Exam (elaborations)

ISC2 CAP Exam Prep Questions With 100% Correct Answers 2024, 315 Questions and Correct Answers. Complete Solution.

Rating
-
Sold
-
Pages
28
Grade
A+
Uploaded on
11-03-2024
Written in
2023/2024


Preview of the content

ISC2 CAP Exam Prep Questions With 100% Correct Answers 2024, 315 Questions and Correct Answers. Complete Solution.
In FIPS 199, a loss of Confidentiality is defined as

The unauthorized disclosure of information

In FIPS 199, a loss of Integrity is defined as

The unauthorized modification or destruction of information

In FIPS 199, a loss of Availability is defined as

The disruption of access to or use of information

NIST Special Publication 800-53 r4

FIPS 200 Mandated - A catalog of security controls. Defines three baselines (L, M, H). Initial version
published in 2005.

None

This FIPS document can be waived

Inherited

An organization's information systems are a mix of Windows and UNIX systems located in a single
computer room. Access to the computer room is restricted by door locks that require proximity cards
and personal identification numbers (PINs). Only a small percentage of the organization's employees
have access to the computer room. The computer room access restriction is an example of what type of
security control relative to the hardware in the computer room?

Supplement the common controls with system-specific or hybrid controls to achieve the required
protection for the system

An information system is currently in the initiation phase of the SDLC and has been categorized high
impact. The information system owner wants to inherit common controls provided by another
organization's information system that is categorized moderate impact. How does the information system
owner ensure that the common controls will provide adequate protection for the information system?

Active involvement by authorizing officials in the ongoing management of information system-related
security risks.

An effective security control monitoring strategy for an information system includes...

All Steps

In which steps is the security plan updated (Categorize, Implement, or Monitor)

An enterprise security authorization program is considered successful when

A) provides an effective means of meeting requirements
B) permits efficient oversight of its activities
C) provides assurance that controls are implemented at the system level

Hybrid

A large organization has a documented information security policy that has been reviewed and approved
by senior officials and is readily available to all organizational staff. This information security policy
explicitly addresses each of the 17 control families in NIST SP 800-53, Revision 3. Some system owners
have also established procedures for the technical class of security controls on certain of their systems. In
their respective system security plans, control AC-1 Access Control Policy and Procedures (a technical
class security control) must be identified as what type of control?

NIST Special Publication 800-37, Revision 1

This manual defines the Risk Management Framework

NIST Special Publication 800-30

This manual defines how to conduct a risk assessment

FISMA

Federal Information Security Management Act

Federal Information Security Management Act (FISMA)

This raised visibility throughout government of certification, accreditation and system authorizations and
follows NIST SP 800-37

SDLC phases within the RMF in order

1) Initiation
2) Development/Acquisition
3) Implementation
4) Operation/Maintenance
5) Disposal

Information System Owner (ISO)

This organizational official is responsible for the procurement, development, integration, modification,
operation, maintenance, and disposal of an information system.

FIPS 200

This document specifies security requirements for federal information and information systems in 17
security-related areas that represent a broad-based, balanced information security program. Specifies
that a minimum baseline of security controls, as defined in NIST SP 800-53, will be implemented.
Specifies that the baselines are to be appropriately tailored.

Leveraged

Which authorization approach (leveraged, single, and joint or site specific) considers time elapsed since
the authorization results were produced, the environment of operation, the criticality/sensitivity of the
information, and the risk tolerance of other organizations?

Authorizing Official (AO)

When an authorization to operate (ATO) is issued, this role authoritatively accepts residual risk on
behalf of the organization.

Information Technology Systems

The objective of system authorization is to ensure the security of...

Will NEVER have a primary role in any RMF step tasks

A) Information system security officer (ISSO)
B) Information system security engineer (ISSE)

Authorizing Official (AO)

Who does the Security Control Assessor (SCA) report directly to?

Independence and Technical Confidence

The two basic traits a Security Control Assessor (SCA) must have

Successful information technology develops separate security perimeters covering individual critical
resources according to the system boundaries rather than one perimeter to cover all critical resources.
This works because...

A) Systems are distant
B) Their limits can be defined in practical terms
C) Security is comparatively easy to implement at system level

Authorizing Official (AO)

The Information System Owner (ISO) is appointed by this person

Chief Information Officer (CIO)

The Common Control Provider (CCP) is appointed by this person

Certification

The process to assess effectiveness of security controls

NIST Special Publication 800-53, Revision 4

This publication introduces the new family Program Management as well as eight additional security and
privacy control families to the FIPS 200 17 security control families.

The three Risk Management core components
