CAP exam study questions

Ace your homework & exams now with Quizwiz!

Which of the following is an example of the test assessment method? A. Conducting a vulnerability scan on web applications B. Reading vulnerability scan policies and procedures C. Asking administrators about the scanning process D. Reviewing the most recent scan reports

Conducting avulnerability scan on web applications

Which of the following is a key step in the overall Contingency planning process? A. Completing the Security Plan (SP) B. Conducting the Business Impact Analysis (BIA) C. Developing the Plan of Action and Milestones (POA&M) D. Completing the security Requirement Traceability Matrix (RTM)

Conducting the Business Impact Analysis(BIA)

James works as an IT systems personnel in SoftTech Inc. He performs the following tasks: Runs regular backups and routine tests of the validity of the backup data. Performs data restoration from the backups whenever required. Maintains the retained records in accordance with the established information classification policy. What is the role played by James in the organization? A. Manager B. Owner C. Custodian D. User

Custodian

The Information Technology (IT) manager is responsible to the Information Officer for the implementation of Role Based Access Control (RBAC) assigned divisional resource. Specifically, the IT manager must facilitate the Identity and Access Management (IAM) for configured assets. Which System Development Life Cycle (SDLC) phase will enable the system security officer to verify accountability and authentication of these implemented safeguards? A. Development/Acquisition B. Planning C. Designing D. Initiation

Development/Acquisition

114. What is the PRIMARY goal for establishing Information System (IS) boundaries? A. Identify common security controls B. Be cost effective C. Include mitigation for connection to legacy IS D. Be flexible enough to accommodate major changes without re-authorizing the system

Identify common security controls

What activity MUST be completed before the System Owner (SO) considers the minimum security requirement of the system? A. Risk assessment B. Privacy Threshold Analysis (PTA) C. Impact level determination D. Vulnerability scanning

Impact level determination

The assessment effort for effective incident handling MUST include the determination that an organization A. Implements an incident handling capability for security incidents B. Employs automated mechanisms to test the incident handling response capability C. Incorporates simulated events into incident response training D. Tracks and documents system security incidents on a quarterly basis

Incorporates simulated events into incident response training

Security controls are designed to be technology and implementation A. Independent B. Isolated C. Influenced D. Reliant

Independent

When addressing Configuration Management (CM), why is it MOST important to document the proposed changes? A. It is mandated by the federal Information Security Management Act (FISMA) B. It can affect the overall security and privacy posture of the system C. It is required for authorization to operate D. It will be used across accreditation boundaries

It can affect the overall security and privacy posture of the system

The determination of risk for a particular threat/vulnerability pair include assessment of the A. Probability assigned for each threat likelihood examined during initiation B. Cost of remediating the vulnerability and the value of the data C. Value of confidentiality, availability, or integrity of the system concerned D. Likelihood of a given threat source's attempt to exercise the vulnerability

Likelihood of a given threat source's attempt to exercise the vulnerability

An Information System (IS) has the following Security Categories (SC) for each information type: SC public information = (confidentiality, NA), (integrity, HIGH), (availability, LOW) SC investigation information = (confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)SC administrative = (confidentiality, NA), (integrity, LOW), (availability, LOW What is the overall IS security category for confidentiality A. LOW B. MODERATE C. HIGH D. N/A

MODERATE

The results of the completed control assessments, including recommendations for correcting any weaknesses or deficiencies in the control, are documented in which document? A. Plan of Action and Milestones (POA&M) B. Security and privacy assessment plans C. Risk Assessment Report (RAR) D. Security and privacy assessment reports

Risk Assessment Report(RAR)

What is essential when documenting the implementation of security controls? A. Security requirement and specification traceability B. Inclusion of threat and vulnerability pairs C. Organizational risk tolerance D. Control threat assessment

Security requirement and specification traceability

The new Authorizing Official (AO) is reviewing all moderate and high systems to determine formal authorization action is needed for any of the systems. Which of the following documents BEST facilities this process? A. The recent Risk Assessment Report (RAR) for each system B. The recent assessment reports for each system C. The recent vulnerability scan for each system D. The recent security status report for each system

The recent Risk Assessment Report(RAR) for each system

Which of the following considerations MUST be taken into account regarding data or media on an Information System (IS) prior to it being decommissioned and removed? A. The records retention requirements for the data B. The type of data compression used on the system or media C. The cost of sanitizing and reuse D. The cost of destroying the system or media

The records retention requirements for the data

What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected? A. The remediated controls are reassessed B. The system is given an Authority to Operate (ATO) C. An assessment report is generated D. The original assessment results are changed

The remediated controls are reassessed

What is a consequence of an authorization boundary that is too expensive? A. Increase the number of systems to be managed B. The risk management is complex C. Inflates the total security costs for the organization D. The Configuration Management is uncontrollable

