OFFICIAL (ISC)² CAP - CHAPTER 1: PREPARE QUESTIONS AND ANSWERS 2024/2025
Assessor - ANS >>The individual, group, or organization responsible for conducting a security or privacy
assessment.
Asset - ANS >>System and subsystem components that must be protected, including but not limited to:
all hardware, software, data, personnel, supporting physical environment and environmental systems,
administrative support and supplies.
Authorization Boundary - ANS >>All components of an information system to be authorized for operation
by an authorizing official. This excludes separately authorized systems to which the information system is
connected.
Authorizing Official - ANS >>A senior federal official or executive with the authority to authorize (i.e.,
assume responsibility for) the operation of an information system or the use of a designated set of
common controls at an acceptable level of risk to agency operations (including mission, functions, image,
or reputation), agency assets, individuals, other organizations, and the nation.
Authorizing Official Designated Representative - ANS >>An organizational official acting on behalf of an
authorizing official in carrying out and coordinating the required activities associated with the
authorization process.
Availability - ANS >>Ensuring timely and reliable access to and use of information.
Capability - ANS >>A combination of mutually reinforcing controls implemented by technical means,
physical means, and procedural means. Such controls are typically selected to achieve a common
information security or privacy purpose.
Adequate Security - ANS >>Security protections commensurate with the risk resulting from the
unauthorized access, use, disclosure, disruption, modification, or destruction of information. This
includes ensuring that information hosted on behalf of an agency and information systems and
applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and
availability protections through the application of cost-effective security controls.
Chief Information Officer - ANS >>The senior official that provides advice and other assistance to the
head of the agency and other senior management personnel of the agency to ensure that IT is acquired
and information resources are managed for the agency in a manner that achieves the agency's strategic
goals and information resources management goals; and is responsible for ensuring agency compliance
with, and prompt, efficient, and effective implementation of, the information policies and information
resources management responsibilities, including the reduction of information collection burdens on the
public.
Chief Information Security Officer - ANS >>See Senior Agency Information Security Officer.
Common Control - ANS >>A security or privacy control that is inherited by multiple information systems
or programs.
Common Control Provider - ANS >>An organizational official responsible for the development,
implementation, assessment, and monitoring of common controls (i.e., controls inheritable by
organizational systems).
Confidentiality - ANS >>Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information.
Application - ANS >>A software program hosted by an information system.
Continuous Monitoring - ANS >>Maintaining ongoing awareness to support organizational risk decisions.
Continuous Monitoring Program - ANS >>A program established to collect information in accordance
with preestablished metrics, utilizing information readily available in part through implemented security
controls.
Note: Privacy and security continuous monitoring strategies and programs can be the same or different
strategies and programs.
Control - ANS >>See security control and privacy control.