(Isc)2 Guide To The CAP Review Questions

181 Questions | Total Attempts: 959

Questions and Answers
  • 1. During which RMF step is the system security plan initially approved?
    • A. RMF Step 1 Categorize Information System
    • B. RMF Step 2 Select Security Controls
    • C. RMF Step 3 Implement Security Controls
    • D. RMF Step 5 Authorize Information System
  • 2. Which organizational official is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system?
    • A. Information system security engineer (ISSE)
    • B. Chief information officer (CIO)
    • C. Information system owner (ISO)
    • D. Information security architect
  • 3. Which authorization approach considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of the other organization?
    • A. Leveraged
    • B. Single
    • C. Joint
    • D. Site specific
  • 4. System authorization programs are marked by frequent failure due to, among other things, poor systems inventory, failure to fix responsibility at the system level, and
    • A. Inability to work with remote teams.
    • B. Lack of a project management office.
    • C. Insufficient system rights.
    • D. Lack of management support.
  • 5. In what phases of the Risk Management Framework (RMF) and system development life cycle (SDLC), respectively, does documentation of control implementation start?
    • A. Categorization and initiation
    • B. Implement security controls and development/acquisition
    • C. Authorization and operations/maintenance
    • D. Monitor and sunset
  • 6. The tiers of the National Institute of Standards and Technology (NIST) risk management framework are
    • A. Operational, management, system.
    • B. Confidentiality, integrity, availability.
    • C. Organization, mission/business process, information system.
    • D. Prevention, detection, recovery.
  • 7. NIST guidance classifies security controls as
    • A. Production, development, and test.
    • B. People, process, and technology.
    • C. System-specific, common, and hybrid.
    • D. Technical, administrative, and program.
  • 8. Which of the following specifies security requirements for federal information and information systems in 17 security-related areas that represent a broad-based, balanced information security program?
    • A. Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
    • B. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
    • C. Committee on National Security Systems (CNSS) Instruction No. 1253, Security Categorization and Control Selection for National Security Systems
    • D. Section 3541 Title 44 U.S.C. Federal Information Security Management Act of 2002
  • 9. After a monthly change control board meeting at which the team determined the security impact of proposed changes to an application, what would be the team's next action?
    • A. Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report, excluding any remediation actions taken.
    • B. Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment.
    • C. Update the security plan, security assessment report, and plan of action and milestones based on the results of the change control board's security impact analysis.
    • D. Assess a selected subset of the security controls employed within and inherited by the application in accordance with the organization-defined monitoring strategy.
  • 10. When an authorization to operate (ATO) is issued, which of the following roles authoritatively accepts residual risk on behalf of the organization?
    • A. Information owner
    • B. Chief information security officer (CISO)
    • C. Authorizing official (AO)
    • D. AO or the AO's designated representative (DR)
  • 11. When attempting to categorize a system, which two Risk Management Framework (RMF) starting point inputs should be accounted for?
    • A. Federal laws and organizational policies
    • B. Federal laws and Office of Management and Budget (OMB) policies
    • C. Federal Information Security Management Act (FISMA) and the Privacy Act
    • D. Architectural descriptions and organizational inputs
  • 12. Documenting the description of the system in the system security plan is the primary responsibility of which RMF role?
    • A. Authorizing official (AO)
    • B. Information owner
    • C. Information system security officer (ISSO)
    • D. Information system owner
  • 13. The registration of the system directly follows which RMF task?
    • A. Categorize the system
    • B. Describe the system
    • C. Review and approve the system security plan
    • D. Select security controls
  • 14. When should the information system owner document the information system and authorization boundary description in the security plan?
    • A. After security controls are implemented
    • B. While assembling the authorization package
    • C. After security categorization
    • D. When reviewing the security control assessment plan
  • 15. Information developed from Federal Information Processing Standard (FIPS) 199 may be used as an input to which authorization package document?
    • A. Security assessment report (SAR)
    • B. System security plan (SSP)
    • C. Plan of actions and milestones (POA&M)
    • D. Authorization decision document
  • 16. An organization's information systems are a mix of Windows and UNIX systems located in a single computer room. Access to the computer room is restricted by the use of door locks that require proximity cards and personal identification numbers. Only a small percentage of the organization's employees have access to the computer room. The computer room access restriction is an example of what type of security control relative to the hardware in the computer room?
    • A. Managerial
    • B. System specific
    • C. Technical
    • D. Inherited
  • 17. Why is security control volatility an important consideration in the development of a security control monitoring strategy?
    • A. It identifies needed security control monitoring exceptions.
    • B. It indicates a need for compensating controls.
    • C. It establishes priority for security control monitoring.
    • D. It provides justification for revisions to the configuration management and control plan.
  • 18. An information system is currently in the initiation phase of the system development life cycle (SDLC) and has been categorized high impact. The information system owner wants to inherit common controls provided by another organizational information system that is categorized moderate impact. How does the information system owner ensure that the common controls will provide adequate protection for the information system?
    • A. Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system.
    • B. Ask the common control provider for the system security plan for the common controls.
    • C. Consult with the information system security engineer and the information security architect.
    • D. Perform rigorous testing of the common controls to determine if they provide adequate protection.
  • 19. An effective security control monitoring strategy for an information system includes
    • A. Monitoring the security controls of interconnecting information systems outside the authorization boundary.
    • B. Active involvement by authorizing officials in the ongoing management of information system-related security risks.
    • C. The annual assessment of all security controls in the information system.
    • D. All controls listed in NIST SP 800-53, Revision 3.
  • 20. A large organization has a documented information security policy that has been reviewed and approved by senior officials and is readily available to all organizational staff. This information security policy explicitly addresses each of the 17 control families in NIST SP 800-53, Revision 3. Some system owners also established procedures for the technical class of security controls on certain of their systems. In their respective system security plans, control AC-1 Access Control Policy and Procedures (a technical class security control) must be identified as what type of control?
    • A. Fully inheritable
    • B. Hybrid
    • C. System specific
    • D. Inherited
  • 21. When determining the applicability of a specific security control, the security professional should utilize which type of guidance?
    • A. Categorization
    • B. Selection
    • C. Scoping
    • D. Remediation
  • 22. When making a determination regarding the adequacy of the implementation of inherited controls for their respective systems, an information system owner (ISO) can refer to the authorization package prepared by which of the following?
    • A. Information owner/steward (IO)
    • B. Information system security engineer (ISSE)
    • C. Information systems security officer (ISSO)
    • D. Common control provider (CCP)
  • 23. The initial security plan for a new application has been approved. What is the next activity in the RMF?
    • A. Develop a new strategy for the continuous monitoring of security control effectiveness.
    • B. Assemble the security authorization package.
    • C. Implement the security controls specified in the security plan.
    • D. Assess a selected subset of the security controls inherited by the information system.
  • 24. Which role has the supporting responsibility to coordinate changes to the system, assess the security impact, and update the system security plan?
    • A. Information system security officer (ISSO)
    • B. Information system owner (ISO)
    • C. Common control provider
    • D. Senior agency information security officer
  • 25. Who is primarily responsible for the development of system-specific procedures?
    • A. System owner
    • B. Information systems security officer (ISSO)
    • C. System architect
    • D. System administrator