The risk management is complex

An organization's Information System (IS) is categorized as a high-impact system. The organization's architecture does NOT support wireless connectivity. The initial security control baseline requires the organization to implement AC-18: wireless access. What process can the organization implement to eliminate this unnecessary control? A. Baseline and tailoring B. Tailoring and scoping C. Compensating controls D. Baseline and scoping

Baseline and tailoring

When documenting how system-specific and hybrid security controls are implemented, an organization takes into account A. Industry best practices B. Accepted management and technical controls C. Future hardware and software requirements D. Specific technologies and platform dependencies

Accepted management and technical controls

The Least Privilege security control is a member of which control family? A. Access Control B. System and Information Integrity C. Audit and Accountability D. Identification and Authentication

Access Control

In order to receive an Authorization to Operate (ATO), the Plan of Action and Milestones (POA&M) MUST A. Be implemented within 90 days B. Have all vulnerabilities mitigated C. Be implemented after the ATO is granted D. Address the remaining vulnerabilities

Address the remaining vulnerabilities

In determining residual risk, an organization considers impact on which of the following? A. System budget and personnel B. Operations, assets, and individual C. System maintenance and Disaster Recovery (DR) D. Administrative, technical, and operational functions

Administrative, technical ,and operational functions

A Security Control Assessment (SCA) was completed over two years ago, but the surrounding environment has changed. What, if anything, should the assessment team do with the previous results? A. Assessment only those controls that have changed B. Designed since the results are too old C. Assess all controls for the system D. Determine changes and impacts

Assess all controls for the system

When monitoring controls, changes to the system should be A. Documented in the Security Plan (SP) B. Assessed for the information security and privacy impact C. Documented in the Plan of Action and Milestones (POA&M) D. Implemented once approved by the System Owner (SO)

Assessed for the information security and privacy impact

***Which of the following ​cannot​ be delegated by the Authorizing Official (AO)? A. Certificate resources** B. Authorization decision C. Acceptance of Security Plan (SP) D. Determination of risk to agency operations

Authorization Decision

The process of uniquely assigning information resources to an Information System (IS) defines the A. Overall security management program B. Authorization boundary C. Rules of engagement D. Acceptable risk

Authorization boundary

Who is responsible for accepting the risk when a system undergoes a significant change? A. Information System Security Officer (ISSO) B. System Owner C. Risk executive (function) D. Authorizing Official (AO)

Authorizing Official (AO)

Who has the authority to divide a complex system in order to establish realistic security authorization boundaries? A. Authorizing Official (AO) and Information System Security Officer (ISSO) B. Authorizing Official (AO) and Senior Information Security Officer (SISO) C. Security Control Assessor (SCA) and risk executive D. Security Control Assessor (SCA) and Information System Security Officer (ISSO)

Authorizing Official (AO) and Information System Security Officer(ISSO)

Security Content Automation Protocol (SCAP) is a method for which of the following? A. Automating the documentation of security controls B. Facilitating interconnected system to communicate regarding security control operational effectiveness C. Using specific standards to enable automated policy compliance evaluation D. Automating the review of the SecurityPlan(SP)

Automating the documentation of security controls

Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process? A. Senior Agency Information Security Officer B. Authorizing Official C. Common Control Provider D. Chief Information Officer

Common Control Provider

Which role does an System Owner (SO) coordinate inherited controls implemented with? CommonControlProvider(CCP) Systemsecurityofficer AuthorizingOfficial(AO) AuthorizingOfficialDesignatedRepresentative(AODR)

Common Control Provider(CCP)

If an assessment of a common control determines that it is not effective, what documentation is required? A. Letter describing findings sent to system owners using the common control B. Security Plan (SP) addendum for each system using the common control C. Plan of Action and Milestones (POA&M) D. Continuous monitoring plan

Plan of Action and Milestones (POA&M)

Which of the following documents tracks an Information System's (IS) remediation actions? A. Security Plan (SP) B. Plan of Action and Milestones (POA&M) C. Assessment report D. Continuity of Operations Plan (COOP)

Plan of Action and Milestones (POA&M)

What document is based on the findings and recommendations of the assessment report? A. Security Test Plan (STP) B. Plan of Action and Milestones (POA&M) C. Security and Privacy Plans D. Configuration Management Plan (CMP)

Plan of Action and Milestones(POA&M)

Which of the following includes the resource required for mitigation? A. Corrective Action Plan B. Mitigation plan C. Monitoring strategy D. Plan of Action and Milestones (POA&M)

Plan of Action and Milestones(POA&M)

Which organizational reference can an Information Systems Security Officer (ISSO) use to help prioritize the remediation of a vulnerability found during a weekly vulnerability scan? A. Risk Assessment (RA) B. Risk Management Strategy C. Assessment report D. Plan of Action and Milestones (POA&M)

