ISC2 CAP Practice Test Questions: 1-50 Questions with 100% Correct Answers | Verified | Updated 2023

The questions use the certification and accreditation (C&A) terminology of the 2004 edition of NIST SP 800-37 together with the six RMF steps of SP 800-37 Rev. 1; both editions have since been superseded by SP 800-37 Rev. 2 (December 2018), so verify answers against the current publication before relying on them.

1. "Continuously observing and evaluating the information system security controls during the system life cycle to determine whether changes have occurred that will negatively impact the system security" best describes which process in the certification and accreditation methodology?
a. Continuous monitoring
b. Continuous improvement
c. Continuous management
d. Continuous development
Correct answer: Continuous monitoring

2. Which one of the following activities is not a component of the continuous monitoring process?
a. Operation and maintenance
b. Security control monitoring and impact analyses
c. Status reporting and documentation
d. Configuration management and control
Correct answer: Operation and maintenance

pg. 1 professoraxel

3. Which one of the following publications provides details of the continuous monitoring process?
a. NIST SP 800-14
b. NIST SP 800-42
c. NIST SP 800-37
d. NIST SP 800-41
Correct answer: NIST SP 800-37

4. Which one of the following best describes when continuous monitoring takes place?
a. Before the initial system certification
b. After the initial system security accreditation
c. Before and after the initial system security accreditation
d. During the system design phase
Correct answer: After the initial system security accreditation

5. Which one of the following questions is not asked as part of the continuous monitoring process?
a. Could any of the changes to the information system affect the current, identified vulnerabilities in the system or introduce new vulnerabilities into the system?

c. Enter the system development life cycle (SDLC)
d. Select subsets of controls and monitor them at intervals
Correct answer: Select subsets of controls and monitor them at intervals

10. Selecting controls to be monitored can be best aided by what document?
a. FIPS 199
b. NIST SP 800-37
c. FISMA
d. NIST SP 800-18
Correct answer: FIPS 199

11. What document provides a standard approach to the assessment of NIST SP 800-53 security controls?
a. FIPS 199
b. NIST SP 800-53A
c. NIST SP 800-30
d. NIST SP 800-66
Correct answer: NIST SP 800-53A

12. Appendix D of NIST SP 800-53A describes what three basic types of assessment methods?
a. The interview, the examination, and testing
b. The interview, the validation, and testing
c. The interview, the examination, and remediation
d. The interview, the verification, and testing
Correct answer: The interview, the examination, and testing

13. NIST SP 800-53A defines which of the following three types of interviews, depending on the level of assessment conducted?
a. Initial, substantial, comprehensive
b. Abbreviated, substantial, comprehensive
c. Abbreviated, moderate, comprehensive
d. Abbreviated, substantial, detailed
Correct answer: Abbreviated, substantial, comprehensive

14. What NIST SP 800-53A assessment method is used to review, inspect, and analyze assessment objects such as policies, plans, requirements, designs, hardware, firmware, and security activities to determine the effectiveness of information system security controls?
a. Verification
b. Interview
c. Examination
d. Validation
Correct answer: Examination

15. Observing or conducting the operation of physical devices, hardware, software, and firmware and determining whether they exhibit the desired and expected behavior describes what type of SP 800-53A assessment method?
a. Examination
b. Testing
c. Validation
d. Remediation
Correct answer: Testing

16. In continuous monitoring, tracking of proposed or actual changes to the information system, including operating system patches, hardware, software, and firmware, is called:
a. Systems engineering
b. The system development life cycle (SDLC)
c. Configuration management and controls
d. Security categorization
Correct answer: Configuration management and controls

b. Authorizing official and senior agency information security officer
c. Senior agency information security officer
d. User
Correct answer: Authorizing official and senior agency information security officer

23. In continuous monitoring, what personnel will normally be using the updated plans in the documentation report to guide future assessment activities?
a. The senior agency information security officer
b. The authorizing official
c. The information system owner and security assessor
d. All the above
Correct answer: All the above

24. The frequency of generating the system security plan and the plan of action and milestones is at the discretion of which of the following personnel?
a. The authorizing official
b. The information system owner
c. The agency information system security officer
d. All the above
Correct answer: The information system owner

25. Generating the system security plan and plan of action and milestones should be done at what frequency?
a. Every three months
b. Reasonable intervals to ensure that significant changes to the security posture of the information system are reported
c. At the discretion of the authorizing official
d. Every three years
Correct answer: Reasonable intervals to ensure that significant changes to the security posture of the information system are reported

26. Who determines whether a security reaccreditation is required after reviewing the plan of action and milestones?
a. The senior information system security officer
b. The authorizing official
c. The senior information security officer and the authorizing official
d. The information system owner
Correct answer: The senior information security officer and the authorizing official

