CAP Test Q's Flashcards

These are the example test questions

1
Q

Best security practice requires that personnel implementing changes to production systems should…

  • be the same personnel who develop the change.
  • not be the same personnel who develop the change.
  • not be the primary system administrators responsible for the system being changed.
  • implement the change at a random time to prevent attacks when a system's security controls are known to be turned off.
A

not be the same personnel who develop the change

2
Q

The monitoring of security controls applies to which System Development Life Cycle (SDLC) phases?

A

Initiation; development/acquisition; implementation; operations and maintenance; and disposal

3
Q

An organization utilizes a commercial service provider for pickup and offsite storage of backup media. The information system owner of one of the organization’s information systems has established backup data encryption and media marking procedures prior to backup media pickup by the commercial service provider. This is an example of:

A

compensating controls.

4
Q

Which of the following defines National Security Systems?

A

Section 3541 Title 44 U.S.C. Federal Information Security Management Act of 2002 (FISMA).

5
Q

The results of the security categorization process will MOST influence the

A

selection of appropriate security controls

6
Q

Which of the following must be documented and implemented according to the United States Office of Management and Budget (OMB)?

A

United States Government Configuration Baseline (USGCB)

7
Q

Which Risk Management Framework (RMF) step determines the extent to which security controls are implemented correctly, operating as intended, and producing the desired result with respect to meeting security requirements?

A

Assess Security Controls

8
Q

An organization-wide incident response plan is established which requires that all information system incidents are reported to the organization’s incident response team. The policy also establishes that the incident response team is responsible for all follow-up investigation and reporting. Incident response security controls have been developed, implemented, assessed, and authorized in an organization-wide information system security plan. An information system security plan for an information system in this organization will identify the incident response controls as

A

common

9
Q

When the level of trust in the external provider of a subsystem is below expectations, the organization should do which of the following?

A

Employ compensating controls and accept a greater degree of risk.

10
Q

The Risk Management Framework (RMF) and associated RMF tasks apply to

A

both information systems and common controls

11
Q

What individual within your organization can make an executive decision in determining whether risk is acceptable?

A

Authorizing Official (AO)

12
Q

An information system is currently in the initiation phase of the System Development Life Cycle (SDLC) and has been categorized as high impact. The information system owner wants to inherit common controls provided by another organizational information system that is protected for the information system?

A

Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system.

13
Q

Which of the following documents describes the relationship between the Risk Management Framework (RMF) steps and the security authorization process?

A

NIST SP 800-37

14
Q

Common control identification occurs in what phase of the Risk Management Framework (RMF) and System Development Life Cycle (SDLC)?

A

Select and Initiation

15
Q

Results from a security control assessment require remediation actions. Who among the following is responsible for taking the remedial actions?

A

Information System Owner (ISO)

16
Q

When contracting for services to process or store a federal organization’s information, the information system used by the contractor to process or store federal information must…

A

be registered in the organization’s information system inventory and treated in an identical manner as a federally owned and operated system.

17
Q

After residual risks identified during the security control assessment have been evaluated, and prior to a security authorization decision, the Authorizing Official (AO) or designated representative makes a final risk determination based on input obtained DIRECTLY from which of the following individuals?

A

Risk executive, Information System Owner (ISO) and Common Control Provider

18
Q

What is the last step before an information system is placed into operation?

A

Acceptance of risk by Authorizing Official (AO)

19
Q

The purpose of the security assessment plan is to:

A

establish expectations for the security control assessment

20
Q

An effective continuous monitoring program can be used to

A

support the FISMA requirement for annual assessment of the security controls in information systems.

21
Q

The unauthorized modification or destruction of information is a loss of

A

integrity

22
Q

The level of effort required to ensure appropriate security for a particular information system depends upon the:

A

Security categorization of the information system.

23
Q

Which of the following is an example of a common control being inherited?

  • Specialized training used for a firearms tracking system
  • A custom authentication system used for an accounting system
  • A webserver’s SSL certificate used exclusively for a major web application
  • Physical security at a datacenter hosting several applications and systems
A

Physical security at a datacenter hosting several applications and systems.

24
Q

When selecting security controls, which NIST Special Publication provides recommended security controls for federal information systems?

  • NIST SP 800-199
  • NIST SP 800-12
  • NIST SP 800-53
  • NIST SP 800-34
A

NIST SP 800-53

25
Q

According to the Office of Management and Budget (OMB), a Plan of Action and Milestones (POAM) must contain

A

the type of weakness, the office or organization responsible for the weakness, estimated resources, scheduled completion date, key milestones, milestone changes, the source of discovery for the weakness and the present status.

26
Q

According to NIST SP 800-37A “Guide for applying the Risk Management Framework to Federal Information Systems”, “determine the risk to organizational operations (including missions, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation” is the description for…

A

Risk Determination

27
Q

What is the last required step before an information system is placed into operation?

A

Explicit acceptance of risk by the authorizing official.