Plan of Action and Milestones(POA&M)

What should be included in a functional description of security control implementation? A. Planned inputs, expected behavior, and expected outputs B. Owner, process, and procedure C. Controls metrics and monitoring plan D. Planned metrics, expected behavior, and monitoring description

Planned inputs ,expected behavior ,and expected outputs

Which of the following phases is identified as one of the four Incident Response (IR) phases? A. Initiation Phase B. Reconstitution Phase C. Preparation Phase D. Activation Phase

Preparation Phase

The potential impact value "not applicable" applies to which of the following security objectives A. Confidentiality B. Availability C. Integrity D. Non-repudiation

Confidentiality

What is a KEY consideration when selecting a media sanitization method of destruction tool when decommissioning an Information System (IS)? A. Accountability B. Confidentiality C. Availability D. Integrity

Confidentiality

What are the steps of a risk assessment? A. Prepare, Conduct, Communicate, Maintain B. Prepare, Conduct, Communicate C. Prepare, Communicate, Conduct D. Prepare, Communicate, Maintain, Conduct

Prepare,Conduct,Communicate,Maintain

Which of the following BEST determines the level of details required when describing the Information System (IS)? A. Proportionate to the system categorization level B. Dependent on the complexity of the system C. Commensurate with the size of the user community D. Based on the Cost-Benefit Analysis (CBA)

Proportionate to the system categorization level

***The Authorizing Official may accept authorization recommendations based on A. Residual risks of similar system B. Impact to mission personnel C. Impact of environmental factors D. Residual risk of the specific systems**

Residual risks of similar system

Which of the following documents provides a function description of the Information System (IS) control implementation? A. Security and Privacy assessment reports B. Security and Privacy Plans C. Plans of Action and Milestones (POA&M) D. Risk Assessment Report

Risk Assessment Report

***Which will an Authorizing Official (AO) find implementation details for a control? A. Plan of Action and Milestones (POA&M) B. Security and Privacy Plans** C. Continuous monitoring strategy D. Risk Assessment Report (RAR)

Risk Assessment Report(RAR)

***Which process guides the selection of security controls to ensure adequate security commensurate with the risk of the organization? A. Risk assessment B. Security categorization** C. Vulnerability assessment D. Privacy Impact Assessment (PIA)

Risk assessment

A key part of the risk decision process is the recognition that, regardless of the risk response there typically remains a degree of residual risk. On what basis does an organization determine the acceptable degrees of residual risk? A. Risk avoidance B. Risk mitigation C. Risk tolerance D. Risk transfer

Risk tolerance

***Which of the following documents is updated when a vulnerability is discovered during continuous monitoring? A. Plan of Action and Milestones (POA&M)** B. Business Impact Analysis (BIA) C. Security Assessment Report (SAR) D. Incident Response Plan (IRP)

Security Assessment Report(SAR)

Overlays can be implemented as part of control tailoring after the completion of what process? A. Privacy Impact Assessment (PIA) B. Security Categorization C. Risk Assessment D. Contingency Plan (CP)

Security Categorization

The security category of information 1 is determined to be:Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, LOW) And the security category of information 2 is determined to be:Security Category Information type = (Confidentiality, LOW), (integrity, LOW), (availability, HIGH) What is the security category for the Information System (IS) A. Security Category Information type = (Confidentiality, LOW), (integrity, LOW), (availability, MODERATE) B. Security Category Information type = (Confidentiality, LOW), (integrity, MODERATE), (availability, HIGH) C. Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, LOW), (availability, MODERATE) D. Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, HIGH)

Security Category Information type =(Confidentiality,LOW), (integrity,MODERATE), (availability, HIGH)

Which of the following is the principal vehicle used to verify that Information Systems (IS) are meeting their stated security goals and objectives? A. Security Plan (SP) B. Risk assessment C. Security Control Assessment (SCA) D. Requirements traceability Matrix (RMT)

Security Control Assessment(SCA)

What is used by System Owners (SO) to establish a disciplined and structured process to monitor the residual risk in the Information System (IS)? A. Security and privacy assessment reports B. Security and privacy assessment plans C. Plan of Action and Milestones (POA&M) D. Security Plan (SP)

Security Plan(SP)

Which document in support of the authorization package defines the well-defined set of security and privacy controls? A. Security Plan (SP) B. Initial risk assessment C. Security and privacy assessment reports D. Plan of Action and Milestones (POA&M)

Security Plan(SP)

What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy? A. Create expedited assessment process for cost savings B. Maintain visibility of an organization's high-cost controls C. Support organization risk management decisions D. Assess the organizational tiers

