CAP Test Q's Flashcards
These are the example test questions
Best security practice requires that personnel implementing changes to production systems should…
- be the same personnel who develop the change.
- not be the same personnel who develop the change
- not be the primary system administrators responsible for the system being changed.
- implement the change at a random time to prevent attacks when a system's security controls are known to be turned off.
not be the same personnel who develop the change
The monitoring of security controls applies to which System Development Life Cycle (SDLC) phases?
Initiation; development/acquisition; implementation; operations and maintenance; and disposal
An organization utilizes a commercial service provider for pickup and offsite storage of backup media. The information system owner of one of the organization’s information systems has established backup data encryption and media marking procedures prior to backup media pickup by the commercial service provider. This is an example of:
compensating controls.
Which of the following defines National Security Systems?
Section 3541 Title 44 U.S.C. Federal Information Security Management Act of 2002 (FISMA).
The results of the security categorization process will MOST influence the
selection of appropriate security controls
Which of the following must be documented and implemented according to the United States Office of Management and Budget (OMB)?
United States Government Configuration Baseline (USGCB)
Which Risk Management Framework (RMF) step determines the extent to which security controls are implemented correctly, operating as intended, and producing the desired result with respect to meeting security requirements?
Assess Security Controls
An organization-wide incident response plan is established which requires that all information system incidents are reported to the organization’s incident response team. The policy also establishes that the incident response team is responsible for all follow-up investigation and reporting. Incident response security controls have been developed, implemented, assessed, and authorized in an organization-wide information system security plan. An information system security plan for an information system in this organization will identify the incident response controls as
common
When the level of trust in the external provider of a subsystem is below expectations, the organization should do which of the following?
Employ compensating controls and accept a greater degree of risk.
The Risk Management Framework (RMF) and associated RMF tasks apply to
both information systems and common controls
What individual within your organization can make executive decisions in determining whether risk is acceptable?
Authorizing Official (AO)
An information system is currently in the initiation phase of the System Development Life Cycle (SDLC) and has been categorized high impact. The information system owner wants to inherit common controls provided by another organizational information system, but those common controls do not by themselves provide the protection required for the high-impact system. What should the information system owner do?
Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system.
Which of the following documents describes the relationship between the Risk Management Framework (RMF) steps and the security authorization process?
NIST SP 800-37
Common control identification occurs in what phase of the Risk Management Framework (RMF) and System Development Life Cycle (SDLC)?
Select and Initiation
Results from a security control assessment require remediation actions. Who among the following is responsible to take the remedial actions?
Information System Owner (ISO)
When contracting for services to process or store a federal organization’s information, the information system used by the contractor to process or store federal information must…
be registered in the organization’s information system inventory and treated in an identical manner as a federally owned and operated system.
After residual risks identified during the security control assessment have been evaluated and prior to a security authorization decision, the Authorizing Official (AO) or designated representative makes a final risk determination based on input obtained DIRECTLY from which of the following individuals?
Risk executive, Information System Owner (ISO) and Common Control Provider
What is the last step before an information system is placed into operation?
Acceptance of risk by Authorizing Official (AO)
The purpose of the security assessment plan is to:
establish expectations for the security control assessment
An effective continuous monitoring program can be used to
support the FISMA requirement for annual assessment of the security controls in information systems.
The unauthorized modification or destruction of information is a loss of
integrity
The level of effort required to ensure appropriate security for a particular information system depends upon the:
Security categorization of the information system.
Which of the following is an example of a common control being inherited?
- Specialized training used for a firearms tracking system
- A custom authentication system used for an accounting system
- A webserver’s SSL certificate used exclusively for a major web application
- Physical security at a datacenter hosting several applications and systems
Physical security at a datacenter hosting several applications and systems.
When selecting security controls, which NIST Special Publication provides recommended security controls for federal information systems?
- NIST SP 800-199
- NIST SP 800-12
- NIST SP 800-53
- NIST SP 800-34
NIST SP 800-53
According to the Office of Management and Budget (OMB) a Plan of Action and Milestones (POAM) must contain
the type of weakness, the office or organization responsible for the weakness, estimated resources, scheduled completion date, key milestones, milestone changes, the source of discovery for the weakness and the present status.
According to NIST SP 800-37 “Guide for Applying the Risk Management Framework to Federal Information Systems”, “determine the risk to organizational operations (including missions, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation” is the description for…
Risk Determination
What is the last required step before an information system is placed into operation?
Explicit acceptance of risk by the authorizing official.
The security authorization package contains which of the following documents?
- Security Assessment Report (SAR), security audit logs and security plan
- Security Assessment Report (SAR), security plan and Plan of Action and Milestones (POAM)
- Security Assessment Report (SAR), security audit logs and Plan of Action and Milestones (POAM)
- security audit logs, security plan and Plan of Action and Milestones (POAM)
Security Assessment Report (SAR), security plan and Plan of Action and Milestones (POAM)
What role is responsible for implementing security controls in a general support system?
Chief Information Security Officer (CISO)
Which individual is selected by the Authorizing Official (AO), empowered to make certain decisions, coordinates activities required by the Security Authorization process, and is responsible for preparing authorization decision letters?
Authorizing Official Designated Representative
When should the information system owner document the information system and authorization boundary description in the Security Plan?
After Security Categorization
What is the MAIN Purpose of the addendum to the final Security Assessment Report (SAR)?
Information provided in the addendum is considered by authorizing officials in their risk-based authorization decisions.
The Security Control Assessor has finished their assessment of the National Library’s computer network and discovered that some controls were not implemented as described in the security plan. There were issues with the identification and authentication implementation. The system security policy states that all new account passwords will be given to the individual directly by help desk personnel after identity verification. The assessor was given their new system account login and password by the Information System Owner (ISO). What control was NOT properly implemented?
- AC-3 Access Enforcement
- IA-5 Authenticator Management
- PS-2 Position Categorization
- SC-2 Applications Partitioning
IA-5 Authenticator Management
A large organization has a documented information security policy that is reviewed and approved by senior officials and is readily available to all organization staff. This information security policy explicitly addresses each of the control families in NIST SP 800-53, Revision 3. The policy also establishes procedures for the management class of security controls. In the information system security plans for each of the organization’s information systems, AC-1 Access Control Policy and Procedures (a technical class security control) must be identified as what type of control?
Hybrid
NOTE: This is a poorly worded question… It is hybrid because this question refers to enterprise common controls and system-specific controls.
The final, agreed-upon set of security controls is documented with appropriate rationale for the information system in which artifact?
The Security Plan
Who determines the required level of independence for security control assessors?
Authorizing Official (AO)
Using the Risk Management Framework (RMF), conducting initial remediation actions on security controls is part of
Step 4 - Assess Security Controls
The Risk Management Framework (RMF) and the System Development Life Cycle (SDLC)
- integrate information security into software/system development.
- are competing methodologies for developing secure software.
- serve different security requirements and have no relationship.
- are waterfall methodologies with the RMF preceding the SDLC.
Integrate information security into software/system development.
In determining risk, what position is responsible for supplying the Executive Risk Committee with assessment information related to a common control?
Common Control Provider
The identification of common controls is MOST effectively accomplished…
- as an organization-wide exercise.
- by the common control provider.
- by the information system owner.
- during security control documentation.
as an organization-wide exercise.
An information system categorized as HIGH has implemented significant technology upgrades. Conducting security impact analysis of the associated changes is BEST performed during which Risk Management Framework (RMF) step?
- Step 3 - Implement Security Controls
- Step 6 - Monitoring Security Controls
- Step 2 - Select Security Controls
- Step 1 - Categorize Information Systems
Step 6 - Monitoring Security Controls
The Security Assessment Plan provides the objectives for the security control assessment, a detailed roadmap of how to conduct such an assessment, and
test procedures
An information system processes information types that have a potential impact of MODERATE and LOW. One of the information system’s four subsystems processes an information type that has potential impact of HIGH but the subsystem is only accessed by a small group of users with security clearances. What is the appropriate Security Categorization for the entire information system?
HIGH
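Worked example (added here; this is not part of the original flashcards and the information types and impact values are constructed for illustration): the FIPS 199 high-water mark rule from the previous question, carried out for a system with four information types. For each security objective the system takes the highest impact level found among its information types, and the overall impact level (FIPS 200, used to pick the SP 800-53 baseline) is the highest of the three objectives. The "N/A" handling for public information follows FIPS 199, which permits N/A only for the confidentiality of an information type and sets a low-water mark of LOW for the system itself. Note that restricting the HIGH subsystem to a small cleared group is an access control, not a categorization input, so it does not lower the result.

```python
"""FIPS 199 security categorization by the high-water mark rule (added example)."""
from typing import Dict, Iterable

# Impact ranks. "N/A" is allowed only for the confidentiality of an
# information type (public information); it is never a valid system value.
RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAME = {r: n for n, r in RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

InfoType = Dict[str, str]  # security objective -> impact level


def validate_info_type(name: str, it: InfoType) -> None:
    """Reject unknown levels and N/A on any objective other than confidentiality."""
    for obj in OBJECTIVES:
        level = str(it.get(obj, "")).upper()
        if level not in RANK:
            raise ValueError(f"{name}: {obj} has unknown impact level {it.get(obj)!r}")
        if level == "N/A" and obj != "confidentiality":
            raise ValueError(f"{name}: N/A is only permitted for confidentiality")


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level in the sequence; N/A ranks below LOW."""
    return NAME[max(RANK[str(lvl).upper()] for lvl in levels)]


def categorize_system(info_types: Dict[str, InfoType]) -> Dict[str, str]:
    """Per-objective security category of an information system.

    For each objective, take the high-water mark across every information
    type resident on the system. A system-level value is never N/A: if only
    public information is present, confidentiality becomes LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for name, it in info_types.items():
        validate_info_type(name, it)
    sc: Dict[str, str] = {}
    for obj in OBJECTIVES:
        level = high_water_mark(it[obj] for it in info_types.values())
        sc[obj] = "LOW" if level == "N/A" else level
    return sc


def overall_impact(sc: Dict[str, str]) -> str:
    """Overall impact level (FIPS 200): the highest of the three objectives."""
    return high_water_mark(sc.values())


def format_sc(system: str, sc: Dict[str, str]) -> str:
    """Render the category in FIPS 199 notation."""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {system} = {{{pairs}}}"


# Constructed sample: the flashcard scenario. Three information types are
# MODERATE/LOW; one subsystem's type is HIGH and used only by cleared staff.
LIBRARY_SYSTEM: Dict[str, InfoType] = {
    "case files":        {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "public schedules":  {"confidentiality": "N/A",      "integrity": "LOW",      "availability": "LOW"},
    "billing records":   {"confidentiality": "MODERATE", "integrity": "LOW",      "availability": "MODERATE"},
    "cleared subsystem": {"confidentiality": "HIGH",     "integrity": "HIGH",     "availability": "MODERATE"},
}

# Constructed sample: a public-only site, exercising the N/A low-water mark.
PUBLIC_SITE: Dict[str, InfoType] = {
    "press releases": {"confidentiality": "N/A", "integrity": "MODERATE", "availability": "LOW"},
    "event calendar": {"confidentiality": "N/A", "integrity": "LOW",      "availability": "MODERATE"},
}

if __name__ == "__main__":
    for name, types in (("library system", LIBRARY_SYSTEM), ("public site", PUBLIC_SITE)):
        sc = categorize_system(types)
        print(format_sc(name, sc), "-> overall", overall_impact(sc))
```

Running the block prints the library system as {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)} with an overall impact of HIGH, which is why the flashcard answer is HIGH rather than MODERATE; the public site shows confidentiality raised from N/A to LOW and an overall impact of MODERATE.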
The formula shown below is used to express security category. The formula is described in which of the following?
- OMB Circular A-127 Financial Management System
- NIST SP 800-55 Performance Measurement Guide for Information Security
- NISTIR 7358 Program Review for Information Security Management Assistance (PRISMA)
- FIPS 199 Standards for Security Categorization of Federal Information and Information Systems.
FIPS 199 Standards for Security Categorization of Federal Information and Information Systems.
Who has primary responsibility for compliance with Risk Management Framework (RMF), Step 6 Monitor Security Controls, Task 6-1: Determine the security impact of proposed or actual changes to the information system and its environment of operation?
Information System Owner (ISO) or Common Control Provider.
FIPS 199 Standards for Security Categorization of Federal Information and Information Systems defines the potential impact of a security breach based on…
data confidentiality, integrity, or availability.
Which of the following BEST represents the drivers of determining security status reporting frequency?
- Organizational financial reporting requirements and System of Record Notice (SORN)
- Personnel schedules and privacy impact of the system
- Legal requirements and organizational specific requirements based on risk
- Federal Information Security Management Act (FISMA) and system maintenance.
Legal requirements and organizational specific requirements based on risk
Who prepares the plan of action and milestones?
Security Control Assessor
When referring to the System Development Life Cycle (SDLC), during what phase does the Information System Owner (ISO) assemble the Security Authorization Package?
Implementation
When making a determination regarding the adequacy of the implementation of inherited controls for their respective systems, an information System Owner (ISO) can refer to the authorization package prepared by which of the following?
Common Control Provider
Information system boundaries are established in coordination with the security categorization process and
before the development of security plans.
Which role is primarily responsible for ongoing risk determination and acceptance?
Authorizing Official (AO)
Continuous monitoring of security controls to include ongoing remediation actions is defined in the:
Risk Management Framework (RMF) Step 6.
Who has the primary responsibility to comply with Risk Management Framework (RMF), Step 6-Monitor Security Controls, Task 6-3: Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones?
Information System Owner (ISO) or Common Control Provider
The creation of the Security Control Assessment Plan requires supporting materials to be identified to give the Information System Owner (ISO) and their staff time to gather all requested data. Supporting material includes various logs, reports, records showing evidence of security control implementation and…
procedures
When implementing information system security controls, the Information System Owner (ISO) must ensure consistency with…
organizational enterprise architecture and information security architecture.
A Chief Information Security Officer (CISO) must build a continuous monitoring program to ensure risk visibility and management. Which option provides the best approach? (Look at Q#57 for choices)
Divide the NIST SP 800-53 controls into four groups. One group is controls tested every year or more frequently, with the remaining controls divided into three separate groups over three years. Testing will occur every year and all controls will be tested by the end of the third year. Report risk in accordance with laws and organizational policy to the Authorizing Official (AO) and the risk executive function.
An initial remediation action was taken by the information system owner based on findings from the Security Assessment Report (SAR). What is the next appropriate step based on the Risk Management Framework (RMF)?
Remedial action taken is sent for review to the Information System Security Officer (ISSO)
Several weakness or deficiencies in security controls were corrected based on the Security Assessment Report (SAR) and the remediated controls were reassessed for effectiveness. What is the next step?
Assessors update the SAR with the findings from the reassessment.
An information system categorization has been completed for a federal information system. Which two documents ensure appropriate security requirements and security controls are applied?
FIPS 200 and NIST SP 800-53
In a multi-tiered organization, Tier 1 deals with organization, Tier 2 with business processes in the organization and Tier 3 with day to day operations of processes. Information security should be incorporated at which of the following Tiers?
All Tiers
The Security Control Assessor (SCA) has completed the assessment. What is the next step?
Analyze the test results
What is the final step in the Risk Management Framework (RMF) Step 4 - Assess Security Controls?
Remediation Actions
Tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions is performed during which Risk Management Framework (RMF) step?
Step 2 - Select Security Controls
The Risk Management Framework (RMF) provides a structured process that integrates information security and risk management activities into the…
System Development Life Cycle (SDLC)
Which of the following control families belongs to the Management class of security controls?
- Risk Assessment
- Media Protection
- Access Control
- Configuration Management
Risk Assessment
The criteria for selecting security controls to be monitored post deployment and for determining the frequency of such monitoring is established…
before development of the security control monitoring strategy.
Which of the following BEST describes the risk executive (function)?
- The authorization to operate decision based on acceptability of residual risk to an information system.
- An individual or group within an organization that helps to provide a comprehensive, organization-wide, holistic approach for addressing risk.
- The process for ensuring that the organization’s risk management approach is comprehensive.
- The highest-level official or executive within an organization with the overall responsibility to provide information security protections.
An individual or group within an organization that helps to provide a comprehensive, organization-wide, holistic approach for addressing risk.
How does the Authorizing Official (AO) determine the proper length of an information system’s security authorization?
Federal policies and Continuous Monitoring Program
What family of security controls below is in the operational class of security controls?
System and Information Integrity
During a weekly CIO status update a CAP working for the CIO is informed a contract for processing medical records is about to end. Which of the following options BEST represents the immediate concerns the CAP should bring to the federal contract manager?
The manager of the contract needs to ensure that the contractor has disposed of all the information in accordance with NIST SP 800-88. Independent verification of remnant destruction may be required.