28
Q

The security authorization package contains which of the following documents?

  • Security Assessment Report (SAR), security audit logs and security plan
  • Security Assessment Report (SAR), security plan and Plan of Action and Milestones (POAM)
  • Security Assessment Report (SAR), security audit logs and Plan of Action and Milestones (POAM)
  • security audit logs, security plan and Plan of Action and Milestones (POAM)
A

Security Assessment Report (SAR), security plan and Plan of Action and Milestones (POAM)

29
Q

What role is responsible for implementing security controls in a general support system?

A

Chief Information Security Officer (CISO)

30
Q

Which individual is selected by the Authorizing Official (AO), empowered to make certain decisions, coordinates activities required by the Security Authorization process, and is responsible for preparing authorization decision letters?

A

Authorizing Official Designated Representative

31
Q

When should the information system owner document the information system and authorization boundary description in the Security Plan?

A

After Security Categorization

32
Q

What is the MAIN purpose of the addendum to the final Security Assessment Report (SAR)?

A

Information provided in the addendum is considered by authorizing officials in their risk-based authorization decisions.

33
Q

The Security Control Assessor has finished their assessment of the National Library’s Computer Network and discovered that some controls were not implemented as described in the security plan. There were issues with identification and authentication implementation. Their system security policy states that all new account passwords will be given to the individual directly by the help desk personnel after identity verification. The assessor was given their new system account login and password by the Information System Owner (ISO). What control was NOT properly implemented?

  • AC-3 Access Enforcement
  • IA-5 Authenticator Management
  • PS-2 Position Categorization
  • SC-2 Applications Partitioning
A

IA-5 Authenticator Management

34
Q

A large organization has a documented information security policy that is reviewed and approved by senior officials and is readily available to all organization staff. This information security policy explicitly addresses each of the control families in NIST SP 800-53, Revision 3. The policy also establishes procedures for the management class of security controls. In the information system security plans for each of the organization’s information systems, AC-1 Access Control Policy and Procedures (a technical class security control) must be identified as what type of control?

A

Hybrid

NOTE: This is a poorly worded question… It is hybrid because this question refers to enterprise common controls and system-specific controls.

35
Q

The final, agreed-upon set of security controls is documented with appropriate rationale for the information system in which artifact?

A

The Security Plan

36
Q

Who determines the required level of independence for security control assessors?

A

Authorizing Official (AO)

37
Q

Using the Risk Management Framework (RMF), conducting initial remediation actions on security controls is part of

A

Step 4 - Assess Security Controls

38
Q

The Risk Management Framework (RMF) and the System Development Life Cycle (SDLC)

  • integrate information security into software/system development.
  • are competing methodologies for developing secure software.
  • serve different security requirements and have no relationship.
  • are waterfall methodologies with the RMF preceding the SDLC.
A

Integrate information security into software/system development.

39
Q

In determining risk, what position is responsible for supplying the Executive Risk Committee with assessment information related to a common control?

A

Common Control Provider

40
Q

The identification of common controls is MOST effectively accomplished…

  • as an organization-wide exercise.
  • by the common control provider.
  • by the information system owner.
  • during security control documentation.
A

as an organization-wide exercise.

41
Q

An information system categorized as HIGH has implemented significant technology upgrades. Conducting a security impact analysis of the associated changes is BEST performed during which Risk Management Framework (RMF) step?

  • Step 3 - Implement Security Controls
  • Step 6 - Monitoring Security Controls
  • Step 2 - Select Security Controls
  • Step 1 - Categorize Information Systems
A

Step 6 - Monitoring Security Controls

42
Q

The Security Assessment Plan provides the objectives for the security control assessment, a detailed roadmap of how to conduct such an assessment, and

A

test procedures

43
Q

An information system processes information types that have a potential impact of MODERATE and LOW. One of the information system’s four subsystems processes an information type that has potential impact of HIGH but the subsystem is only accessed by a small group of users with security clearances. What is the appropriate Security Categorization for the entire information system?

A

HIGH

44
Q

The formula shown below is used to express security category. The formula is described in which of the following?

  • OMB Circular A-127 Financial Management System
  • NIST SP 800-55 Performance Measurement Guide for Information Security
  • NISTIR 7358 Program Review for Information Security Management Assistance (PRISMA)
  • FIPS 199 Standards for Security Categorization of Federal Information and Information Systems.
A

FIPS 199 Standards for Security Categorization of Federal Information and Information Systems.

45
Q

Who has primary responsibility for compliance with Risk Management Framework (RMF), Step 6 Monitor Security Controls, Task 6-1: Determine the security impact of proposed or actual changes to the information system and its environment of operation?

A

Information System Owner (ISO) or Common Control Provider.

46
Q

FIPS 199 Standards for Security Categorization of Federal Information and Information Systems defines the potential impact of a security breach based on…

A

data confidentiality, integrity, or availability.

47
Q

Which of the following BEST represents the drivers for determining security status reporting frequency?