Support organization risk management decisions

In the security and privacy assessment reports, the control assessor identified some weaknesses and proposed initial remediation actions. Based on the identified weaknesses, it is determined that certain findings are inconsequential and present no threat to the organization. Who is PRIMARILY responsible for determining the initial risk response? A. System Owner (SO) B. System Security Officer C. Authorizing Official (AO) D. Risk executive (function)

System Owner(SO)

Besides the System Owner (SO), what role has the PRIMARY responsibility for implementing the security controls into the security and privacy plans for the Information Systems (IS?) A. System Security Officer B. System administrator C. Common Control Provider (CCP) D. Information Owner

System Security Officer

Organization A has merged with another similar organization, organization B, and has expanded the data center operations to include Information Technology (IT) assets from both locations. What is the BEST reason for requiring an updated risk assessments? A. System Owner has changed B. System authorization boundary has changed C. System technical requirements has changed D. System regulatory and legal requirements has changed

System authorization boundary has changed

Which process follows the selection of the initial baseline security controls? A. Tailoring the baseline requirements B. Determining the overall impact to the baseline C. Performing an assessment of organization risk D. Reviewing the consistency of the baseline requirements

Tailoring the baseline requirements

What are the classifications of the system level security controls? A. Technical ,operational ,and mechanical B. Training, organizational, and mechanical C. Technical ,operational, and managemen​t D. Technical, organization, and management

Technical ,operational, and managemen​t

Organizations consider which of the following factors when selecting security or privacy control assessors? A. Technical expertise and level of independence B. System knowledge C. Technical expertise and relevant certifications D. Assessor certification

Technical expertise and level of independence

The Authorizing Official (AO) issues an Authorization decision for an information system after A. Deciding whether or not the risk is acceptable B. Completing the risk analysis C. Updating the Security Plan(SP) D. Documenting the control assessment results

Deciding whether or not the risk is acceptable

Which of the following is the BEST approach to authorizing operations of complex systems? A. Assuring the system works both in a secure and functional manner B. Decomposing and authorizing the system into multiple subsystems C. Documenting the decomposition of the information in the Security Plan (SP) D. Decomposing the system into smaller subsystems and authorizing them as a single system

Decomposing the system into smaller subsystems and authorizing them as a single system

Residual risk can be categorized as risk A. That exists before the implementation of security controls B. That exists after the implementation of security controls C. Introduced by the implementation of security controls D. Introduced by implementing security controls

That exists after the implementation of security controls

What is included in the Plan of Action and Milestones (POA&M) that is presented in the Authorizing Official (AO) as part of the initial authorization package? A. All items identified throughout the Risk Management Framework (RMF) process B. Only volatile findings that require prioritization in remediation C. Deficiencies that have not yet been remediate and verified throughout the Risk Management Framework (RMF) process D. Only findings that have evaluated as moderate or high

Deficiencies that have not yet been remediate and verified throughout the Risk Management Framework (RMF) process

Which process must be conducted during security categorization? A. Define information types B. Define baseline security controls C. Determine risk level D. Determine likelihood of impact

Define information types

The Authorization boundary of a system undergoing assessment includes A. The Information System (IS) components to be authorized for operation B. The Information (IS) components to be authorized for operation and any outside system it connects to C. Any components or systems the Information Owner (IO) states should be included in the assessment D. Any components found within the given Internet Protocol (IP) range

The Information System(IS) components to be authorized for operation

Which of the following MUST be done when a federal Information System (IS) is removed from service? A. A comprehensive control assessment is conducted for the environment B. The Plan of Action and Milestones (POA&M) is updated to reflect the removal C. Organizational documentation is updated to reflect the system's removal D. An updated authorization memo is signed by the Authorizing Official (AO)

The Plan of Action and Milestones(POA&M is updated to reflect the removal

Certification & Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment? A. Definition, Validation, Verification, and Post Accreditation B. Verification, Definition, Validation, and Post Accreditation C. Verification, Validation, Definition, and Post Accreditation D. Definition, Verification, Validation, and Post Accreditation

Definition, Verification, Validation, and Post Accreditation

For a new system, the controls are selected and the security and privacy plans are written during which System Development Life Cycle (SDLC) phase? A. Development/Acquisition B. Initiation C. Operation/Maintenance D. Implementation/Assessment

Development/Acquisition

Common controls protecting multiple organizational Information Systems (IS) of different levels are implemented at the which impact level? A. The "HIGH" impact level B. The highest impact level C. The average impact level D. The most common impact level

The highest impact level

When a security control selected for a system cannot be applied, A. The security control list is deleted B. A compensating control is implemented C. A less restrictive security control is employed D. The security control is marked as non-applicable

The security control is marked as non-applicable

The organizational and system monitoring strategies identifies A. The security controls to be monitored, the frequency of monitoring, and the weakness mitigation strategy B. The volatility of specific security controls, the frequency of monitoring, and the vulnerability scanning approach C. The security controls to be monitored, the frequency of monitoring, and the control assessment approach D. The security documentation to be updated, the frequency of updates, and the approval Process

The security controls to be monitored, the frequency of monitoring, and the control assessment approach

Security controls that are shared throughout an organization's enterprise require A. Approval by the system owner. B. Shared security controls costs across agencies' system owners. C. Accept from the Information System Security Officer (ISSO). D. Documenting in a security plan by the Common Control Provider (CCP).