27. The following events are used to determine whether which activity has to be initiated?
• Modifications to the information system have negatively impacted the system security controls.
• Modifications to the information system have introduced new vulnerabilities into the system.
• A specified time period has elapsed, requiring the information system to be reauthorized in accordance with federal or agency policy (typically 3 years).
• The risk to agency operations, agency assets, or individuals has been increased.
a. Reaccreditation
b. Maintenance
c. Peer review
d. Security categorization
Correct answer: Reaccreditation

28. Continuous monitoring documentation reports are also used to meet which one of the following reporting requirements?
a. NIST
b. FISMA
c. HIPAA
d. FBI
Correct answer: FISMA

"... security control being assessed using a limited body of evidence or documentation" refers to which one of the following examination assessment types?
a. Functional
b. Abbreviated
c. Substantial
d. Comprehensive
Correct answer: Abbreviated

34. What are the types of security controls for information systems that can be deployed by an organization?
a. Common controls, intra-relational controls, system-specific controls
b. Common controls, intra-relational controls, hybrid controls
c. System-specific controls, inter-relational controls, hybrid controls
d. System-specific controls, common controls, hybrid controls
Correct answer: System-specific controls, common controls, hybrid controls

35. Which type of controls provide a security capability for a particular information system only?
a. Common controls
b. Inter-relational controls
c. System-specific controls
d. Hybrid controls
Correct answer: System-specific controls

36. Which type of controls provide a security capability for multiple information systems?
a. Common controls
b. Intra-relational controls
c. Hybrid controls
d. System-specific controls
Correct answer: Common controls

37. Which type of controls promote more cost-effective and consistent information security across the organization?
a. Inter-relational controls
b. Inherited controls
c. Common controls
d. System-specific controls
Correct answer: Common controls

38. Why does implementing as many common controls as possible make sense for the company?
a. It simplifies risk management activities by not having to reassess inherited common controls
b. It provides more consistent information security by using inherited common controls
c. It provides less consistent information security by using inherited common controls
d. Both a and b
Correct answer: Both a and b

39. What is the last step before an information system is placed into operation?
a. Move to Activity 5 in the Enterprise Information Technology Defense Repository (EITDR)
b. The explicit acceptance of risk by the authorizing official
c. Replacement of all CMOS batteries on desktop and laptop computers to provide the greatest amount of protection against loss of BIOS information
d. The explicit acceptance of risk by the authorizing official and the CIO
Correct answer: The explicit acceptance of risk by the authorizing official

40. Organizations using RMF Steps 1 through 3, for legacy systems, to confirm that the security categorization has been completed and is appropriate and that the requisite security

b. __ AUTHORIZE INFORMATION SYSTEM
c. __ SELECT SECURITY CONTROLS
d. __ MONITOR SECURITY CONTROLS
e. __ IMPLEMENT SECURITY CONTROLS
f. __ CATEGORIZE INFORMATION SYSTEM
Correct answer: f=1, c=2, e=3, a=4, b=5, d=6

45. Where would you find the individual or group who has the primary responsibility for carrying out each of the Risk Management Framework (RMF) tasks?
a. The United States of America Federal RMF Users Guide
b. NIST SP 800-53A
c. The RMF task description in NIST SP 800-37 Rev. 1
d. Minimum Security Requirements for Federal Information and Information Systems in FIPS 200
Correct answer: The RMF task description in NIST SP 800-37 Rev. 1

46. Including a sprinkler system in the house blueprints, installing the sprinkler system as the house is being built, and inspecting the sprinkler system as the house is being built, rather than retrofitting the sprinkler system after the house is built (which is obviously more efficient and cost effective), is a simile for building in security using what?
a. Risk Management Framework (RMF)
b. System Development Life Cycle (SDLC)
c. Risk assessment process found in NIST SP 800-18
d. It's not a simile; if anything, it's a metaphor
Correct answer: System Development Life Cycle (SDLC)

47. What documents the results of the security control assessment and provides the authorizing official with essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls?
a. Authorization package
b. Security Plan, Security Assessment Report, POA&M
c. RAR and SAR
d. Both a and b, because b is what makes up the Authorization Package
Correct answer: Both a and b, because b is what makes up the Authorization Package

48. What part of the Authorization Package provided to the Authorizing Official or Designated Representative is the formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements?
a. Security Plan
b. POA&M
c. Security Assessment Report
d. Risk Assessment Report
Correct answer: Security Plan

49. What part of the Authorization Package provided to the Authorizing Official or Designated Representative shows the security control assessment results and recommended corrective actions for control weaknesses or deficiencies?
a. Security Plan
b. POA&M
c. Security Assessment Report
d. Risk Assessment Report
Correct answer: Security Assessment Report

50. What part of the Authorization Package provided to the Authorizing Official or Designated Representative shows measures planned to correct weaknesses or deficiencies and to reduce or eliminate known vulnerabilities?