CAP exam study questions
Which of the following is an example of the test assessment method? A. Conducting a vulnerability scan on web applications B. Reading vulnerability scan policies and procedures C. Asking administrators about the scanning process D. Reviewing the most recent scan reports
Conducting a vulnerability scan on web applications
Which of the following is a key step in the overall Contingency planning process? A. Completing the Security Plan (SP) B. Conducting the Business Impact Analysis (BIA) C. Developing the Plan of Action and Milestones (POA&M) D. Completing the security Requirement Traceability Matrix (RTM)
Conducting the Business Impact Analysis (BIA)
James works as an IT systems personnel in SoftTech Inc. He performs the following tasks: Runs regular backups and routine tests of the validity of the backup data. Performs data restoration from the backups whenever required. Maintains the retained records in accordance with the established information classification policy. What is the role played by James in the organization? A. Manager B. Owner C. Custodian D. User
Custodian
The Information Technology (IT) manager is responsible to the Information Officer for the implementation of Role Based Access Control (RBAC) assigned divisional resource. Specifically, the IT manager must facilitate the Identity and Access Management (IAM) for configured assets. Which System Development Life Cycle (SDLC) phase will enable the system security officer to verify accountability and authentication of these implemented safeguards? A. Development/Acquisition B. Planning C. Designing D. Initiation
Development/Acquisition
What is the PRIMARY goal for establishing Information System (IS) boundaries? A. Identify common security controls B. Be cost effective C. Include mitigation for connection to legacy IS D. Be flexible enough to accommodate major changes without re-authorizing the system
Identify common security controls
What activity MUST be completed before the System Owner (SO) considers the minimum security requirement of the system? A. Risk assessment B. Privacy Threshold Analysis (PTA) C. Impact level determination D. Vulnerability scanning
Impact level determination
The assessment effort for effective incident handling MUST include the determination that an organization A. Implements an incident handling capability for security incidents B. Employs automated mechanisms to test the incident handling response capability C. Incorporates simulated events into incident response training D. Tracks and documents system security incidents on a quarterly basis
Implements an incident handling capability for security incidents (this is the base IR-4 requirement; simulated events and automated testing are control enhancements, not mandatory)
Security controls are designed to be technology and implementation A. Independent B. Isolated C. Influenced D. Reliant
Independent
When addressing Configuration Management (CM), why is it MOST important to document the proposed changes? A. It is mandated by the federal Information Security Management Act (FISMA) B. It can affect the overall security and privacy posture of the system C. It is required for authorization to operate D. It will be used across accreditation boundaries
It can affect the overall security and privacy posture of the system
The determination of risk for a particular threat/vulnerability pair include assessment of the A. Probability assigned for each threat likelihood examined during initiation B. Cost of remediating the vulnerability and the value of the data C. Value of confidentiality, availability, or integrity of the system concerned D. Likelihood of a given threat source's attempt to exercise the vulnerability
Likelihood of a given threat source's attempt to exercise the vulnerability
An Information System (IS) has the following Security Categories (SC) for each information type: SC public information = (confidentiality, NA), (integrity, HIGH), (availability, LOW); SC investigation information = (confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE); SC administrative = (confidentiality, NA), (integrity, LOW), (availability, LOW). What is the overall IS security category for confidentiality? A. LOW B. MODERATE C. HIGH D. N/A
MODERATE
The results of the completed control assessments, including recommendations for correcting any weaknesses or deficiencies in the control, are documented in which document? A. Plan of Action and Milestones (POA&M) B. Security and privacy assessment plans C. Risk Assessment Report (RAR) D. Security and privacy assessment reports
Security and privacy assessment reports (the assessor's findings and recommended corrective actions go in the assessment report, not the RAR)
What is essential when documenting the implementation of security controls? A. Security requirement and specification traceability B. Inclusion of threat and vulnerability pairs C. Organizational risk tolerance D. Control threat assessment
Security requirement and specification traceability
The new Authorizing Official (AO) is reviewing all moderate and high systems to determine formal authorization action is needed for any of the systems. Which of the following documents BEST facilities this process? A. The recent Risk Assessment Report (RAR) for each system B. The recent assessment reports for each system C. The recent vulnerability scan for each system D. The recent security status report for each system
The recent security status report for each system (status reports from the Monitor step are what the AO uses to decide whether an authorization remains valid)
Which of the following considerations MUST be taken into account regarding data or media on an Information System (IS) prior to it being decommissioned and removed? A. The records retention requirements for the data B. The type of data compression used on the system or media C. The cost of sanitizing and reuse D. The cost of destroying the system or media
The records retention requirements for the data
What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected? A. The remediated controls are reassessed B. The system is given an Authority to Operate (ATO) C. An assessment report is generated D. The original assessment results are changed
The remediated controls are reassessed
What is a consequence of an authorization boundary that is too expansive? A. Increase the number of systems to be managed B. The risk management is complex C. Inflates the total security costs for the organization D. The Configuration Management is uncontrollable
The risk management is complex
An organization's Information System (IS) is categorized as a high-impact system. The organization's architecture does NOT support wireless connectivity. The initial security control baseline requires the organization to implement AC-18: wireless access. What process can the organization implement to eliminate this unnecessary control? A. Baseline and tailoring B. Tailoring and scoping C. Compensating controls D. Baseline and scoping
Tailoring and scoping (the technology-related scoping consideration removes baseline controls that address technology the system does not use)
When documenting how system-specific and hybrid security controls are implemented, an organization takes into account A. Industry best practices B. Accepted management and technical controls C. Future hardware and software requirements D. Specific technologies and platform dependencies
Specific technologies and platform dependencies
The Least Privilege security control is a member of which control family? A. Access Control B. System and Information Integrity C. Audit and Accountability D. Identification and Authentication
Access Control
In order to receive an Authorization to Operate (ATO), the Plan of Action and Milestones (POA&M) MUST A. Be implemented within 90 days B. Have all vulnerabilities mitigated C. Be implemented after the ATO is granted D. Address the remaining vulnerabilities
Address the remaining vulnerabilities
In determining residual risk, an organization considers impact on which of the following? A. System budget and personnel B. Operations, assets, and individual C. System maintenance and Disaster Recovery (DR) D. Administrative, technical, and operational functions
Operations, assets, and individuals
A Security Control Assessment (SCA) was completed over two years ago, but the surrounding environment has changed. What, if anything, should the assessment team do with the previous results? A. Assessment only those controls that have changed B. Designed since the results are too old C. Assess all controls for the system D. Determine changes and impacts
Determine changes and impacts (prior results can be reused only after the team establishes what has changed and how those changes affect the controls)
When monitoring controls, changes to the system should be A. Documented in the Security Plan (SP) B. Assessed for the information security and privacy impact C. Documented in the Plan of Action and Milestones (POA&M) D. Implemented once approved by the System Owner (SO)
Assessed for the information security and privacy impact
Which of the following cannot be delegated by the Authorizing Official (AO)? A. Certificate resources B. Authorization decision C. Acceptance of Security Plan (SP) D. Determination of risk to agency operations
Authorization Decision
The process of uniquely assigning information resources to an Information System (IS) defines the A. Overall security management program B. Authorization boundary C. Rules of engagement D. Acceptable risk
Authorization boundary
Who is responsible for accepting the risk when a system undergoes a significant change? A. Information System Security Officer (ISSO) B. System Owner C. Risk executive (function) D. Authorizing Official (AO)
Authorizing Official (AO)
Who has the authority to divide a complex system in order to establish realistic security authorization boundaries? A. Authorizing Official (AO) and Information System Security Officer (ISSO) B. Authorizing Official (AO) and Senior Information Security Officer (SISO) C. Security Control Assessor (SCA) and risk executive D. Security Control Assessor (SCA) and Information System Security Officer (ISSO)
Authorizing Official (AO) and Senior Information Security Officer (SISO)
Security Content Automation Protocol (SCAP) is a method for which of the following? A. Automating the documentation of security controls B. Facilitating interconnected system to communicate regarding security control operational effectiveness C. Using specific standards to enable automated policy compliance evaluation D. Automating the review of the SecurityPlan(SP)
Using specific standards to enable automated policy compliance evaluation
Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process? A. Senior Agency Information Security Officer B. Authorizing Official C. Common Control Provider D. Chief Information Officer
Common Control Provider
Which role does a System Owner (SO) coordinate inherited controls implementation with? A. Common Control Provider (CCP) B. System security officer C. Authorizing Official (AO) D. Authorizing Official Designated Representative (AODR)
Common Control Provider (CCP)
If an assessment of a common control determines that it is not effective, what documentation is required? A. Letter describing findings sent to system owners using the common control B. Security Plan (SP) addendum for each system using the common control C. Plan of Action and Milestones (POA&M) D. Continuous monitoring plan
Plan of Action and Milestones (POA&M)
Which of the following documents tracks an Information System's (IS) remediation actions? A. Security Plan (SP) B. Plan of Action and Milestones (POA&M) C. Assessment report D. Continuity of Operations Plan (COOP)
Plan of Action and Milestones (POA&M)
What document is based on the findings and recommendations of the assessment report? A. Security Test Plan (STP) B. Plan of Action and Milestones (POA&M) C. Security and Privacy Plans D. Configuration Management Plan (CMP)
Plan of Action and Milestones (POA&M)
Which of the following includes the resource required for mitigation? A. Corrective Action Plan B. Mitigation plan C. Monitoring strategy D. Plan of Action and Milestones (POA&M)
Plan of Action and Milestones (POA&M)
Which organizational reference can an Information Systems Security Officer (ISSO) use to help prioritize the remediation of a vulnerability found during a weekly vulnerability scan? A. Risk Assessment (RA) B. Risk Management Strategy C. Assessment report D. Plan of Action and Milestones (POA&M)
Risk Management Strategy (the organization-level strategy sets how findings are prioritized; the POA&M is a system-level tracking document)
What should be included in a functional description of security control implementation? A. Planned inputs, expected behavior, and expected outputs B. Owner, process, and procedure C. Controls metrics and monitoring plan D. Planned metrics, expected behavior, and monitoring description
Planned inputs, expected behavior, and expected outputs
Which of the following phases is identified as one of the four Incident Response (IR) phases? A. Initiation Phase B. Reconstitution Phase C. Preparation Phase D. Activation Phase
Preparation Phase
The potential impact value "not applicable" applies to which of the following security objectives A. Confidentiality B. Availability C. Integrity D. Non-repudiation
Confidentiality
What is a KEY consideration when selecting a media sanitization method of destruction tool when decommissioning an Information System (IS)? A. Accountability B. Confidentiality C. Availability D. Integrity
Confidentiality
What are the steps of a risk assessment? A. Prepare, Conduct, Communicate, Maintain B. Prepare, Conduct, Communicate C. Prepare, Communicate, Conduct D. Prepare, Communicate, Maintain, Conduct
Prepare, Conduct, Communicate, Maintain
Which of the following BEST determines the level of details required when describing the Information System (IS)? A. Proportionate to the system categorization level B. Dependent on the complexity of the system C. Commensurate with the size of the user community D. Based on the Cost-Benefit Analysis (CBA)
Proportionate to the system categorization level
The Authorizing Official may accept authorization recommendations based on A. Residual risks of similar system B. Impact to mission personnel C. Impact of environmental factors D. Residual risk of the specific systems
Residual risk of the specific systems
Which of the following documents provides a function description of the Information System (IS) control implementation? A. Security and Privacy assessment reports B. Security and Privacy Plans C. Plans of Action and Milestones (POA&M) D. Risk Assessment Report
Security and Privacy Plans
Where will an Authorizing Official (AO) find implementation details for a control? A. Plan of Action and Milestones (POA&M) B. Security and Privacy Plans C. Continuous monitoring strategy D. Risk Assessment Report (RAR)
Security and Privacy Plans
Which process guides the selection of security controls to ensure adequate security commensurate with the risk of the organization? A. Risk assessment B. Security categorization C. Vulnerability assessment D. Privacy Impact Assessment (PIA)
Security categorization (FIPS 199 categorization drives the FIPS 200 / SP 800-53 baseline selection)
A key part of the risk decision process is the recognition that, regardless of the risk response there typically remains a degree of residual risk. On what basis does an organization determine the acceptable degrees of residual risk? A. Risk avoidance B. Risk mitigation C. Risk tolerance D. Risk transfer
Risk tolerance
Which of the following documents is updated when a vulnerability is discovered during continuous monitoring? A. Plan of Action and Milestones (POA&M) B. Business Impact Analysis (BIA) C. Security Assessment Report (SAR) D. Incident Response Plan (IRP)
Plan of Action and Milestones (POA&M)
Overlays can be implemented as part of control tailoring after the completion of what process? A. Privacy Impact Assessment (PIA) B. Security Categorization C. Risk Assessment D. Contingency Plan (CP)
Security Categorization
The security category of information 1 is determined to be:Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, LOW) And the security category of information 2 is determined to be:Security Category Information type = (Confidentiality, LOW), (integrity, LOW), (availability, HIGH) What is the security category for the Information System (IS) A. Security Category Information type = (Confidentiality, LOW), (integrity, LOW), (availability, MODERATE) B. Security Category Information type = (Confidentiality, LOW), (integrity, MODERATE), (availability, HIGH) C. Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, LOW), (availability, MODERATE) D. Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, HIGH)
Security Category Information type = (Confidentiality, LOW), (integrity, MODERATE), (availability, HIGH)
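The two categorization questions above are both the FIPS 199 high-water-mark rule: for each security objective take the highest impact value across all information types on the system. The following Python is an added worked example, not part of the original study set; the function and type names are my own. It also applies the FIPS 199 rule that "not applicable" is permitted only for the confidentiality of an individual information type, and that the system-level value for every objective is never below LOW.

```python
from enum import IntEnum
from typing import Iterable, Tuple

# Ordered so that max() gives the high-water mark (FIPS 199).
class Impact(IntEnum):
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

# (confidentiality, integrity, availability) for one information type
SecurityCategory = Tuple[Impact, Impact, Impact]


def parse_impact(value: str) -> Impact:
    """Accept the spellings used on exam questions: NA, N/A, NOT APPLICABLE, LOW..."""
    key = value.strip().upper()
    if key in ("N/A", "NOT APPLICABLE"):
        key = "NA"
    return Impact[key]


def info_type_category(conf: str, integ: str, avail: str) -> SecurityCategory:
    """Build the category for one information type, enforcing the FIPS 199
    rule that NA may only be assigned to confidentiality."""
    c, i, a = parse_impact(conf), parse_impact(integ), parse_impact(avail)
    if i == Impact.NA or a == Impact.NA:
        raise ValueError("NA is only permitted for the confidentiality objective")
    return (c, i, a)


def system_category(info_types: Iterable[SecurityCategory]) -> Tuple[str, str, str]:
    """High-water mark across all information types on the system.

    FIPS 199 does not allow NA at the system level (system-level processing
    and control information always needs at least LOW protection), so each
    objective is floored to LOW after taking the maximum.
    """
    cats = list(info_types)
    if not cats:
        raise ValueError("a system must contain at least one information type")
    marks = []
    for objective in range(3):
        high_water = max(cat[objective] for cat in cats)
        marks.append(max(high_water, Impact.LOW))
    return tuple(m.name for m in marks)  # type: ignore[return-value]


if __name__ == "__main__":
    # The three information types from the confidentiality question (constructed from the page).
    three_types = [
        info_type_category("NA", "HIGH", "LOW"),            # public information
        info_type_category("MODERATE", "HIGH", "MODERATE"), # investigation information
        info_type_category("NA", "LOW", "LOW"),             # administrative
    ]
    print(system_category(three_types))  # confidentiality resolves to MODERATE

    # The two information types from the full-category question.
    two_types = [
        info_type_category("NOT APPLICABLE", "MODERATE", "LOW"),
        info_type_category("LOW", "LOW", "HIGH"),
    ]
    print(system_category(two_types))  # (LOW, MODERATE, HIGH)
```

Note the difference between the per-type answer and the system answer: a question that asks for the overall IS confidentiality when every information type is NA still resolves to LOW, because the NA value exists only at the information-type level.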
Which of the following is the principal vehicle used to verify that Information Systems (IS) are meeting their stated security goals and objectives? A. Security Plan (SP) B. Risk assessment C. Security Control Assessment (SCA) D. Requirements Traceability Matrix (RTM)
Security Control Assessment (SCA)
What is used by System Owners (SO) to establish a disciplined and structured process to monitor the residual risk in the Information System (IS)? A. Security and privacy assessment reports B. Security and privacy assessment plans C. Plan of Action and Milestones (POA&M) D. Security Plan (SP)
Security Plan(SP)
Which document in support of the authorization package defines the well-defined set of security and privacy controls? A. Security Plan (SP) B. Initial risk assessment C. Security and privacy assessment reports D. Plan of Action and Milestones (POA&M)
Security Plan(SP)
What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy? A. Create expedited assessment process for cost savings B. Maintain visibility of an organization's high-cost controls C. Support organization risk management decisions D. Assess the organizational tiers
Support organization risk management decisions
In the security and privacy assessment reports, the control assessor identified some weaknesses and proposed initial remediation actions. Based on the identified weaknesses, it is determined that certain findings are inconsequential and present no threat to the organization. Who is PRIMARILY responsible for determining the initial risk response? A. System Owner (SO) B. System Security Officer C. Authorizing Official (AO) D. Risk executive (function)
System Owner (SO)
Besides the System Owner (SO), what role has the PRIMARY responsibility for implementing the security controls into the security and privacy plans for the Information Systems (IS?) A. System Security Officer B. System administrator C. Common Control Provider (CCP) D. Information Owner
Common Control Provider (CCP) (the CCP implements and documents the common controls the system inherits; the security officer supports but does not own implementation)
Organization A has merged with another similar organization, organization B, and has expanded the data center operations to include Information Technology (IT) assets from both locations. What is the BEST reason for requiring an updated risk assessments? A. System Owner has changed B. System authorization boundary has changed C. System technical requirements has changed D. System regulatory and legal requirements has changed
System authorization boundary has changed
Which process follows the selection of the initial baseline security controls? A. Tailoring the baseline requirements B. Determining the overall impact to the baseline C. Performing an assessment of organization risk D. Reviewing the consistency of the baseline requirements
Tailoring the baseline requirements
What are the classifications of the system level security controls? A. Technical ,operational ,and mechanical B. Training, organizational, and mechanical C. Technical ,operational, and management D. Technical, organization, and management
Technical, operational, and management
Organizations consider which of the following factors when selecting security or privacy control assessors? A. Technical expertise and level of independence B. System knowledge C. Technical expertise and relevant certifications D. Assessor certification
Technical expertise and level of independence
The Authorizing Official (AO) issues an Authorization decision for an information system after A. Deciding whether or not the risk is acceptable B. Completing the risk analysis C. Updating the Security Plan(SP) D. Documenting the control assessment results
Deciding whether or not the risk is acceptable
Which of the following is the BEST approach to authorizing operations of complex systems? A. Assuring the system works both in a secure and functional manner B. Decomposing and authorizing the system into multiple subsystems C. Documenting the decomposition of the information in the Security Plan (SP) D. Decomposing the system into smaller subsystems and authorizing them as a single system
Decomposing the system into smaller subsystems and authorizing them as a single system
Residual risk can be categorized as risk A. That exists before the implementation of security controls B. That exists after the implementation of security controls C. Introduced by the implementation of security controls D. Introduced by implementing security controls
That exists after the implementation of security controls
What is included in the Plan of Action and Milestones (POA&M) that is presented to the Authorizing Official (AO) as part of the initial authorization package? A. All items identified throughout the Risk Management Framework (RMF) process B. Only volatile findings that require prioritization in remediation C. Deficiencies that have not yet been remediated and verified throughout the Risk Management Framework (RMF) process D. Only findings that have been evaluated as moderate or high
Deficiencies that have not yet been remediated and verified throughout the Risk Management Framework (RMF) process
Which process must be conducted during security categorization? A. Define information types B. Define baseline security controls C. Determine risk level D. Determine likelihood of impact
Define information types
The Authorization boundary of a system undergoing assessment includes A. The Information System (IS) components to be authorized for operation B. The Information (IS) components to be authorized for operation and any outside system it connects to C. Any components or systems the Information Owner (IO) states should be included in the assessment D. Any components found within the given Internet Protocol (IP) range
The Information System(IS) components to be authorized for operation
Which of the following MUST be done when a federal Information System (IS) is removed from service? A. A comprehensive control assessment is conducted for the environment B. The Plan of Action and Milestones (POA&M) is updated to reflect the removal C. Organizational documentation is updated to reflect the system's removal D. An updated authorization memo is signed by the Authorizing Official (AO)
Organizational documentation is updated to reflect the system's removal (system disposal removes the system from the inventory and updates the security and privacy plans; the POA&M is not the record of disposal)
Certification & Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment? A. Definition, Validation, Verification, and Post Accreditation B. Verification, Definition, Validation, and Post Accreditation C. Verification, Validation, Definition, and Post Accreditation D. Definition, Verification, Validation, and Post Accreditation
Definition, Verification, Validation, and Post Accreditation
For a new system, the controls are selected and the security and privacy plans are written during which System Development Life Cycle (SDLC) phase? A. Development/Acquisition B. Initiation C. Operation/Maintenance D. Implementation/Assessment
Development/Acquisition
Common controls protecting multiple organizational Information Systems (IS) of different levels are implemented at the which impact level? A. The "HIGH" impact level B. The highest impact level C. The average impact level D. The most common impact level
The highest impact level
When a security control selected for a system cannot be applied, A. The security control list is deleted B. A compensating control is implemented C. A less restrictive security control is employed D. The security control is marked as non-applicable
A compensating control is implemented (a baseline control that cannot be applied is replaced by a compensating control providing equivalent protection; it is not simply dropped)
The organizational and system monitoring strategies identifies A. The security controls to be monitored, the frequency of monitoring, and the weakness mitigation strategy B. The volatility of specific security controls, the frequency of monitoring, and the vulnerability scanning approach C. The security controls to be monitored, the frequency of monitoring, and the control assessment approach D. The security documentation to be updated, the frequency of updates, and the approval Process
The security controls to be monitored, the frequency of monitoring, and the control assessment approach
Security controls that are shared throughout an organization's enterprise require A. Approval by the system owner. B. Shared security controls costs across agencies' system owners. C. Accept from the Information System Security Officer (ISSO). D. Documenting in a security plan by the Common Control Provider (CCP).
Documenting in a security plan by the Common Control Provider(CCP).
An organization is developing a risk assessment for a newly installed Information System (IS) to determine the best configuration or a supporting Information Technology (IT) product. Which of the following specific factors is often overlooked in this analysis? A. Exposure of interconnections to organizational core mission functions B. Effectiveness of inherited security controls C. Cost benefits that can be gained from a broad-based security implementation D. Implementation of stove-piped activities that enhance security solutions
Effectiveness of inherited security controls
In establishing the rules of behavior for a system, which of the following is necessary? A. For a user to have system access before reviewing the rules B. Ensuring that users submit a formal acknowledgement of the rules C. That testing is conducted in order to validate the rules D. Ensuring that all applicable controls are detailed within the rules
Ensuring that users submit a formal acknowledgement of the rules
Which of the following assessment methodologies defines a six-step technical security evaluation? A. FITSAF B. FIPS 102 C. OCTAVE D. DITSCAP
FIPS 102
An organization-wide approach to identifying common controls early in the Risk Management Framework (RMF) process does which of the following? A. Considers system-specific controls before assigning common controls B. Allows each Information System Owner (ISO) to accept only those common controls that are mission-critical C. Facilitates a more global strategy for assessing those controls and sharing essential assessment results D. Encourages Information System Owners and Authorizing Officials (AO) to complete their initial Security Plan (SP) prior to control assignment
Facilitates a more global strategy for assessing those controls and sharing essential assessment results
Which of the following is TRUE when applying the Risk Management Framework (RMF) steps and associated tasks to existing systems? A. This can be omitted in order to expedite the assessment B. This can be waived by the System Owner (SO) C. This can be carried out only by internal sources D. This can be viewed as a gap analysis
This can be viewed as a gap analysis
When determining the likelihood of a threat-source exploiting a system vulnerability, one MUST consider which of the following? A. Vulnerability's root-level access ,threat motivation, and system security control effectiveness B. Organization's mission impact, system security control effectiveness ,and threat's capability C. Threat's capability, system security control effectiveness, and threat motivation D. Organization's readiness, mission impact, and system security control effectiveness
Threat's capability, system security control effectiveness, and threat motivation
What factor MUST be analyzed during risk determination activities? A. Threats, impacts, vulnerabilities, likelihood of occurrence, and predisposing conditions B. Threats, impacts, vulnerabilities, risk assessment results, and predisposing conditions C. Threats, impacts, vulnerabilities, likelihood of occurrence, and compliance verification D. Threats, impacts, vulnerabilities, risk assessment results, and compliance verification
Threats, impacts ,vulnerabilities, likelihood of occurrence, and predisposing conditions
Which of the following BEST describes a government-wide standard for security Assessment and Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for federal agencies and Cloud Service Providers (CSP)? A. Federal Risk and Authorization Management Program (FedRAMP) B. National Institute of Standards and Technology (NIST) C. Federal Information Technology Acquisition Reform Act (FITARA) D. National Cyber Security Program (NCSP)
Federal Risk and Authorization Management Program(FedRAMP)
Configuring an Information System (IS) to prohibit the use of unused ports and protocols A. Helps provide least privilege B. Helps provide least functionality C. Streamlines the functionality of the system D. Violates configuration management best practice
Helps provide least functionality
At which point in the Risk Management Framework (RMF) process is a system analyzed for changes that impact the security and privacy posture of the system? A. Implement B. Assess C. Select D. Monitor
Monitor (change analysis for security and privacy impact is a Monitor step task)
If the protection offered by a common control proves to be unacceptable or insufficient, how would the problem be corrected? A. Revise the control to make it system specific B. Perform a second vulnerability scan C. Implement supplementary controls D. Inform the Common Control Provider (CCP)
Implement supplementary controls
Which of the following roles within the organization is responsible for clearly defining the impact level of the information the system processes? A. Risk executive (function) B. Information Owner (IO) C. Authorizing Official (AO) D. System security officer
Information Owner(IO)
Which role has the PRIMARY responsibility for the documentation of control implementation? A. Systems security engineer B. Control assessor C. Information System Owner (ISO) D. Information Owner/Steward
Information System Owner (ISO) (the system owner, or the common control provider for inherited controls, documents control implementation in the security and privacy plans)
Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process? A. Information System Owner B. Authorizing Official C. Chief Risk Officer D. Chief Information Officer (CIO)
Information System Owner
Common security controls are those that apply to one or more of which of the following? A. Organizational security families B. Organizational Information system (IS) C. Information security classes D. Information data categories
Organizational Information Systems (IS)
Which of the following triggers a Security Plan (SP) update? A. A vulnerability scan run against a system B. Inspector general's Security Assessment Report (SAR) C. Change in Information System Owner (ISO) D. Leave of absence of Authorizing Official (AO)
Change in Information System Owner (ISO) (a change of system owner, authorizing official, architecture or interconnections triggers a plan update; scan results and audit findings go to the POA&M)
A System Owner (SO) is implementing a new system with their existing organization Information Technology (IT) environment. What objectives are considered when determining possible impact to risk? A. Low, Moderate, and High B. Authentication, Authorization, and Accountability C. Common, Hybrid, and System-Specific D. Integrity, Confidentiality, and Availability
Integrity, Confidentiality, and Availability
What is the MOST important reason for developing a continuous monitoring strategy? A. To maintain an up-to-date Configuration Management Plan B. To conduct a point-in-time assessment to demonstrate due diligence and compliance C. To determine if the deployed security controls continue to be effective over time D. To validate an Interconnection Service Agreement (ISA)
To determine if the deployed security controls continue to be effective over time
***Which of the following BEST defines the purpose of the security assessment? A. To determine if the remaining known vulnerability pose an acceptable level of risk B. To determined the extent to which the security controls are implemented correctly and operating as intended** C. To perform oversight and monitor the security controls in the Information System (IS) D. To perform initial risk estimate and security categorization of the Information System (IS)
To determine if the remaining known vulnerabilities pose an acceptable level of risk
Subsystems are considered part of a larger system provided that they are A. Within the same physical network segment B. Certified by the same Security Control Assessor (SCA) C. Certified within six months of one another D. Under the same higher management authority
Under the same higher management authority
What is the likelihood that security controls with a low level of volatility will change? A. Likely to change from year to year B. Unlikely to change from year to year C. Likely to change during system upgrades D. Unlikely to change during system upgrades
Unlikely to change from year to year
As part of an annual Federal Information Security Management Act (FISMA) compliance audit, the inspector general's security program review has identified vulnerabilities in an Information System (IS) in an operational division. Which of the following activities is MOST likely to occur? A. Update the Plan of Action and Milestones (POA&M) B. Perform additional security scans of systems C. Update the Security Plan (SP) immediately D. Revoke the Authorization to Operate (ATO)
Update the Plan of Action and Milestones (POA&M)
Which security control baseline does not require an independent assessment of security controls, as part of continuous monitoring? A. High B. Low C. Moderate D. Critical
Low
An Information System (IS) is registered with appropriate program/management offices in order to A. Manage and track the system B. Determine security categorization C. Set security authorization boundaries D. Initiate the risk management process
Manage and track the system
***Which of the following is the mutual agreement among participating organizations to accept one another's security assessments in order to reuse system resources or to accept each other's assessed security posture in order to share information? A. Memorandum of Understanding (MOU) B. Memorandum of Agreement (MOA) C. Reciprocity** D. Reuse
Memorandum of Agreement (MOA)
When implementing a control on wireless access, the organization MUST do which of the following? A. Monitor for unauthorized access B. Prevent Denial of Service (DoS) conditions C. Not broadcast the Service Set Identifier (SSID) D. Increase monitoring for non-wireless networks
Monitor for unauthorized access
What is considered when establishing a system authorization boundary? A. Direct management control B. Cost of security authorization C. Network topography and complexity D. Interconnection Security Agreement (ISA)
Network topography and complexity
The Chief Information Officer (CIO) is establishing a policy of monthly assessment for access controls. What is the BEST corresponding action the system security officer should complete? A. Update the Security Plan (SP) with the CIO's monitoring criteria B. Advise the System Owner (SO) of the CIO's recommendation C. Ignore the CIO's direction because they are inconsistent with Federal Information Processing Standard (FIPS) 199 standards D. Update the Plan of Action and Milestones (POA&M) with the CIO's direction
Update the Security Plan (SP) with the CIO's monitoring criteria
When a system contains Personally Identifiable Information (PII), what additional action MUST be performed related to the specific system? A. Perform a Privacy Impact Assessment (PIA) B. Develop design documents C. Perform vulnerability scan of the hardware D. Send out a Notice of Privacy Practices (NPP)
Perform a Privacy Impact Assessment (PIA)
One of the primary goals in conducting analysis of the test results from a scan during Security Control Assessment (SCA) is to A. Identify false negative findings B. Categorize vulnerabilities C. Determine threats to the system D. Validate the system boundaries
Categorize vulnerabilities
What does a finding of "other than satisfied" reflect in an assessment report? A. An Information Security incident has occurred B. Information types should be reevaluated C. A lack of specified protection D. The contingency plan must be revised
A lack of specified protection
While conducting an internal control review of a high impact system's technical controls, the Information System Security Officer (ISSO) notes that the system's audit logs are collecting only user login time. This is a violation of which of the following? A. Audit reduction and report generation B. Audit monitoring and reporting C. Processing of audit logs D. Content of audit records
Audit monitoring and reporting
What consideration leads to a less frequent assessment and monitoring activity? A. Volatile security controls B. High-impact level systems C. High organizational risk tolerance D. Risks in the control assessment
High organizational risk tolerance
An effective continuous monitoring strategy includes which of the following? A. Implementation of the United States Government Configuration Baseline (USGCB) B. Adherence to the organization's approved enterprise architecture C. Documenting the functional security baseline configuration D. Reporting of security and privacy posture to organizational officials
Reporting of security and privacy posture to organizational officials
The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply. A. An ISSE provides advice on the impacts of system changes. B. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A) C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A) D. An ISSO takes part in the development activities that are required to implement system changes. E. An ISSE provides advice on the continuous monitoring of the information system.
A. An ISSE provides advice on the impacts of system changes. C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A) E. An ISSE provides advice on the continuous monitoring of the information system.
System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of the System Authorization Plan? Each correct answer represents a part of the solution. Choose all that apply. A. Post-Authorization B. Pre-certification C. Post-certification D. Certification E. Authorization
A. Post-Authorization B. Pre-certification D. Certification E. Authorization
The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer? Each correct answer represents a complete solution. Choose all that apply. A. Preserving high-level communications and working group relationships in an organization B. Facilitating the sharing of security risk-related information about authorizing officials C. Establishing effective continuous monitoring program for the organization D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan
A. Preserving high-level communications and working group relationships in an organization C. Establishing effective continuous monitoring program for the organization D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan
The PRIMARY benefit of documenting the control implementation is that it A. Protects the Information Owner/Steward B. Allows traceability of deployment decisions taken C. Supports the Plan of Action and Milestones (POA&M) D. Demonstrates the use of sound information system methodologies
Allows traceability of deployment decisions taken
When determining the level of acceptable risk associated with the operation of an Information System (IS), an organization shall give A. Appropriate weight to mission and security requirements B. Greater weight to mission requirements than security requirements C. Appropriate weight to system performance and security requirements D. Greater weight to security requirements than performance requirements
Appropriate weight to mission and security requirements
DIACAP applies to the acquisition, operation, and sustainment of a DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP? Each answer represents a complete solution. Choose all that apply. A. Accreditation B. Identification C. System Definition D. Verification E. Validation F. Re-Accreditation
C. System Definition D. Verification E. Validation F. Re-Accreditation
From an organizational viewpoint, what effect does the designation of some security controls as common controls have? A. It is difficult for developers to build in security controls for individual applications B. Costs are increased in the Security Assessment and Authorization (A&A) activities C. Depth of analysis required is increased during the security Assessment and Authorization (A&A) D. Consistent application of security across the organization is enabled
Consistent application of security across the organization is enabled
When implementing the organizational disposal process, what factors are considered when making a final decision about sanitization of media? A. Cost versus benefit B. Function versus security C. Availability versus integrity D. Accountability versus authentication
Cost versus benefit
Which of the following are acceptable assessment methods for a control assessment? A. Examine, interview, and test B. Research, test, and interview C. Interview, examine, and measure D. Research, test, and validate
Examine, interview, and test
An organization should consider which elements when selecting an assessment team? A. Expertise and cost B. Schedule and independence C. Schedule and cost D. Expertise and independence
Expertise and independence
Which of the following BEST describes the objective of the Security Assessment Plan (SAP)? A. It provides a detailed roadmap for how to conduct the assessment. B. It provides an assessment process for the integration of software and hardware C. It describes how to verify the change control and Configuration Management (CM) practices. D. It ensures that changes made during system development are included in security assessments.
It provides a detailed roadmap for how to conduct the assessment.
FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented? A. Level 4 B. Level 1 C. Level 3 D. Level 5 E. Level 2
Level 3
The compliance schedules for National Institutes of Standards and Technology (NIST) security standards and guidelines are established by the A. Agency implementing them, as they apply to new systems B. Secretary of Commerce when the documents are finalized C. Office of Management and Budget (OMB) in policies, directives, or memoranda D. Joint Task Force Transformation Initiative Interagency Working Group when the documents are issued
Office of Management and Budget (OMB) in policies, directives, or memoranda
When should a Plan of Action and Milestones (POA&M) be updated? A. When time permits B. On an ongoing basis C. When the budget allows it D. After the Security Plan (SP) is updated
On an ongoing basis
During which phase of the System Development Life Cycle (SDLC) of an existing system does the system owner conduct remediation action based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the Plan of Action and Milestones (POA&M)? A. Operational Maintenance B. Implementation C. Development/Acquisition D. Integration
Operational Maintenance
The organization has implemented a project to move the physical servers to virtual machines (VM) over the next year. Which risk perspective addresses this project? A. Mission and business B. Organization-wide C. Information system (IS) D. Enterprise-wide
Organization-wide
The baseline configuration of an information system should be consistent with the A. Enterprise architecture B. Original design specification C. Disaster Recovery (DR) procedures D. Security authorization Process
Original design specification
All Federal agencies are required by law to conduct which of the following activities? A. Protect Information Systems (IS) used or operated by a contractor of an agency or other organization on behalf of an agency B. Coordinate with the National Institutes of Standards and Technologies (NIST) to develop binding operational directives C. Report the effectiveness of information security policies and practices to the Office of Personnel Management (OPM) D. Monitor the implementation of information security policies and practices of other agencies to ensure compliance
Protect Information Systems (IS) used or operated by a contractor of an agency or other organization on behalf of an agency
What is a key component of the initial security and privacy assessment reports? A. Optional addendum B. Information System (IS) description C. Security and privacy assessment plans D. Recommendations
Recommendations
The final Security Assessment Report (SAR) should contain which of the following? A. Determination of the residual risk B. Security Control Assessment (SCA) plan C. System Security Plan (SSP) and Concept of Operations (CONOPS) D. Recommendations for correcting deficiencies
Recommendations for correcting deficiencies
Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use? A. Mandatory Access Control B. Role-Based Access Control C. Discretionary Access Control D. Policy Access Control
Role-Based Access Control
During the assessment of a new system, the System Owner (SO) mentioned that if unauthorized modification or destruction of medical information in the system occurred, it could result in potential loss of life because the system is the authoritative source of information about patient healthcare records including current and previous medications and ongoing medical procedures. Which of the following is the BEST Security categorization (SC) for the information type? A. SC medical information = (confidentiality, MODERATE), (integrity, LOW), (availability, LOW) B. SC medical information = (confidentiality, MODERATE), (integrity, MODERATE), (availability, MODERATE) C. SC medical information = (confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH) D. SC medical information = (confidentiality, MODERATE), (integrity, MODERATE), (availability, HIGH)
SC medical information = (confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)
Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems? A. FITSAF B. FIPS C. TCSEC D. SSAA
SSAA
What can an organization choose to eliminate the authorization termination date? A. The authorization termination date can never be eliminated B. A continuous monitoring plan is approved by the Risk executive (function) C. Risk acceptance activities are performed by the Information System Security Officer (ISSO) so that the effectiveness of common controls is inherited periodically D. The continuous monitoring program is sufficiently robust to provide the Authorizing Official (AO) with the needed information to conduct risk determination.
The continuous monitoring program is sufficiently robust to provide the Authorizing Official (AO) with the needed information to conduct risk determination.
Regardless of the task ordering, what is the last step before an Information System (IS) is placed into operation? A. Report the security status of the IS to the Authorizing Official (AO) B. Review the reported security status of the IS C. Update the Security Plan (SP) and the assessment report D. The explicit acceptance of risk by the Authorizing Official (AO)
The explicit acceptance of risk by the Authorizing Official (AO)
***The functional description of the control implementation includes A. The control description, effectiveness, and Plan of Action and Milestones (POA&M) B. Planned inputs, expected behavior, and expected outputs** C. A detailed description of the effectiveness of the control D. The operational parameters of the control
The operational parameters of the control
A minor application is being added to an existing accredited distributed system. This application does not require any additional security functionality other than that provided by the distributed system. Which of the following actions is taken? A. The owner of the distributed system is responsible for the new application, and adds it to the existing distributed system Security Plan (SP) B. The owner of the distributed system needs to create a separate Security Plan (SP) and reference the distributed system Security Plan (SP) C. The owner of the new application needs to create an addendum/ application to the distributed system Security Plan (SP) detailing the necessary additional security mechanisms for the new application D. The owner of the new application is responsible for updating the distributed system Security Plan (SP) with the new application information
The owner of the distributed system is responsible for the new application, and adds it to the existing distributed system Security Plan (SP)
Which of the following is an essential element when an organization updates its authorization package documents? A. Version control B. Technical control C. Administrative control D. Operational control
Version control
***When making determinations regarding the adequacy of common controls for their respective systems, Information System Owners (ISO) refer to the Common Control Providers' (CCP) A. Privacy Impact Assessment (PIA) B. Business Impact Analysis (BIA) C. Authorization Packages** D. Vulnerability Scans
Vulnerability Scans