Documenting in a security plan by the Common Control Provider(CCP).

An organization is developing a risk assessment for a newly installed Information System (IS) to determine the best configuration or a supporting Information Technology (IT) product. Which of the following specific factors is often overlooked in this analysis? A. Exposure of interconnections to organizational core mission functions B. Effectiveness of inherited security controls C. Cost benefits that can be gained from a broad-based security implementation D. Implementation of stove-piped activities that enhance security solutions

Effectiveness of inherited security controls

In establishing the rules of behavior for a system, which of the following is necessary? A. For a user to have system access before reviewing the rules B. Ensuring that users submit a formal acknowledgement of the rules C. That testing is conducted in order to validate the rules D. Ensuring that all applicable controls are detailed within the rules

Ensuring that users submit a formal acknowledgement of the rules

Which of the following assessment methodologies defines a six-step technical security evaluation? A. FITSAF B. FIPS 102 C. OCTAVE D. DITSCAP

FIPS 102

An organization-wide approach to identifying common controls early in the Risk Management Framework (RMF) process does which of the following? A. Considers system-specific controls before assigning common controls B. Allows each Information System Owner (ISO) to accept only those common controls that are mission-critical C. Facilitates a more global strategy for assessing those controls and sharing essential assessment results D. Encourages Information System Owners and Authorizing Officials (AO) to complete their initial Security Plan (SP) prior to control assignment

Facilitates a more global strategy for assessing those controls and sharing essential assessment results

Which of the following is TRUE when applying the Risk Management Framework (RMF) steps and associated tasks to existing systems? A. This can be omitted in order to expedite the assessment B. This can be waived by the System owner (SO) C. This can be carried out only by internal sources D. This can viewed as a gap analysis

This can be viewed as a gap analysis

When determining the likelihood of a threat-source exploiting a system vulnerability, one MUST consider which of the following? A. Vulnerability's root-level access ,threat motivation, and system security control effectiveness B. Organization's mission impact, system security control effectiveness ,and threat's capability C. Threat's capability, system security control effectiveness, and threat motivation D. Organization's readiness, mission impact, and system security control effectiveness

Threat's capability, system security control effectiveness, and threat motivation

What factor MUST be analyzed during risk determination activities? A. Threats, impacts, vulnerabilities, likelihood of occurrence, and predisposing conditions B. Threats, impacts, vulnerabilities, risk assessment results, and predisposing conditions C. Threats, impacts, vulnerabilities, likelihood of occurrence, and compliance verification D. Threats, impacts, vulnerabilities, risk assessment results, and compliance verification

Threats, impacts ,vulnerabilities, likelihood of occurrence, and predisposing conditions

Which of the following BEST describes a government-wide standard for security Assessment and Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for federal agencies and Cloud Service Providers (CSP)? A. Federal Risk and Authorization Management Program (FedRAMP) B. National Institute of Standards and Technology (NIST) C. Federal Information Technology Acquisition Reform Act (FITARA) D. National Cyber Security Program (NCSP)

Federal Risk and Authorization Management Program(FedRAMP)

Configuring an Information System (IS) to prohibit the use of unused ports and protocols A. Helps provide least privilege B. Helps provide least functionality C. Streamlines the functionality of the system D. Violates configuration management best practice

Helps provide least functionality

At which point in the Risk Management Framework (RMF) process is a system analyzed for changes that impact the security and privacy posture of the system? A. Implement B. Assess C. Select D. Monitor

Implement

If the protection offered by a common control proves to be unacceptable or insufficient, how would the problem be corrected? A. Revise the control to make it system specific B. Perform a second vulnerability scan C. Implement supplementary controls D. Inform the Common Control Provider (CCP)

Implement supplementary controls

Which of the following roles within the organization is responsible for clearly defining the impact level of the information the system processes? A. Risk executive (function) B. Information Owner (IO) C. Authorizing Official (AO) D. System security officer

Information Owner(IO)

Which role has the PRIMARY responsibility for the documentation of control implementation? A. Systems security engineer B. Control assessor C. Information System Owner (ISO) D. Information Owner/Steward

Information Owner/Steward

Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process? A. Information System Owner B. Authorizing Official C. Chief Risk Officer D. Chief Information Officer (CIO)

