CAP Review Questions Exam Questions With Verified Answers
Exam (elaborations), questions & answers. Seller: Thebright. Published August 1, 2024. 20 pages (preview of 3).
EXAM STUDY MATERIALS July 23, 2024 4:26 PM

1. During which Risk Management Framework (RMF) step is the system security plan initially approved?
A. RMF Step 1 Categorize Information System
B. RMF Step 2 Select Security Controls
C. RMF Step 3 Implement Security Controls
D. RMF Step 5 Authorize Information System
Answer: B. RMF Step 2 Select Security Controls
The system security plan is first approved by the authorizing official or AO designated representative during execution of RMF Step 2, Task 2-4, Security Plan Approval. See: CAP® CBK® Chapter 2, Task 2-4: Approval Security Plan; NIST SP 800-37, Revision 1, RMF Step 2, Task 2-4: Security Plan Approval.

2. Which organizational official is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system?
A. Information system security engineer (ISSE)
B. Chief information officer (CIO)
C. Information system owner (ISO)
D. Information security architect
Answer: C. Information system owner (ISO)
According to National Institute of Standards and Technology Special Publication (NIST SP) 800-37, Revision 1, Appendix D.9 Information System Owner, the information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system. The information system owner serves as the focal point for the information system. In that capacity, the information system owner (ISO) serves both as an owner and as the central point of contact between the authorization process and the owners of components of the system. See also CAP® CBK® Chapter 1, System Authorization Roles and Responsibilities, Primary Roles and Responsibilities.

3. Which authorization approach considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of the other organization?
A. Leveraged
B. Single
C. Joint
D. Site specific
Answer: A. Leveraged
With this approach, the leveraging organization considers risk factors such as the time elapsed since the authorization results were originally produced; the current environment of operation (if different from the environment of operation reflected in the authorization package); the criticality/sensitivity of the information to be processed, stored, or transmitted (if different from the state of the original authorization); as well as the overall risk tolerance of the leveraging organization (in the event that the risk tolerance posture has changed over time). See NIST SP 800-37, Revision 1, Appendix F.9 Authorization Approaches.

4. System authorization programs are marked by frequent failure due to, among other things, poor planning, poor systems inventory, failure to fix responsibility at the system level, and
A. inability to work with remote teams.
B. lack of a program management office.
C. insufficient system rights.
D. lack of management support.
Answer: D. lack of management support.
Lack of management support results from failure to connect system authorization to budgeting for resources, as well as excessive paperwork, lack of enforcement, and poor timing, among others. See CAP® CBK® Chapter 1, Why System Authorization Programs Fail.

5. In what phases of the Risk Management Framework (RMF) and system development life cycle (SDLC), respectively, does documentation of control implementation start?
A. Categorization and initiation
B. Implement security controls and development/acquisition
C. Authorization and operations/maintenance
D. Monitor and sunset
Answer: B. Implement security controls and development/acquisition
Security control documentation that describes how system-specific, hybrid, and common controls are implemented is part of RMF Step 3 (implement security controls) and the SDLC development/acquisition and implementation phases. The documentation formalizes plans and expectations regarding the overall functionality of the information system. The functional description of the security control implementation includes planned inputs, expected behavior, and expected outputs where appropriate, typically for those technical controls that are employed in the hardware, software, or firmware components of the information system. See CAP® CBK® Chapter 4, Application of Security Controls, Task 3-1: Implement Security Controls; NIST SP 800-37, Revision 1, Step 3, Task 3-1: Security Control Implementation.

6. The tiers of the National Institute of Standards and Technology (NIST) risk management framework are
A. operational, management, system.
B. confidentiality, integrity, availability.
C. organization, mission/business process, information system.
D. prevention, detection, recovery.
Answer: C. organization, mission/business process, information system.
According to NIST SP 800-39, 2.2 Multitiered Risk Management, the three tiers of the RMF are organization, mission/business process, and information systems. Answer A ("operational, management, system") is a distracter. Answer B ("confidentiality, integrity, availability") refers to security impacts of information and systems determined during categorization. Answer D relates to a common typology for security controls.
