









This practice exam focuses on the Risk Management Framework (RMF) and security controls, referencing NIST SP 800 series publications. It covers roles, responsibilities, and processes in information security, including risk assessment, system authorization, and security control assessments. Questions address RMF aspects like system categorization, security plan development, and stakeholder roles (e.g., Information System Owner, Security Control Assessor, Authorizing Official). It also touches on FISMA and OMB Circular A-130 compliance, providing an overview of information security practices in federal systems. This exam tests knowledge of security concepts and their application, valuable for professionals seeking to enhance their understanding of information security and risk management.
Typology: Exams










CAP Practice Exam

Q: Which one of the following roles is responsible for testing the non-technical controls in an information system?
A: Security Control Assessor

Q: Which reference provides detailed guidance on risk mitigation for the State Department?
A: SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations

Q: Which of the following roles has the responsibility to ensure that the enterprise architecture supports the mission and business?
A: Information Security Architect

Q: During which step of the Risk Management Framework (RMF) does the Information System Owner register the information system?
A: Categorize Information System

Q: Who signs the authorization decision letter?
A: Authorizing Official

Q: Who develops and maintains information security policies, procedures, and control techniques to address all applicable requirements?
A: Chief Information Officer

Q: A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source is the definition of which key term?
A: Vulnerability
Q: You have just completed the Risk Assessment defined by NIST SP 800-30. What reference identifies the risk management strategy alternatives that can be applied to the information system?
A: NIST SP 800-

Q: In which phase of the NIST SP 800-30 process does one produce the first full Risk Assessment Report (RAR)?
A: Step 2

Q: Which step of the NIST SP 800-30 process would most likely identify the CVE database as a risk assessment information source?
A: Step 1

Q: Organizations should view assessments as an information gathering activity, not as a security producing activity. In accordance with NIST SP 800-53A, security control assessments create the following benefits: identify potential problems or shortfalls in the organization's implementation of the NIST Risk Management Framework; support budgetary decisions and capital investment processes; and:
A: Support information system authorization decisions

Q: The last step in the Risk Assessment process model is called?
A: Maintain

Q: When using NIST SP 800-53A, during which SDLC phases are security assessments used to increase confidence or assurance that the security controls are working correctly for a system?
A: Development, Implementation, and Operations and Maintenance

Q: Which of these is a valid response to address risk?
A: Accept the risk to the system

Q: OMB Circular A-130 states information security must:
A: Be risk-based and cost effective

Q: In accordance with Public Law 107-347, Executive Agencies must:
A: Authorize system processing prior to operation
Q: The security assessment plan provides:
A: The objectives for the security control assessment and a detailed roadmap of how to conduct such an assessment

Q: The main purpose of System Authorization is:
A: Acceptance and management of risk

Q: Security control assessment is:
A: Evaluation of technical and non-technical controls

Q: NIST SP 800-18, Guide for Developing Security Plans, describes the purpose of a security plan as providing an overview of the system requirements, and:
A: The controls in place

Q: The goals of NIST SP 800-39 include: encourage senior leaders to recognize the importance of engaging in the management of risk; encourage senior leaders to understand the role of information security in managing overall organizational risk; and?
A: Help individuals with information system implementation and operational responsibilities understand how the information security issues associated with their systems translate into organizational security concerns

Q: You have just completed the final Security Assessment Report. Which RMF Step and SDLC phase are you about to enter?
A: RMF Step 5, and the Implementation phase

Q: Title III of the E-Government Act, known as the Federal Information Security Management Act (FISMA), states that effective information security programs include:
A: Periodic assessment of risk

Q: In accordance with NIST SP 800-37, what follows the Implement Security Controls step?
A: Assess Security Controls

Q: Who serves as principal staff advisor to the Information System Owner on all matters involving the security of the information system?
A: Information System Security Engineer
Q: As described by NIST SP 800-39, the Risk Executive's role includes: promote cooperation and collaboration among authorizing officials; provide senior leaders input and oversight for all risk management and information security activities; and?
A: Identify the overall risk posture based on the aggregated risk from each information system

Q: Who is responsible for ensuring that configuration and change control processes are followed?
A: Information System Owner

Q: Which of the following is NOT evaluated as part of assessing security risk?
A: Monitor changes over time

Q: Who is responsible for managing, coordinating, and overseeing all risk management activities, agency-wide?
A: Risk Executive

Q: What does NIST SP 800-39 provide as the two factors affecting trustworthiness of an information system?
A: Security functionality and security assurance

Q: Which of the following should be the MAIN consideration when establishing a trust relationship between two information systems?
A: Business/Mission needs

Q: Who provides an independent assessment of the system security plan?
A: Security Control Assessor

Q: Who is responsible for identifying mission and operational requirements?
A: Authorizing Official

Q: The federal Risk Management Framework has six steps. In Task 2-2, which roles are primary, and what is the SDLC phase?
A: ISO and ISA; and the Initiate phase

Q: Who is primarily responsible for supporting the System Authorization process during the Implementation phase of the SDLC?
A: Security Control Assessor
Q: In accordance with NIST SP 800-59, a National Security System must meet which one of the following criteria?
A: Critical to the direct fulfillment of military or intelligence missions

Q: NIST SP 800-39 prescribes that the assessor's findings should be:
A: Factual and unbiased

Q: OMB's Business Reference Model (BRM) describes four business areas containing 39 types of information. Which of the following roles will be the PRIMARY user of this reference?
A: Information Owner, as part of the NIST SP 800-60 analysis

Q: Personally Identifiable Information will be categorized at what minimum level?
A: Moderate for Confidentiality

Q: During the SP 800-60 analysis, which two values are considered by the security objectives?
A: Data sensitivity, and criticality

Q: When doing cost-benefit analysis for proposed new controls or enhanced controls, which of the following is NOT considered?
A: Estimating the length of time to implement the new or enhanced controls

Q: Residual risk can be defined as:
A: The risk remaining after the implementation of new or enhanced controls

Q: During the FIPS 199 analysis the Information System Owner determines the system High Water Mark. How is the high water mark used in the system authorization process?
A: It establishes the minimum baseline controls that MUST be employed to protect the information system
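The high water mark question above is the one step of the RMF that is an actual computation, so here is an added worked example of it (written for this page; it is not NIST's, Docsity's, or the exam author's material). It walks the SP 800-60 sequence the exam names elsewhere (identify information types, select provisional impact levels, review and adjust, assign the system category) and then applies the FIPS 199 aggregation rule and the FIPS 200 high water mark that picks the SP 800-53 baseline. The information types, their impact levels and the adjustment are constructed sample data, not values from SP 800-60 Volume II; the function and variable names are the author's own.

```python
"""FIPS 199 security categorization and the FIPS 200 high water mark.

Added example for this page; the information types and impact levels below
are constructed sample data, not values taken from NIST SP 800-60 Volume II.
"""
from enum import IntEnum


class Impact(IntEnum):
    NA = 0         # FIPS 199 permits "not applicable" only for the confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# SP 800-60 steps 1 and 2: identify the information types the system handles and
# select a provisional impact level per security objective (constructed data).
PROVISIONAL = {
    "public web content": {
        "confidentiality": Impact.NA, "integrity": Impact.LOW, "availability": Impact.LOW},
    "personnel records (PII)": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "trade secrets": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
}


def review_and_adjust(provisional, adjustments):
    """SP 800-60 step 3: apply documented adjustments to the provisional levels.

    adjustments maps (info_type, objective) -> (new_level, justification).
    The input is copied, not mutated, so the provisional values stay on record.
    """
    adjusted = {name: dict(levels) for name, levels in provisional.items()}
    for (info_type, objective), (level, justification) in adjustments.items():
        if info_type not in adjusted or objective not in OBJECTIVES:
            raise KeyError(f"unknown information type or objective: {info_type}/{objective}")
        if level is Impact.NA and objective != "confidentiality":
            raise ValueError(f"NA is only permitted for confidentiality ({info_type})")
        if not justification:
            raise ValueError("every adjustment needs a documented justification")
        adjusted[info_type][objective] = level
    return adjusted


def categorize_system(info_types):
    """SP 800-60 step 4 / FIPS 199: the system impact for each objective is the
    highest level among its information types. NA is never valid at the system
    level, so a system objective is at least LOW even if every type says NA."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    sc = {}
    for objective in OBJECTIVES:
        highest = max(levels[objective] for levels in info_types.values())
        sc[objective] = max(highest, Impact.LOW)
    return sc


def high_water_mark(sc):
    """FIPS 200: the overall impact level is the highest of the three objectives."""
    return max(sc.values())


def baseline_name(hwm):
    """The high water mark selects the SP 800-53 baseline that must be employed."""
    return {Impact.LOW: "low", Impact.MODERATE: "moderate", Impact.HIGH: "high"}[hwm]


def fips199_notation(sc):
    """Render the category in the FIPS 199 'SC system = {...}' notation."""
    parts = ", ".join(f"({objective}, {sc[objective].name})" for objective in OBJECTIVES)
    return "SC system = {" + parts + "}"


if __name__ == "__main__":
    adjusted = review_and_adjust(PROVISIONAL, {
        # constructed justification: the mission cannot tolerate an extended outage of this data
        ("trade secrets", "availability"): (Impact.MODERATE, "mission needs same-day recovery"),
    })
    sc = categorize_system(adjusted)
    print(fips199_notation(sc))
    hwm = high_water_mark(sc)
    print(f"high water mark: {hwm.name} -> employ the {baseline_name(hwm)} baseline")
```

Two details matter in practice: the NA value for the public information type is lifted to LOW when the system category is assigned, because FIPS 199 does not allow NA for any system-level objective, and a single HIGH adjustment on one objective of one information type is enough to pull the whole system to the high baseline.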
Q: What risk management activity occurs during the Implementation phase of the System Development Life Cycle?
A: Risk management supports the assessment of the system implementation against the requirements

Q: What is the definition of a threat?
A: Any circumstance or event with the potential to create adverse impacts

Q: Which organization created the FISMA requirement requiring System Authorization?
A: Congress

Q: Security commensurate with risk, including the magnitude of harm, defines:
A: Adequate Security

Q: Which of the following is required by OMB A-130?
A: Certification and Accreditation at least every three years

Q: In accordance with (IAW) NIST SP 800-64, which of the following is NOT part of the System Development Life Cycle?
A: Program Startup Phase

Q: Which security control identifies the organizational roles and responsibilities, how coordination of security is implemented, identifies the declared common controls, and should be protected from unauthorized disclosure and modification?
A: PM-1, Information Security Program Plan

Q: Compensating controls are:
A: Used in place of, or to augment, specific controls

Q: NIST SP 800-37 provides a process for:
A: System Authorization

Q: What is the purpose of scoping guidance?
A: To establish and express guidance on tailoring the security control baseline
Q: Which of the following roles reviews the reports provided by the Information System Security Officer once
A: Authorizing Official

Q: From a system authorization perspective, why are potential system software patches tested prior to
A: To identify potential security impacts that may be caused by the patch

Q: Why is configuration management a concern during the continuous monitoring phase of NIST SP 800-37?
A: To ensure that risks from new threats can be evaluated

Q: NIST SP 800-55 defines key performance measures as?
A: Measures of effectiveness, measures of efficiency, and impact measures

Q: During the Continuous Monitoring Phase of NIST SP 800-37, the Information System Security Officer is NOT concerned with which of the following?
A: Are the controls operating within the established budget?

Q: Why might the POAM need to be updated when the system completes security control testing in RMF Step 6?
A: New vulnerabilities might have been identified that could not be corrected

Q: Which of the following is a goal of FISMA?
A: Complete, reliable, and trustworthy information for Authorizing Officials

Q: Reauthorization of a system every three years is required, except when:
A: Robust continuous monitoring exists for the system, and the residual risk is within the acceptable range

Q: Which of the following roles should NEVER be combined with the role of Authorizing Official?
A: Information System Owner

Q: The Authorizing Official's Designated Representative may perform all of the following, except?
A: Sign the authorization decision document
Q: Information is categorized using NIST SP 800-60 based on:
A: Mission impact

Q: Trade Secrets are categorized as:
A: Moderate for confidentiality

Q: In RMF Step 2, the system-specific controls are determined by:
A: Information System Owner, working with the Information Security Architect

Q: In accordance with NIST SP 800-53, the security control classes are based on?
A: Operational, Management, and Technical

Q: NIST SP 800-53 describes a family of controls as:
A: A grouping of like controls covering the same subject

Q: Organizations are encouraged to develop a broad-based, organization-wide strategy for conducting security assessments, facilitating more cost-effective and consistent assessments across the inventory of information systems. Which of the following is FALSE when considering how to accomplish this objective?
A: The Risk Management Framework cannot be used on multiple systems

Q: Which factor does an organization not need to take into account when implementing a holistic approach to organizational risk management?
A: Relationships between mission/business processes and the supporting information systems

Q: As indicated in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, the Risk Management Framework (RMF) begins with starting point inputs, which include architectural descriptions, system boundaries, and:
A: Mission and business processes

Q: As indicated in NIST SP 800-37, the RMF starting point provides organizational inputs that include laws, directives, and policy guidance; strategic goals and objectives; and:
A: Priorities and resource availability
Q: The two primary roles defined in RMF Step 1 are:
A: Information system owner (ISO) and the information owner (IO)

Q: The three tasks for RMF Step 1 are:
A: Security categorization, information system description, and information system registration

Q: The system security plan should exist:
A: After the system boundary is established

Q: A risk assessment can be started:
A: After the system boundary has been established

Q: What is the role of the common control provider (CCP) in RMF Step 1?
A: Primary, because the common control system includes an information type

Q: To assign the system security categorization, NIST SP 800-60 has four steps. What are they?
A: Identify, select, review, and assign

Q: Information system registration is completed by:
A: The ISO, assisted by the ISSO

Q: Subsystems in a service-oriented architecture (SOA) or net-centric architecture are registered in RMF Task 1-3 by: (1) establishing a separate registration process, (2) as a subset of systems or registered separately as a dynamic subsystem, and:
A: Proper identification during system categorization

Q: NIST SP 800-53 defines how many security control families, without adding in the privacy control catalog found in Appendix J?
A: 18

Q: When is a privacy impact assessment (PIA) required?
A: Before a system enters the development phase of the system development life cycle (SDLC), at which time privacy information will be incorporated
Q: The security control tailoring process includes scoping considerations, compensating controls, organization-defined parameters, and:
A: Identifying and designating common controls, supplementing baselines, and providing additional specification information for control implementation, if needed

Q: Which of the following options is defined as a specification that may be more or less stringent than the original criteria for security controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, and is intended to complement (and further refine) security control baselines?
A: Overlay

Q: Common controls can be based on and incorporated from which security control classes?
A: Management, operational, and technical

Q: In RMF Task 2-4, the approval of the system security plan (SSP) can be performed by which NIST-defined role?
A: Either the AO or the DR

Q: The minimum security controls required for safeguarding an information technology system based on its identified impact levels for confidentiality, integrity, and availability are known as:
A: Baseline security

Q: The two fundamental components that affect the trustworthiness of information systems are which types of security?
A: Functionality-related and assurance-related

Q: What is the origin of the requirement for a privacy impact assessment (PIA), which is an analysis of how information is handled: (1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (2) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks?
A: The E-Government Act of 2002

Q: Under what conditions does FISMA provide for a waiver of FIPS publications, such as FIPS 200?
A: FIPS publications cannot be waived
Q: A system has a low system impact level. According to NIST SP 800-34, what is the recommended backup/recovery strategy?
A: Tape backup or cold sites

Q: What is the test methodology that assumes explicit and substantial knowledge of the internal structure and implementation details of the assessment object?
A: Comprehensive testing

Q: Security control effectiveness is evaluated in accordance with CA-2 (Security Assessments) and is used to determine whether a security control demonstrates which of the following conditions?
A: The control was implemented correctly, operating as intended, and producing the desired outcome

Q: As defined in NIST SP 800-53A, assessment cases for conducting security control assessments have which logical flow?
A: Assessment procedures, assessment objectives, and assessment objects, all of which are evaluated using assessment methods

Q: Analysis of security assessment results occurs in which RMF task?
A: Task 4-

Q: Which of the following terms describes results produced by the application of assessment procedures to security controls or control enhancements to achieve an assessment objective, and the execution of a determination statement within an assessment procedure by an assessor that results in either a "satisfied" or "other than satisfied" condition?
A: Assessment finding

Q: An external service provider has security assessments that were performed by independent and technically competent assessors, conducted in accordance with ISO 27001. The authorizing official determines that:
A: The organization can accept the assessment but must determine the gaps that exist, then conduct a supplemental assessment on those gaps based on NIST SP 800-53, Appendix H (International Information Security Standards) and other compliance standards
Q: Beyond NIST SP 800-37, the primary references used for
A: NIST SP 800-53A and SP 800-

Q: Security control assessments provide organizational officials with: (1) evidence about the effectiveness of security controls in organizational information systems, (2) information about the strengths and weaknesses of information systems which are supporting organizational missions and business functions, and:
A: An indication of the quality of the risk management processes employed within the organization

Q: Assessment objects include specifications, mechanisms, activities, and:
A: Individuals

Q: Assessment methods define the nature of the assessor actions and include the examine method, the interview method, and the:
A: Test method

Q: Who has primary responsibility to prepare the plan of action and milestones (POAM) based on the findings and recommendations identified in the SAR?
A: Common control provider

Q: An authorization to operate (ATO) is the official management decision to formally accept risk and authorize operation of an information system. Who is responsible for issuing an ATO?
A: Only the authorizing official

Q: The document that identifies tasks that need to be accomplished by detailing the resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduling completion dates for the milestones is called the:
A: Plan of action and milestones (POAM)

Q: What documents form the security authorization package?
A: The system security plan, security assessment report, the plan of action and milestones for the specific system to be authorized, and the same documents for all common control systems that are used to mitigate risk