Information System Owner

Common security controls are those that apply to one or more of which of the following? A. Organizational security families B. Organizational Information system (IS) C. Information security classes D. Information data categories

Information data categories

Which of the following triggers a Security Plan (SP) update? A. A vulnerability scan run against a system B. Inspector general's Security Assessment Report (SAR) C. Change in Information System Owner (ISO) D. Leave of absence of Authorizing Official (AO)

Inspector general's Security Assessment Report(SAR)

A System Owner (SO) is implementing a new system with their existing organization Information Technology (IT) environment. What objectives are considered when determining possible impact to risk? A. Low, Moderate, and High B. Authentication, Authorization, and Accountability C. Common, Hybrid, and System-Specific D. Integrity, Confidentiality, and Availability

Integrity ,Confidentiality ,and Availability

What is the MOST important reason for developing a continuous monitoring strategy? A. To maintain an up-to-date Configuration Management Plan B. To conduct a point-in-time assessment to demonstrate due diligence and compliance C. To determine if the deployed security controls continue to be effective over time D. To validate an Interconnection Service Agreement (ISA)

To determine if the deployed security controls continue to be effective overtime

***Which of the following BEST defines the purpose of the security assessment? A. To determine if the remaining known vulnerability pose an acceptable level of risk B. To determined the extent to which the security controls are implemented correctly and operating as intended** C. To perform oversight and monitor the security controls in the Information System (IS) D. To perform initial risk estimate and security categorization of the Information System (IS)

To determine if the remaining known vulnerability pose an acceptable level of risk

Subsystems are considered part of a larger system provided that they are A. Within the same physical network segment B. Certified by the same Security Control Assessor (SCA) C. Certified within six months of one another D. Under the same higher management authority

Under the same higher management authority

Which is the likelihood that security controls with a low level of volatility will change? A. Likely to change from year to year B. Unlikely to change from year to year C. Likely to change during system upgrades D. Unlikely to change during system upgrades

Unlikely to change from year to year

As part of an annual Federal Information Security Management Act (FISMA) compliance audit the inspector general security program review has identified vulnerabilities to an Information System (IS) in an operational division, which of the following activities is the MOST likely to occur? A. Update the Plan of Action and Milestones (POA&M) B. Perform additional security scans of systems C. Update the Security Plan (SP) immediately D. Revoke the Authorization to Operate (ATO)

Update the Plan of Action and Milestones(POA&M)

Which security control baseline does not require an independent assessment of security controls, as part of continuous monitoring? A. High B. Low C. Moderate D. Critical

Low

An Information System (IS) is registered with appropriate program/management offices in order to A. Manage and track the system B. Determine security categorization C. Set security authorization boundaries D. Initiate the risk management process

Manage and track the system

***Which of the following is the mutual agreement among participating organizations to accept one another's security assessments in order to reuse system resources or to accept each other's assessed security posture in order to share information? A. Memorandum of Understanding (MOU) B. Memorandum of Agreement (MOA) C. Reciprocity** D. Reuse

Memorandum of Agreement(MOA)

When implementing a control on wireless access, the organization MUST do which of the following? A. Monitor for unauthorized access B. Prevent Denial of Service (DoS) conditions. C. Not broadcast the Service Set Identifier (SSID) D. Increase monitoring for non-wireless networks

Monitor for unauthorized access

What is considered when establishing a system authorization boundary? A. Direct management control B. Cost of security authorization C. Network topography and complexity D. Interconnection Security Agreement (ISA)

Network topography and complexity

The Chief Information Officer (CIO) is establishing a policy of monthly assessment for access controls. What is the BEST corresponding action the system security officer should complete? A. Update the Security Plan (SP) with the CIO's monitoring criteria B. Advise the System Owner (SO) of the CIO's recommendation C. Ignore the CIO's direction because they are inconsistent with Federal Information Processing Standard (FIPS) 199 standards D. Update the Plan of Action and Milestones (POA&M) with the CIO's direction

Update the SecurityPlan(SP) with the CIO's monitoring criteria

When a system contains Personally Identifiable Information (PII) what additional action MUST be performed related to the specific system? A. Perform a Privacy Impact Assessment (PIA) B. Develop design documents C. Perform vulnerability scan of the hardware D. Send out a Notice of Privacy Practices (NPP)

Perform a Privacy Impact Assessment(PIA)

One of the primary goals in conducting analysis of the test results from a scan during Security Control Assessment (SCA) is to A. Identify false negative findings B. Categorize vulnerabilities C. Determine threats to the system D. Validated the system boundaries

Categorize vulnerabilities

What does a finding of "other than satisfied" reflect in an assessment report? A. An Information Security incident has occurred B. Information types should be reevaluated C. A lack of specified protection D. The contingency plan must be revised

