The Certified Authorization Professional CAP Ultimate Exam is designed for cybersecurity professionals responsible for information system authorization and risk management. This exam covers security frameworks, risk assessment, system categorization, security controls, continuous monitoring, compliance management, authorization processes, and governance principles. It helps candidates prepare for cybersecurity certification while strengthening their understanding of enterprise security and regulatory requirements.
Typology: Exams
Question 1. Which of the following best describes the CIA triad?
A) Confidentiality, Integrity, Authentication
B) Confidentiality, Integrity, Availability
C) Control, Identification, Authorization
D) Confidentiality, Availability, Auditing
Answer: B
Explanation: The CIA triad (Confidentiality, Integrity, and Availability) is the foundational model for information security objectives.

Question 2. In NIST SP 800-37, which step directly follows the "Prepare" phase?
A) Categorize the system
B) Select controls
C) Authorize the system
D) Monitor the system
Answer: A
Explanation: After preparing, the RMF process moves to categorizing the information system based on impact levels. The seven steps in SP 800-37 Rev 2 are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

Question 3. ISO 27001 requires which of the following as a mandatory component of the ISMS?
A) Risk treatment plan
B) Business continuity plan
C) Asset classification scheme
D) Statement of Applicability (SoA)
Answer: D
Explanation: The SoA documents which controls are selected (and which are excluded) and why, and is required for ISO 27001 certification.
Question 4. Which SDLC phase is most appropriate for performing a threat modeling activity?
A) Initiation
B) Development/Acquisition
C) Implementation
D) Operations/Maintenance
Answer: B
Explanation: Threat modeling is typically performed during design and development to identify and mitigate threats early, when changes are cheapest.

Question 5. A physical control that restricts access to a data center is an example of which control type?
A) Technical
B) Administrative
C) Physical
D) Managerial
Answer: C
Explanation: Physical controls protect facilities and equipment; examples are locks, guards, and badge readers.

Question 6. Which governance document defines the organization's security baseline?
A) Procedure
B) Policy
C) Standard
D) Guideline
Answer: C
Explanation: Standards provide specific, mandatory requirements that establish the security baseline; policies state intent, procedures describe how to carry out the standard, and guidelines are recommendations.
Explanation: Payroll data contains personally identifiable information (PII) and is highly sensitive, warranting a high confidentiality impact.

Question 10. In impact analysis, a "Moderate" impact on availability would most likely result in:
A) Minor inconvenience to users
B) Significant degradation of mission-critical operations
C) Loss of life or severe financial loss
D) No noticeable effect
Answer: B
Explanation: A moderate impact on availability means the system's loss would degrade important operations but would not cause catastrophic consequences.

Question 11. Which NIST SP 800-53 control family addresses "audit and accountability"?
A) AC
B) AU
C) IA
D) SC
Answer: B
Explanation: The AU (Audit and Accountability) family contains controls for event logging, monitoring, and review.

Question 12. When tailoring the baseline, a "parameter" refers to:
A) A control that can be replaced with a compensating control
B) A configurable setting that adjusts a control's behavior
C) A documented exception to a control
D) A risk acceptance decision
Answer: B
Explanation: Parameters allow organizations to customize baseline controls (e.g., password length) without removing them.

Question 13. A compensating control is used when:
A) The baseline control is too costly to implement
B) The baseline control is not feasible due to technical constraints
C) The organization wants to exceed the baseline
D) The control is already covered by a policy
Answer: B
Explanation: Compensating controls provide equivalent protection when the standard control cannot be applied.

Question 14. The primary purpose of the Security Assessment Plan (SAP) is to:
A) Document the system's architecture
B) Outline the methods and schedule for testing controls
C) List all identified vulnerabilities
D) Define the risk tolerance of the organization
Answer: B
Explanation: The SAP details the assessment scope, methodology, and timeline for verifying control implementation.

Question 15. In the System Security Plan (SSP), the "Control Implementation Summary" should contain:
A) The cost of each control
B) The control's status (Implemented, Planned, Not Implemented) and how it meets the requirement
C) The vendor's contract details
D) The risk rating for each control
Answer: B
Explanation: System administrators implement and tune controls, balancing security with operational requirements.

Question 19. Independence of the assessment team is required to avoid:
A) Redundant testing
B) Conflict of interest that could bias results
C) Excessive documentation
D) Delays in the authorization process
Answer: B
Explanation: Independent assessors provide objective evidence of control effectiveness.

Question 20. The "Examine" method in the EIT assessment approach primarily involves:
A) Interviewing personnel
B) Reviewing policies, procedures, and documentation
C) Running vulnerability scans
D) Observing system operations in real time
Answer: B
Explanation: Examining focuses on reviewing artifacts to verify control implementation. EIT refers to the three assessment methods defined in NIST SP 800-53A: examine, interview, and test.

