ISC2 CAP Exam Prep Questions with 100% Correct Answers 2024

ISC2 CAP Exam Prep Questions with 100% Correct Answers 2024 In FIPS 199, a loss of Confidentiality is defined as - answerThe unauthorized disclosure of information In FIPS 199, a loss of Integrity is defined as - answerThe unauthorized modification or destruction of information In FIPS 199, a loss of Availability is defined as - answerThe disruption of access to or use of information NIST Special Publication 800-53 r4 - answerFIPS 200 Mandated - A catalog of security controls. Defines three baselines (L, M, H). Initial version published in 2005. None - answerThis FIPS document can be waived Inherited - answerAn organizations information systems are a mix of Windows and UNIX systems located in a single computer room. Access to the computer room is restricted by the door locks that require proximity cards and personal identification numbers (PINS). Only a small percentage of the organizations employees have access to the computer room. The computer room access restriction is an example of what type of security control relative to the hardware in the computer room? Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system - answerAn information system is currently in the initiation phase of the SDLC and has been categorized high impact. The information system owner wants to inherit common controls provided by another organization information system that is categorized moderate impact.. How does the information system owner ensure that the common controls will provide adequate protection for the information system? Active involvement by authorizing officials in the ongoing management of information system- related security risks. - answerAn effective security control monitoring strategy for an information system includes... All Steps - answerIn which steps is the security plan updated (Categorize, Implement, or Monitor) An enterprise security authorization program is considered successful when - answerA) provides an effective means of meeting requirements B) permits efficient oversight of its activities C) provides assurance that controls are implemented at the system level Hybrid - answerA large organization has a documented information system policy that has been reviewed and approved by senior officials and is readily available to all organizational staff. This information security policy explicitly addresses each of the 17 control families in NIST SP 800-53, Revision.3. Some system owners also established procedures for the technical class of security controls on certain of their systems. In their respective system security plans, control AC-1 Access Control Policy and Procedures (a technical class security control) must be identified as what type of control? NIST Special Publication 800-37, Revision 1 - answerThis manual defines the RIsk Management Framework NIST Special Publication 800-30 - answerThis manual defines how to conduct a risk assessment FISMA - answerFederal Information Security Management Act Federal Information Security Management Act (FISMA) - answerThis raised visibility through government on certification, accreditation and system authorizations and follows NIST SP 800- 37 SDLC phases within the RMF in order - answer1) Initiation 2) Development/Acquisition 3) Implementation 4) Operation/Maintenance 5) Disposal Information System Owner (ISO) - answerThis organizational official is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system. FIPS 200 - answerThis document specifies security requirements for federal information and information systems in 17 security-related areas that represent a broad-based, balanced information security program. Specifies that a minimum baseline of security controls, as defined in NIST SP 800-53, will be implemented. Specifies that the baselines are to be appropriately tailored. Leveraged - answerWhich authorization approach (leveraged, single, and joint or site specific) considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of other organizations? Authorizing Official (AO) - answerWhen an authorization to operation (ATO) is issued, this role authoritatively accepts residual risk on behalf of the organization. Information Technology Systems - answerThe objective of system authorization is to ensure the security of... Will NEVER have a primary role in any RMF step tasks - answerA) Information system security officer (ISSO) B) Information system security engineer (ISSE) Authorizing Official (AO) - answerWho does the Security Control Assessor (SCA) report directly to? Independence and Technical Confidence - answerThe two basic traits a Security Control Assessor (SCA) must have Successful information technology develops separate security perimeters covering individual critical resources according to the system boundaries rather than one perimeter to cover all critical resources. This works because... - answerA) Systems are distance B) Their limits can be defined in practical terms C) Security is comparatively easy to implement at system level Authorizing Official (AO) - answerThe Information System Owner (ISO) is appointed by this person Chief Information Officer (CIO) - answerThe Common Control Provider (CCP) is appointed by this person Certification - answerThe process to assess effectiveness of security controls NIST Special Publication 800-53, Revision 4 - answerThis publication introduces the new family Program Management as well as eight additional security and privacy control families to the FIPS 200 17 security control families. The three Risk Management core components - answerA) Risk Assessment (understand what can go wrong) B) Risk Mitigation (identify how risk is managed) C) Security Control (must be planned and budgeted) Accreditation - answerManagement decision (based on the assessment) to permit an information system to operate at its current security posture. The documents required for the accreditation package are... - answerA) Security plan B) Security assessment report C) Plan of action and milestones CPIC - answerCapital Planning and Investment Controls Capital Planning and Investments Controls includes the following... - answerA) How systems are funded B) Supplemental funding for new or improved security control implementation NIST classifications of security controls - answerA) System specific B) Hybrid C) Common After an information system has been certified, the Senior Information Security Officer (SISO) needs to: - answerA) Monitor system's compliance with requirements B) Measure progress of corrective actions addressing weaknesses C) Track accepted risks The steps in the Authorization Process - answer1) Risk management 2) Near real-time awareness 3) Automation 4) Program management 5) Continuous monitoring NIST SP 800-39 - answerThis publication addresses risk management from an Enterprise perspective NIST SP 800-30 - answerThis publication provides the approach for performing system-level risk assessments and risk prioritization NIST SP 800-60 - answerThis publication defines the types of information needed by the organization to successfully carry out identified mission and business processes and define organization's internal/external information flows.