A lack of specified protection

While conducting an internal control review of a high impact system's technical controls, the information System Security Officer (ISSO) notes that system's audit logs are collecting only user login time. This is a violation of which of the following? A. Audit reduction and report generation B. Audit monitoring and reporting C. Processing of audit logs D. Content of audit records

Audit monitoring and reporting

What consideration leads to a less frequent assessment and monitoring activity? A. Volatile security controls B. High-impact level systems C. High organizational risk tolerance D. Risks in the control assessment

High organizational risk tolerance

An effective continuous monitoring strategy includes which of the following? A. Implementation of the United States Government Configuration Baseline (USGCB) B. Adherence to the organization's approved enterprise architecture C. Documenting the functional security baseline configuration D. Reporting of security and privacy posture to organizational officials

Reporting of security and privacy posture to organizational officials

The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply. A. An ISSE provides advice on the impacts of system changes. B. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A) C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A) D. An ISSO takes part in the development activities that are required to implement system changes. E. An ISSE provides advice on the countinuous monitoring of the information system.

A. An ISSE provides advice on the impacts of system changes. C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A) E. An ISSE provides advice on the countinuous monitoring of the information system.

System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of the System Authorization Plan? Each correct answer represents a part of the solution. Choose all that apply. A. Post-Authorization B. Pre-certification C. Post-certification D. Certification E. Authorization

A. Post-Authorization B. Pre-certification D. Certification E. Authorization

The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer? Each correct answer represents a complete solution. Choose all that apply. A. Preserving high-level communications and working group relationships in an organization B. Facilitating the sharing of security risk-related information about authorizing officials C. Establishing effective continuous monitoring program for the organization D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan

A. Preserving high-level communications and working group relationships in an organization C. Establishing effective continuous monitoring program for the organization D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan

The PRIMARY benefit of documenting the control implementation is that it A. Protects the Information Owner/Steward B. Allows traceability of deployment decisions taken C. Supports the Plan of Action and Milestones (POA&M) D. Demonstrates the use of sound information system methodologies

Allows traceability of deployment decisions taken

Determining the level of acceptable risk associated with the operation of an Information System (IS), organization shall give A. Appropriate weight to mission and security requirements B. Greater weight to mission requirements than security requirements C. Appropriate weight to system performance and security requirements D. Greater weight to security requirements than performance requirements

Appropriate weight to mission and security requirements

DIACAP applies to the acquisition, operation, and sustainment of an DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP? Each answer represents a complete solution. Choose all that apply. A. Accreditation B. Identification C. System Definition D. Verification E. Validation F. Re-Accreditation

C. System Definition D. Verification E. Validation F. Re-Accreditation

From an organizational viewpoint, what effect does the designation of some security controls as common controls have? A. It is difficult for developers to build in security controls for individual applications B. Costs are increased in the Security Assessment and Authorization (A&A) activities C. Depth of analysis required is increased during the security Assessment and Authorization (A&A) D. Consistent application of security across the organization is enabled

Consistent application of security across the organization is enabled

When implementing the organizational disposal process, what factors are considered when making a final decision about sanitization of media? A. Cost versus benefit B. Function versus security C. Availability versus integrity D. Accountability versus authentication

Cost Versus Benefit

Which of the following are acceptable assessment methods for a control assessment? A. Examine, interview, and test B. Research, test, and interview C. Interview, examine, and measure D. Research, test, and validate

Examine, interview, and test

An organization should consider which elements when selecting an assessment team? A. Expertise and cost B. Schedule and independence C. Schedule and cost D. Expertise and independence

Expertise and independence

Which of the following BEST describes the objective of the Security Assessment Plan (SAP)? A. It provides a detailed roadmap for how to conduct the assessment. B. It provides an assessment process for the integration of software and hardware C. It describes how to verify the change control and Configuration Management (CM) practices. D. It ensures that changes made during system development are included in security assessments.

It provides a detailed roadmap for how to conduct the assessment.

FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented? A. Level 4 B. Level 1 C. Level 3 D. Level 5 E. Level 2

Level 3

The compliance schedules for National Institutes of Standards and Technology (NIST) security standards and guidelines are established by the A. Agency implementing them, as they apply to new systems B. Secretary of Commerce when the documents are finalized C. Office of Management and Budget (OMB) in policies, directives, or memoranda D. Joint Task Force Transformation Initiative Interagency Working Group when the documents are issued

Office of Management and Budget(OMB) in policies, directives, or memoranda

When should a Plan of Action and Milestones (POA&M) be updated? A. When time permits B. On an ongoing basis C. When the budget allows it D. After the Security Plan (SP) is updated

On an ongoing basis

During which phase of the System Development Life Cycle (SDLC) of an existing system does the system owner conduct remediation action based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the Plan of Action and Milestones (POA&M)? A. Operational Maintenance B. Implementation C. Development/Acquisition D. Integration