Question 21. Which of the following is an example of a "test" activity in the EIT methodology?
A) Reviewing configuration baselines
B) Conducting a penetration test on a web application
C) Interviewing the system owner about risk tolerance
D) Examining the incident response plan
Answer: B
Explanation: Testing involves active execution of techniques (e.g., penetration testing) against the system to evaluate controls.

Question 22. The Security Assessment Report (SAR) must include which of the following sections?
A) Executive summary, findings, and remediation recommendations
B) Detailed budget analysis
C) User satisfaction survey results
D) Future technology roadmap
Answer: A
Explanation: The SAR provides an overview, detailed findings, and suggested remediation actions.

Question 23. A "low-hanging fruit" vulnerability is best described as:
A) A vulnerability that requires extensive resources to fix
B) A minor issue that poses little risk
C) An easily exploitable flaw that can be remedied quickly
D) A vulnerability that only affects legacy systems
Answer: C
Explanation: "Low-hanging fruit" refers to easily exploitable flaws that can be fixed with minimal effort, which is why they are usually remediated first.

Question 24. A POA&M is primarily used to:
A) Track the cost of security controls
B) Document identified weaknesses, remediation actions, and milestones
C) Record system performance metrics
D) List all authorized users
Answer: B
Explanation: Executives need concise, business-focused summaries that translate technical risk into operational impact.

Question 28. Continuous Monitoring (CM) primarily addresses which of the following?
A) Initial system design
B) One-time compliance audit
C) Ongoing assessment of control effectiveness and emerging threats
D) Procurement of new hardware
Answer: C
Explanation: Continuous monitoring is an ongoing activity that ensures controls remain effective over time. NIST SP 800-137 abbreviates it ISCM (information security continuous monitoring), which avoids confusion with the CM control family in the next question.

Question 29. Configuration Management (CM) in the RMF context is most closely associated with:
A) Asset disposal
B) Change control and baseline maintenance
C) Incident response planning
D) User training programs
Answer: B
Explanation: Configuration management tracks changes to hardware, software, and settings, maintaining a known baseline.

Question 30. A periodic review of a subset of controls is known as:
A) Full system assessment
B) Continuous monitoring assessment (CMA)
C) Risk acceptance
D) Baseline deviation analysis
Answer: B
Explanation: A continuous monitoring assessment selects representative controls for ongoing verification rather than re-assessing every control each cycle.

Question 31. Which of the following triggers a re-authorization of a system?
A) Routine patching of operating systems
B) A change in the organization's risk tolerance
C) Completion of a quarterly CM activity
D) A major architecture change that alters the system's security posture
Answer: D
Explanation: Significant changes that affect security controls or impact levels require a new authorization.

Question 32. Secure data disposal must ensure that data is:
A) Archived for future reference
B) Overwritten or destroyed to prevent recovery
C) Backed up to an off-site location
D) Encrypted before deletion
Answer: B
Explanation: Secure disposal methods (e.g., shredding, degaussing, overwriting) prevent data reconstruction; NIST SP 800-88 provides media sanitization guidance.

Question 33. In FedRAMP, the "Joint Authorization Board" (JAB) provides:
A) Independent pen-testing services
B) A centralized provisional authorization (P-ATO) for cloud service providers that agencies can leverage for their own ATOs
C) Funding for cloud migrations
D) Legal counsel for agencies
Answer: B
D) Define user roles and responsibilities
Answer: B
Explanation: The BIA assesses the impact of disruptions, establishing RTOs and impact ratings that inform risk decisions.

Question 37. When assigning an impact level, "moderate" confidentiality impact typically means:
A) No adverse effect on operations
B) Loss of confidentiality could be expected to cause serious degradation of mission performance
C) Loss of confidentiality would cause a severe or catastrophic impact
D) Only a minor inconvenience to users
Answer: B
Explanation: Moderate impact indicates a serious adverse effect but not a severe or catastrophic one (which would be high).

Question 38. Which of the following is NOT a typical component of a security control baseline?
A) Minimum required controls for a given impact level
B) Tailoring guidance for organization-specific adjustments
C) Detailed implementation scripts for each control
D) Mapping to control families in NIST SP 800-53
Answer: C
Explanation: Baselines provide required controls and guidance; detailed scripts are implementation-specific, not part of the baseline.

Question 39. Which NIST publication provides guidance on categorizing information types for privacy?
A) SP 800-53
Answer: B
Explanation: SP 800-60 offers a catalog of information types and recommended provisional impact levels for both security and privacy.