  • Organizational financial reporting requirements and System of Record Notice (SORN)
  • Personnel schedules and privacy impact of the system
  • Legal requirements and organization-specific requirements based on risk
  • Federal Information Security Management Act (FISMA) and system maintenance.
A

Legal requirements and organization-specific requirements based on risk

48
Q

Who prepares the plan of action and milestones?

A

Security Control Assessor

49
Q

When referring to the System Development Life Cycle (SDLC), during what phase does the Information System Owner (ISO) assemble the Security Authorization Package?

A

Implementation

50
Q

When making a determination regarding the adequacy of the implementation of inherited controls for their respective systems, an Information System Owner (ISO) can refer to the authorization package prepared by which of the following?

A

Common Control Provider

51
Q

Information system boundaries are established in coordination with the security categorization process and

A

before the development of security plans.

52
Q

Which role is primarily responsible for ongoing risk determination and acceptance?

A

Authorizing Official (AO)

53
Q

Continuous monitoring of security controls to include ongoing remediation actions is defined in the:

A

Risk Management Framework (RMF) Step 6.

54
Q

Who has the primary responsibility to comply with Risk Management Framework (RMF), Step 6 - Monitor Security Controls, Task 6-3: Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones?

A

Information System Owner (ISO) or Common Control Provider

55
Q

The creation of the Security Control Assessment Plan requires supporting materials to be identified to give the Information System Owner (ISO) and their staff time to gather all requested data. Supporting material includes various logs, reports, records showing evidence of security control implementation and…

A

procedures

56
Q

When implementing information system security controls, the Information System Owner (ISO) must ensure consistency with…

A

organizational enterprise architecture and information security architecture.

57
Q

A Chief Information Security Officer (CISO) must build a continuous monitoring program to ensure risk visibility and management. Which option provides the best approach? (Look at Q#57 for choices)

A

Divide the NIST SP 800-53 controls into four groups. One group is controls tested every year or more frequently, with the remaining controls divided into three separate groups over three years. Testing will occur every year and all controls will be tested by the end of the third year. Report risk in accordance with laws and organizational policy to the Authorizing Official (AO) and the risk executive function.

58
Q

An initial remediation action was taken by the information system owner based on findings from the Security Assessment Report (SAR). What is the next appropriate step based on the Risk Management Framework (RMF)?

A

Remedial action taken is sent for review to the Information System Security Officer (ISSO)

59
Q

Several weaknesses or deficiencies in security controls were corrected based on the Security Assessment Report (SAR) and the remediated controls were reassessed for effectiveness. What is the next step?

A

Assessors update the SAR with the findings from the reassessment.

60
Q

An information system categorization has been completed for a federal information system. Which two documents ensure appropriate security requirements and security controls are applied?

A

FIPS 200 and NIST SP 800-53

61
Q

In a multi-tiered organization, Tier 1 deals with the organization, Tier 2 with business processes in the organization, and Tier 3 with day-to-day operations of processes. Information security should be incorporated at which of the following Tiers?

A

All Tiers

62
Q

The Security Control Assessor (SCA) has completed the assessment. What is the next step?

A

Analyze the test results

63
Q

What is the final step in the Risk Management Framework (RMF) Step 4 - Assess Security Controls?

A

Remediation Actions

64
Q

Tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions is performed during which Risk Management Framework (RMF) step?

A

Step 2 - Select Security Controls

65
Q

The Risk Management Framework (RMF) provides a structured process that integrates information security and risk management activities into the…

A

System Development Life Cycle (SDLC)

66
Q

Which of the following control families belongs to the Management class of security controls?

  • Risk Assessment
  • Media Protection
  • Access Control
  • Configuration Management
A

Risk Assessment

67
Q

The criteria for selecting security controls to be monitored post deployment and for determining the frequency of such monitoring are established…

A

before development of the security control monitoring strategy.

68
Q

Which of the following BEST describes the risk executive (function)?

  • The authorization to operate decision based on acceptability of residual risk to an information system.
  • An individual or group within an organization that helps to provide a comprehensive, organization-wide, holistic approach for addressing risk.
  • The process for ensuring that the organization’s risk management approach is comprehensive.
  • The highest-level official or executive within an organization with the overall responsibility to provide information security protections.
A

An individual or group within an organization that helps to provide a comprehensive, organization-wide, holistic approach for addressing risk.

69
Q

How does the Authorizing Official (AO) determine the proper length of an information system’s security authorization?

A

Federal policies and Continuous Monitoring Program

70
Q

What family of security controls below is in the operational class of security controls?

A

System and Information Integrity

71
Q

During a weekly CIO status update, a CAP working for the CIO is informed that a contract for processing medical records is about to end. Which of the following options BEST represents the immediate concerns the CAP should bring to the federal contract manager?

A

The manager of the contract needs to ensure that the contractor has disposed of all the information in accordance with NIST SP 800-88. Independent verification of remnant destruction may be required.