Operational Maintenance

The organization has implemented a project to move the physical servers to virtual machines (VM) over the next year. Which risk perspective addresses this project? A. Mission and business B. Organization-wide C. Information system (IS) D. Enterprise-wide

Organization-wide

The baseline configuration of an information system should be consistent with the A. Enterprise architecture B. Original design specification C. Disaster Recovery (DR) procedures D. Security authorization Process

Original design specification

All Federal agencies are required by law to conduct which of the following activities? A. Protect Information Systems (IS) used or operated by a contractor of an agency or other organization on behalf of an agency B. Coordinate with the National Institutes of Standards and Technologies (NIST) to develop binding operational directives C. Report the effectiveness of information security policies and practices to the Office of Personnel Management (OPM) D. Monitor the implementation of information security policies and practices of other agencies to ensure compliance

Protect Information Systems(IS) used or operated by a contractor of an agency or other organization on behalf of an agency

What is a key component of the initial security and privacy assessment reports? A. Optional addendum B. Information System (IS) description C. Security and privacy assessment plans D. Recommendations

Recommendations

The final Security Assessment Report (SAR) should contain which of the following A. Determination of the residual risk B. Security Control Assessment (SCA) plan C. System Security Plan (SSP) and Concept of Operations (CONOPS) D. Recommendations for correct deficiencies

Recommendations for correct deficiencies

Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use? A. Mandatory Access Control B. Role-Based Access Control C. Discretionary Access Control D. Policy Access Control

Role-Based Access Control

During the assessment of a new system, the System Owner (SO) mentioned that if unauthorized modification or destruction of medical information in the system occurred, it could result in potential loss of life because the system is the authoritative source of information about patient healthcare records including current and previous medications and ongoing medical procedures. Which of the following is the BEST Security categorization (SC) for the information type? A. SC medical information = (confidentiality, MODERATE), (integrity, LOW), (availability, LOW) B. SC medical information = (confidentiality, MODERATE), (integrity, MODERATE), (availability, MODERATE) C. SC medical information = (confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH) D. SC medical information = (confidentiality, MODERATE), (integrity, MODERATE, ((availability, HIGH)

SC medical information= (confidentiality,MODERATE),(integrity,HIGH) ,(availability,HIGH)

Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems? A. FITSAF B. FIPS C. TCSEC D. SSAA

SSAA

What can an organization choose to eliminate the authorization termination data? A. The authorization termination date can never be eliminated B. A continuous monitoring plan is approved by the Risk executive (function) C. Risk acceptance activities are performed by the Information System Security Officer (ISSO) so that the effectiveness of common controls are inherited periodically D. The continuous monitoring program is sufficiently robust to provide the Authorizing Official (AO) with the needed information to conduct risk determination.

The continuous monitoring program is sufficiently robust to provide the Authorizing Official (AO) with the needed information to conduct risk determination.

Regardless of the task ordering, what is the last step before an Information System (IS) is placed into operation? A. Report the security status of the IS to the Authorizing Official (AO) B. Review the reported security status of the IS C. Update the Security Plan (SP) and the assessment report D. The explicit acceptance of risk by the Authorizing Official (AO)

The explicit acceptance of risk by the Authorizing Official(AO)

***The functional description of the control implementation includes A. The control description, effectiveness, and Plan of Action and Milestones (POA&M) B. Planned inputs, expected behavior, and expected outputs** C. A detailed description of the effectiveness of the control D. The operational parameters of the control

The operational parameters of the control

A minor application is being added to an existing accredited distributed system. This application does not require any additional security functionality other than that provided by the distributed system. Which of the following actions is taken? A. The owner of the distributed system is responsible for the new application, and adds it to the existing distributed system Security Plan (SP) B. The owner of the distributed system needs to create a separate Security Plan (SP) and reference the distributed system Security Plan (SP) C. The owner of the new application needs to create an addendum/ application to the distributed system Security Plan (SP) detailing the necessary additional security mechanisms for the new application D. The owner of the new application is responsible for updating the distributed system Security Plan (SP) with the new application information

The owner of the distributed system is responsible for the new application, and adds it to the existing distributed system Security Plan (SP)

Which of the following is an essential element when an organization updates its authorization package documents? A. Version control B. Technical control C. Administrative control D. Operational control

Version control

***When making determinations regarding the adequacy of common controls for their respective systems, Information System Owner (ISO) refer to the Common Control Providers' (CCP) A. Privacy Impact Assessment (PIA) B. Business Impact Analysis (BIA) C. Authorization Packages** D. Vulnerability Scans

Vulnerability Scans


Related study sets

Biochemistry Learning Curve Chapter 4.1,4.2,4.3

View Set

NIST Privacy Framework Core Functions

View Set