ISC2 CAP Exam Prep Questions & Answers 2023/2024
In FIPS 199, a loss of Confidentiality is defined as - ANSWER-The unauthorized disclosure of information
In FIPS 199, a loss of Integrity is defined as - ANSWER-The unauthorized modification or destruction of information
In FIPS 199, a loss ...
ISC2 CAP Exam Prep Questions &
Answers 2023/2024
In FIPS 199, a loss of Confidentiality is defined as - ANSWER-The unauthorized disclosure of information
In FIPS 199, a loss of Integrity is defined as - ANSWER-The unauthorized modification or destruction of
information
In FIPS 199, a loss of Availability is defined as - ANSWER-The disruption of access to or use of information
NIST Special Publication 800-53 r4 - ANSWER-FIPS 200 Mandated - A catalog of security controls. Defines
three baselines (L, M, H). Initial version published in 2005.
None - ANSWER-This FIPS document can be waived
Inherited - ANSWER-An organizations information systems are a mix of Windows and UNIX systems
located in a single computer room. Access to the computer room is restricted by the door locks that
require proximity cards and personal identification numbers (PINS). Only a small percentage of the
organizations employees have access to the computer room. The computer room access restriction is an
example of what type of security control relative to the hardware in the computer room?
Supplement the common controls with system-specific or hybrid controls to achieve the required
protection for the system - ANSWER-An information system is currently in the initiation phase of the
SDLC and has been categorized high impact. The information system owner wants to inherit common
controls provided by another organization information system that is categorized moderate impact.. How
does the information system owner ensure that the common controls will provide adequate protection
for the information system?
Active involvement by authorizing officials in the ongoing management of information system-related
security risks. - ANSWER-An effective security control monitoring strategy for an information system
includes...
,All Steps - ANSWER-In which steps is the security plan updated (Categorize, Implement, or Monitor)
An enterprise security authorization program is considered successful when - ANSWER-A) provides an
effective means of meeting requirements
B) permits efficient oversight of its activities
C) provides assurance that controls are implemented at the system level
Hybrid - ANSWER-A large organization has a documented information system policy that has been
reviewed and approved by senior officials and is readily available to all organizational staff. This
information security policy explicitly addresses each of the 17 control families in NIST SP 800-53,
Revision.3. Some system owners also established procedures for the technical class of security controls
on certain of their systems. In their respective system security plans, control AC-1 Access Control Policy
and Procedures (a technical class security control) must be identified as what type of control?
NIST Special Publication 800-37, Revision 1 - ANSWER-This manual defines the RIsk Management
Framework
NIST Special Publication 800-30 - ANSWER-This manual defines how to conduct a risk assessment
FISMA - ANSWER-Federal Information Security Management Act
Federal Information Security Management Act (FISMA) - ANSWER-This raised visibility through
government on certification, accreditation and system authorizations and follows NIST SP 800-37
SDLC phases within the RMF in order - ANSWER-1) Initiation
2) Development/Acquisition
3) Implementation
4) Operation/Maintenance
5) Disposal
,Information System Owner (ISO) - ANSWER-This organizational official is responsible for the
procurement, development, integration, modification, operation, maintenance, and disposal of an
information system.
FIPS 200 - ANSWER-This document specifies security requirements for federal information and
information systems in 17 security-related areas that represent a broad-based, balanced information
security program. Specifies that a minimum baseline of security controls, as defined in NIST SP 800-53,
will be implemented. Specifies that the baselines are to be appropriately tailored.
Leveraged - ANSWER-Which authorization approach (leveraged, single, and joint or site specific)
considers time elapsed since the authorization results were produced, the environment of operation, the
criticality/sensitivity of the information, and the risk tolerance of other organizations?
Authorizing Official (AO) - ANSWER-When an authorization to operation (ATO) is issued, this role
authoritatively accepts residual risk on behalf of the organization.
Information Technology Systems - ANSWER-The objective of system authorization is to ensure the
security of...
Will NEVER have a primary role in any RMF step tasks - ANSWER-A) Information system security officer
(ISSO)
B) Information system security engineer (ISSE)
Authorizing Official (AO) - ANSWER-Who does the Security Control Assessor (SCA) report directly to?
Independence and Technical Confidence - ANSWER-The two basic traits a Security Control Assessor (SCA)
must have
Successful information technology develops separate security perimeters covering individual critical
resources according to the system boundaries rather than one perimeter to cover all critical resources.
This works because... - ANSWER-A) Systems are distance
B) Their limits can be defined in practical terms
C) Security is comparatively easy to implement at system level
, Authorizing Official (AO) - ANSWER-The Information System Owner (ISO) is appointed by this person
Chief Information Officer (CIO) - ANSWER-The Common Control Provider (CCP) is appointed by this
person
Certification - ANSWER-The process to assess effectiveness of security controls
NIST Special Publication 800-53, Revision 4 - ANSWER-This publication introduces the new family
Program Management as well as eight additional security and privacy control families to the FIPS 200 17
security control families.
The three Risk Management core components - ANSWER-A) Risk Assessment (understand what can go
wrong)
B) Risk Mitigation (identify how risk is managed)
C) Security Control (must be planned and budgeted)
Accreditation - ANSWER-Management decision (based on the assessment) to permit an information
system to operate at its current security posture.
The documents required for the accreditation package are... - ANSWER-A) Security plan
B) Security assessment report
C) Plan of action and milestones
CPIC - ANSWER-Capital Planning and Investment Controls
Capital Planning and Investments Controls includes the following... - ANSWER-A) How systems are
funded
B) Supplemental funding for new or improved security control implementation
NIST classifications of security controls - ANSWER-A) System specific
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller Bensuda. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $10.99. You're not tied to anything after your purchase.
