CASP 003 EXAM 2025 QUESTIONS
AND ANSWERS
Risk Management Process - ....ANSWER ...-1. identification 2. assessment 4.
analyzation 5. mitigation
NIST SP 800-39 RMF six unique stages - ....ANSWER ...-1. categorize the info
systems and data 2. select security controls 3. implement controls 4. assess the
effectiveness of the controls 5. authorize the info system 6. monitor the controls
(CSIAAM)
ISO/IEC 27000 - ....ANSWER ...-The ISO/IEC 27000-series (also known as the
'ISMS Family of Standards' or 'ISO27K' for short) comprises information security
standards published jointly by the International Organization for Standardization (ISO)
and the International Electrotechnical Commission (IEC).[1]
The series provides best practice recommendations on information security
management (the management of information risks through information security
controls) within the context of an overall Information Security Management System
(ISMS), similar in design to management systems for quality assurance (the ISO 9000
series), environmental protection (the ISO 14000 series) and other management systems.
Gramm-Leach-Bliley Act - ....ANSWER ...-requires financial institutions to ensure
the security and confidentiality of customer data (PII)
...©️ 2025, ALL RIGHTS RESERVED 1
Sarbanes-Oxley Act of 2002 - ....ANSWER ...-established requirements for proper
financial record keeping for public companies and penalties of as much as 25 years in
prison for noncompliance
FISMA - ....ANSWER ...-Federal Information Security Management Act - US law that requires
federal agencies to create, document and implement a security program
PCI DSS - ....ANSWER ...-payment card industry data security standard - security
standards for credit card companies to protect transactions and data. It is a contractual
requirement although some states treat it as law.
EU Directive 2002/58/EC and 2009/136/EC - ....ANSWER ...-2002 directive -
aimed at privacy and electronic communications service providers to provide security
with services. 2009 directive - amended to require user consent before cookies are
installed (the cookie law)
GDPR (General Data Protection Regulation) - ....ANSWER ...-New European
Union law on data protection and privacy for individuals for all EU citizens
Cloud Act - ....ANSWER ...-bill the U.S. created in 2018 that empowers the government to
issue warrants that compel American businesses to pull data from their servers, whether stored
locally or internationally
COBIT (Control Objectives for Information and related Technology) -
....ANSWER ...-Framework set of best practices for IT management created by
ISACA and the ITGI, assists orgs in maximizing the benefits from the use of information
technology
HITECH - ....ANSWER ...-Health Information Technology for Economic and
Clinical Health Act - widens the scope of privacy and security protections available
under HIPAA, imposes data breach notification requirements, increases legal liability for
noncompliance, and extends to software vendors of electronic medical records.
Deperimeterization - ....ANSWER ...-occurs when an organization moves
employees outside its firewall, a growing movement to change the way corporations
address technology security
BYOD - ....ANSWER ...-makes it possible for users to be free to use their personal
devices to access a corporate or a campus network
COPE (Corporate Owned, Personally Enabled) - ....ANSWER ...-Bridges the gap
by providing corporate owned resources that employees can use for personal tasks.
CYOD (Choose Your Own Device) - ....ANSWER ...-Enables employees to choose
from a list of company approved choices.
MDM (mobile device management) - ....ANSWER ...-An effort to add controls to an
enterprise environment.
Can push security policies and applications while also monitoring devices
NIST 800-53 - ....ANSWER ...-Framework that recommends security controls for
federal info systems and organizations except those designed for national security.
FIPS 199 - ....ANSWER ...-Standards for Security Categorization of Federal
Information and Information Systems. Categorizes info systems as low, moderate,
or high for each of confidentiality, integrity and availability (CIA). The highest score across
the three is the overall category for that system.
Risk Analysis Goals - ....ANSWER ...-1. identify assets and their value 2. identify
vulnerabilities and threats 3. calculate threat probability and impact 4. balance threat
impact with cost of control
SLE (Single Loss Expectancy) - ....ANSWER ...-SLE is the total of hardware, labor
costs and downtime costs for one incident. SLE is equal to asset value times exposure
factor. SLE = AV × EF
ALE (Annual Loss Expectancy) - ....ANSWER ...-a monetary measure of how
much loss you could expect in a year, equal to SLE times the annualized rate of occurrence (ARO).
ALE = SLE × ARO
NIST 800-30 Guide for conducting risk assessments (6 steps) - ....ANSWER ...-1.
identify assets and their value 2. identify threats. 3. identify vulnerabilities. 4. determine
likelihood 5. identify impact 6. determine risk of likelihood and impact
NIST 800-34 contingency planning guide (7 steps) - ....ANSWER ...-1. develop a
policy for contingency planning 2. conduct a BIA 3. identify preventative controls 4.
create recovery strategies 5. develop the BCP 6. test, train and exercise the BCP 7.
maintain the BCP
Security Policy Categories - ....ANSWER ...-regulatory - mandated. advisory -
recommendations. information - gentle reminders.
SABSA (Sherwood Applied Business Security Architecture) Framework -
....ANSWER ...-framework and methodology for enterprise security architecture
and service management