Correct Answers
Which one of the following roles is responsible for testing the non-technical controls in an information system? - Answer Security Control Assessor
Which reference provides detailed guidance on risk mitigation for the State Department? - Answer SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
Which of the following roles has the responsibility to ensure that the enterprise architecture supports the mission and business processes? - Answer a. Information Security Architect
During which step of the Risk Management Framework (RMF) does the Information System Owner register the information system? - Answer Categorize Information System
Who signs the authorization decision letter? - Answer Authorizing Official
Who develops and maintains information security policies, procedures, and control techniques to address all applicable requirements? - Answer b. Chief Information Officer
A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source is the definition of which key term? - Answer Vulnerability
Who procures, develops, integrates, or modifies an information system? - Answer Information System Owner
Who has the responsibility to prepare the plan of action and milestones based on the findings and recommendations of the security assessment report? - Answer Common Control Provider
You have just completed the Risk Assessment defined by NIST SP 800-30. What reference identifies the risk management strategy alternatives that can be applied to the information system? - Answer NIST SP 800-53
In which phase of the NIST SP 800-30 process does one produce the first full Risk Assessment Report (RAR)? - Answer Step 2
Which step of the NIST SP 800-30 process would most likely identify the CVE database as a risk assessment information source? - Answer Step 2
Organizations should view assessments as an information-gathering activity, not as a security-producing activity. In accordance with NIST SP 800-53A, security control assessments create the following benefits: identify potential problems or shortfalls in the organization's implementation of the NIST Risk Management Framework; support budgetary decisions and capital investment processes; and: - Answer Support information system authorization decisions.
The last step in the Risk Assessment process model is called? - Answer Maintain
When using NIST SP 800-53A, during which SDLC phase are security assessments used to increase confidence or assurance that the security controls are working correctly for a system? - Answer Development, Implementation, and Operations and Maintenance
Which of these is a valid response to address risk? - Answer Accept the risk to the system
OMB Circular A-130 states information security must: - Answer Be risk-based, and cost effective
In accordance with Public Law 107-347, Executive Agencies must: - Answer Authorize system processing prior to operation
Adequate Security is: - Answer Commensurate with risk