Question 40. In the RMF, the "Monitor" step includes which of the following activities?
A) Selecting controls
B) Conducting a risk assessment
C) Performing continuous monitoring and periodic assessments
D) Developing the SSP
Answer: C
Explanation: Monitoring encompasses ongoing evaluation of control effectiveness and emerging risks.

Question 41. Which of the following best illustrates a "technical control"?
A) Security awareness training
B) Encryption of data at rest
C) Physical badge access to a server room
D) Written incident response procedures
Answer: B
Explanation: Encryption is a technology-based safeguard that protects data confidentiality.

Question 42. An "administrative control" is primarily concerned with:
A) Physical barriers to entry
C) Data backup
D) Physical lock on a server rack
Answer: B
Explanation: Detective controls identify and alert on security events after they occur.

Question 46. A "preventive" control is intended to:
A) Detect security incidents after they happen
B) Stop an incident from occurring in the first place
C) Recover data after a breach
D) Document the incident response process
Answer: B
Explanation: Preventive controls aim to block threats before they can succeed.

Question 47. Which of the following best defines "risk tolerance"?
A) The maximum acceptable level of risk an organization is willing to accept
B) The total amount of risk present in a system
C) The likelihood of a threat occurring
D) The cost of implementing all possible controls
Answer: A
Explanation: Risk tolerance sets the threshold for acceptable residual risk.

Question 48. During the "Select" step, which document provides the baseline controls for a moderate-impact system?
A) NIST SP 800-53 Rev 5 (Moderate baseline)
B) ISO 27001 Annex A
C) COBIT 5 Process Reference Model
D) NIST SP 800-30
Answer: A
Explanation: NIST SP 800-53 defines baseline controls for low, moderate, and high impact levels. Note that with Rev 5 the baselines themselves were moved into the companion document SP 800-53B; earlier revisions carried them in an appendix of SP 800-53.

Question 49. When an organization uses "parameterization" to tailor a control, which of the following is an example?
A) Replacing a password policy with a biometric factor
B) Setting the minimum password length to 12 characters
C) Removing the control entirely
D) Adding a compensating control for network segmentation
Answer: B
Explanation: Parameterization adjusts a control's configuration (e.g., the minimum password length) without eliminating it.

Question 50. Which of the following is a primary purpose of a POA&M?
A) To document the system's architecture
B) To track remediation actions, responsible parties, and target dates for identified weaknesses
C) To list all security policies in effect
D) To calculate the system's total cost of ownership
Answer: B
Explanation: The POA&M provides a structured plan for addressing residual findings.

Question 51. An "interim authority to test" (IATT) is typically issued for:
A) A system that has completed full RMF authorization
B) A system undergoing development that needs limited testing privileges
C) A system that has been denied an ATO
D) A system that is being decommissioned
Answer: B
Answer: C
Explanation: FedRAMP adopts the NIST SP 800-53 control families directly, including SC.

Question 55. Which of the following is considered a "privacy impact assessment" (PIA) activity?
A) Evaluating the encryption strength of a database
B) Determining whether personal data collection is necessary and proportionate
C) Conducting a network penetration test
D) Reviewing firewall rule sets
Answer: B
Explanation: A PIA assesses privacy risks, focusing on necessity, proportionality, and compliance.

Question 56. Which ISO standard provides guidance on risk management principles that can be applied across all types of risk, including information security?
A) ISO 27001
B) ISO 31000
C) ISO 9001
D) ISO 27701
Answer: B
Explanation: ISO 31000 specifies generic risk management principles and a framework that apply to any kind of risk.

Question 57. When performing a "test" during an assessment, which of the following is a key consideration to maintain system integrity?
A) Use production data without restriction
B) Conduct testing on a non-production environment or with sanitized data
C) Disable logging to avoid clutter
D) Change configuration settings without documentation
Answer: B
Explanation: Testing on a non-production or sanitized environment prevents unintended impact on live operations.

Question 58. The "authorizing official" (AO) is ultimately responsible for:
A) Writing security policies
B) Selecting technical controls
C) Accepting residual risk and issuing the ATO or DATO
D) Performing system configuration management
Answer: C
Explanation: The AO makes the final risk decision and issues the authorization outcome.

Question 59. Which of the following best describes a "gap analysis" in the context of control selection?
A) Comparing the organization's current controls against the baseline to identify missing controls
B) Measuring system performance metrics
C) Conducting a cost-benefit analysis of all controls
D) Assessing user satisfaction with security controls
Answer: A
Explanation: Gap analysis identifies where existing controls fall short of the required baseline controls.

Question 60. An organization's "risk appetite" is:
A) The total amount of risk the organization can bear financially
B) The level of risk it is willing to accept in pursuit of its objectives
C) The likelihood of a specific threat occurring