnerabilities

Which of the following is a goal of Public Law? correct answer Complete, reliable, and trustworthy information for Authorizing Officials

The security control assessor for Colvine Tech will be conducting a comprehensive-level assessment on an information system at Colvine Tech. Which controls must be assessed separately, not by the assessor for Colvine Tech? correct answer Common Controls

Which NIST publication is concerned with security categorization of federal information and information systems? correct answer FIPS 199

There are different types of control assessments depending on the assessment objectives. Which of the following is not a type of control assessment? correct answer Risk Assessment

Which of the following is not part of the contents of a plan of action and milestones? correct answer Rules of engagement

Why are subsystems within complex systems not treated as independent entities, even though the subsystems may exist as complete systems? correct answer Because subsystems are typically interdependent and interconnected

During an annual assessment, numerous high-risk findings are discovered on a critical organizational system. The system's Federal Information Processing Standard (FIPS) 199 rating is "high" integrity, "high" confidentiality, and "low" availability. The organization has a very low risk tolerance. What is the best decision that should be made in this situation? correct answer The authorizing official should deny operation of the system until risk is reduced to an acceptable level.

Common activities within organizations can cause changes to systems or their environments of operation and can have significant impact on the security posture of systems. Which of the following is not an example of a system change? correct answer Moving to a new facility

When an ATO is issued, which of the following roles authoritatively accepts residual risk on behalf of the organization? correct answer Authorizing official

One of the inputs to the risk determination task is the employment of risk assessments to provide information that may influence the risk analysis and risk determination. What publication provides guidance on conducting risk assessments? correct answer NIST SP 800-

An authorization approach where multiple organizational officials, either from the same organization or from different organizations, have a shared interest in authorizing a system is known as: correct answer Joint authorization

What is the purpose of a Privacy Impact Assessment? correct answer To determine the level of impact of the violation of the confidentiality of PII

An organization's decision on acceptable degrees of residual risk should be based on which of the following? correct answer Organization Risk Tolerance

When attempting to categorize a system, which two RMF starting-point inputs should be accounted for? correct answer Architecture descriptions and organizational inputs

A system in which at least one security objective is assigned a FIPS Publication 199 potential impact value of high best defines... correct answer A high-impact system

Tailoring refers to the process by which a security control baseline is modified based on all but one of the following: correct answer The security categorization of the information system

An effective continuous monitoring program can be used to: correct answer Support the Federal Information Security Management Act (FISMA) requirement for annual assessment of the security controls in information systems.

Likelihood of occurrence is a weighted risk factor that is assessed based on adversary intent, adversary targeting, and one of the following. Which one? correct answer Threat capability

As indicated in NIST SP 800-37 and NIST SP 800-53, the RMF provides architectural description inputs to the risk management strategy, including mission/business processes, FEA reference models, segment and solution architecture, and: correct answer Laws, directives, and policy guidance

When an authorizing official (AO) submits the security authorization decision, what responses should the information system owner (ISO) expect to receive? correct answer Authorized to operate (ATO) or denial of authorization to operate (DATO), the conditions for the authorization placed on the information system and owner, and the authorization termination date.

Documenting the description of the system in the SSP is the primary responsibility of which RMF role? correct answer Information System Owner

What may Colvine Tech do if they determine that the root cause of an unauthorized change is an adversarial attack? correct answer All of the above

The registration of the system directly follows which RMF task? correct answer Task P- Requirements allocation

Ongoing authorizations and reporting can be time- and event-driven. Which official has the primary responsibility for ongoing authorizations? correct answer Authorizing Official

Failure to authorize an operational system to process demonstrates that management has not exercised due care in protecting the system in the event of a security incident. Which of the following Acts has been violated? correct answer FISMA, 2002

Which of the following control families belongs to the management class of security controls? correct answer System & Service Acquisition

The authorization package may be provided to the authorizing official (1) in hard copy, (2) electronically, or (3) generated using an automated security/privacy management and reporting tool. Which of the three provides information in the most efficient and timely manner? correct answer Automated tools

During which RMF step is the system security plan initially approved? correct answer RMF STEP 3

The use of automation to manage changes to the information system or its environment of operation facilitates correct answer Remediation plans

Who has the responsibility to track corrective actions to their completion, keeping the approving authority informed with periodic updates as directed? correct answer The ISO

An initial remediation action was taken by the information system owner (ISO) based on findings from the security assessment report (SAR). What is the next appropriate step based on the Risk Management Framework (RMF)? correct answer Include the remediation action taken by the ISO as an addendum in the SAR.

Tailored control baselines may also be referred to as correct answer Overlays

How frequently must key authorization package documents be updated to achieve near real-time risk management? correct answer On an ongoing basis

Information developed from FIPS 199 may be used as an input to which authorization package document? correct answer SSP

Who is responsible for reviewing the assessment reports and plans of action and milestones and determining whether the identified risks need to be mitigated prior to authorization? correct answer The Authorizing Official

The authorization boundary of a system undergoing assessment includes correct answer The information system (IS) elements to be authorized for operation

When determining the applicability of a specific security control, the security professional should utilize which type of guidance? correct answer Scoping guidance

You are the Risk Analyst for Colvine Tech consulting. A new system user just asked you when risk assessments should be conducted in the system development life cycle. What will be the best answer? correct answer Throughout the system development life cycle

Which authorization approach considers the time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of the other organization? correct answer Leveraged

An effective security control monitoring strategy for an information system includes which of the following? correct answer Active involvement by authorizing officials in the ongoing management of information system-related risks.

Who has the responsibility to review and ensure that only substantive items are incorporated in the plan of action and milestones? correct answer Authorizing Official

Colvine-Tech hardware (10 computers) is located in a single computer room, and access to the room is permitted only to the few system users who have the required privileges. To access the computer room, which is restricted by door locks, proximity cards and personal identification PINs are required. Relative to the hardware in the computer room, the door lock and the PIN are examples of what type of security control? correct answer Common

The use of automation to conduct security control assessments should be maximized to do all of the following except one. correct answer Enable the authorizing official to have ready access to the current security state of the system and PTA.

An information system is currently in the initiation phase of the SDLC and has been categorized as high impact. The ISO wants to inherit common controls provided by another organizational information system that is categorized as moderate impact. How does the ISO ensure that the common controls will provide adequate protection for the information system? correct answer Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system.

The functional description of security control implementation must include which of the following, primarily as related to technical controls employed in the system? correct answer Planned inputs, expected behavior, and expected outputs.

Why is security control volatility an important consideration in the development of a security control monitoring strategy? correct answer It establishes priority for security control monitoring.

According to NIST SP 800-37 Rev 2, which role has the primary responsibility to report the security status of the information system to the authorizing official (AO) and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy? correct answer Common Control Provider

When should the ISO document the information system and authorization boundary description in the system security plan? correct answer After security categorization

An updated risk assessment in response to the security control assessment, along with inputs from the risk executive, helps to determine and prioritize... correct answer Initial remediation actions

The initial security plan for a new application has been approved. What is the next activity in the Risk Management Framework? correct answer Implement the security controls specified in the system security plan.

Which organizational official is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system? correct answer ISO

The essential difference between a joint authorization and a traditional authorization is the addition of multiple authorizing officials, true or false? correct answer TRUE

Which role has the primary responsibility to conduct ongoing assessments after an initial system authorization? correct answer Security Control Assessor

When making a determination regarding the adequacy of the implementation of inherited controls for their respective systems, an ISO can refer to the authorization package prepared by which of the following? correct answer Common Control Provider