Which of the following documents is mostly used in RMF step 5? - CORRECT ANSWER✅✅NIST SP 800-37
SDLC stands for Systems Development Life Cycle. Which of the following are documented in an SDLC
guideline to provide utility? - CORRECT ANSWER✅✅•Insight into the major activities and
milestones
•Decision points or control gates
•Specified outputs that provide vital information into the system design
•Project accomplishments
•System maintenance, security, and operational considerations
Which of the following tasks are performed by the information custodian? - CORRECT ANSWER✅✅•Performs
data restoration from the backups whenever required.
•Runs regular backups and routinely tests the validity of the backup data.
•Maintains the retained records in accordance with the established information classification policy.
•Administers the classification scheme occasionally.
Which of the following are responsibilities of an information system owner (ISO)? - CORRECT
ANSWER✅✅•Maintains the system security plan and ensures that the system is deployed
•Assists in the identification, implementation, and assessment of the common security controls
•Updates the system security plan whenever a significant change occurs
Which of the following statements about the availability concept of information security management is
true? - CORRECT ANSWER✅✅It ensures reliable and timely access to resources.
Vulnerability discovery covers the identification of vulnerabilities and includes the following
methods: - CORRECT ANSWER✅✅•Dynamic code analysis assesses a running application for
vulnerabilities that could be exploited from an application user's perspective.
•Network vulnerability scanning probes operating systems, databases, and firewalls so that deployed
information technology services do not expose vulnerabilities that are reachable from the Internet.
•Security health checking uses scripts to assess the configurations of local and network services of
operating systems, databases, middleware packages, and applications for weaknesses that could lead to
exploitable vulnerabilities.
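The security health checking method above, as an added example that is not part of this study guide: a small Python script that parses an sshd_config-style file and flags settings that weaken the service. The sample configuration is constructed for the example, and the hardening expectations, severities and MaxAuthTries threshold are the example's own assumptions rather than a published baseline.

```python
"""Security health check over a service configuration (added example, not
from the study guide). Parses OpenSSH sshd_config syntax and reports
settings that fall outside an assumed hardening baseline."""
import re

# Constructed sample configuration (assumed input for the example).
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 10
"""

# Assumed baseline: option -> (allowed values, severity if violated).
# Option names are lower-cased because sshd treats them case-insensitively.
EXPECTED = {
    "permitrootlogin": ({"no", "prohibit-password"}, "high"),
    "passwordauthentication": ({"no"}, "medium"),
    "permitemptypasswords": ({"no"}, "high"),
    "protocol": ({"2"}, "high"),
    "x11forwarding": ({"no"}, "low"),
}
MAX_AUTH_TRIES = 4  # assumed threshold


def parse_sshd_config(text):
    """Return {option: value} from 'Option value' or 'Option=value' lines.

    Comments and blank lines are dropped. As in sshd, the first occurrence
    of an option wins. Match blocks are not modelled by this example.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def health_check(settings):
    """Return a list of (option, observed_value, severity) findings.

    Options that are absent are skipped on purpose: their effective value is
    the sshd default, which varies by version, so it is not assumed here.
    """
    findings = []
    for option, (allowed, severity) in EXPECTED.items():
        observed = settings.get(option)
        if observed is None:
            continue
        if observed.lower() not in allowed:
            findings.append((option, observed, severity))
    tries = settings.get("maxauthtries")
    if tries is not None and tries.isdigit() and int(tries) > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", tries, "low"))
    return findings


def check_text(text):
    """Parse a configuration and run the health check over it."""
    return health_check(parse_sshd_config(text))


if __name__ == "__main__":
    for option, observed, severity in check_text(SAMPLE_SSHD_CONFIG):
        print(f"[{severity:6}] {option} = {observed}")
```

Run against the sample, the script reports root login, password authentication, X11 forwarding and the MaxAuthTries value; Protocol and PermitEmptyPasswords pass. Real health checking extends the same pattern to other services and to the defaults of the installed version.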
Which of the following DoD directives refers to the Defense Information Management (IM) Program? -
CORRECT ANSWER✅✅DoDD 8000.1: This DoD directive refers to the 'Defense Information
Management (IM) Program'.
Which of the following is an authorization of a DoD information system to process, store, or transmit
information? - CORRECT ANSWER✅✅Approval to Operate (ATO) is an authorization of a DoD
information system to process, store, or transmit information.
Which of the following governance bodies directs and coordinates implementations of the information
security program? - CORRECT ANSWER✅✅The chief information security officer (CISO) directs and
coordinates implementations of the information security program.
Describe Passive and Active acceptance responses - CORRECT ANSWER✅✅•Passive acceptance: A
strategy in which no plans are made to avoid or mitigate the risk; it is dealt with if and when it occurs.
•Active acceptance: Contingency reserves are set aside in advance to deal with the risk in case
it occurs.
Jason works as a senior organizational official in uCertify Inc. He wants to create new corporate policies.
Which of the following key points should he keep in mind while accomplishing his task? - CORRECT
ANSWER✅✅•Be clear and unambiguous
◦Legal and Regulatory obligations
◦Responsibilities (Ownership)
•Strategic approach
◦Adherence to standards
◦Use of common methods
•Approach to Risk Management
•Scope
◦Business Processes
◦Technology
◦Physical Security
•Action in the event of Policy Breach
Which of the following recovery plans includes specific strategies and actions to deal with specific
variances to assumptions resulting in a particular security problem, emergency, or state of affairs? -
CORRECT ANSWER✅✅A contingency plan is a plan devised for a specific situation when things could go
wrong. Contingency plans include specific strategies and actions to deal with specific variances to
assumptions resulting in a particular problem, emergency, or state of affairs. They also include a
monitoring process and triggers for initiating planned actions.
Choose and reorder the required levels of FITSAF based on SEI's Capability Maturity Model (CMM). -
CORRECT ANSWER✅✅•Level 1: The first level reflects that an asset has documented a security policy.
•Level 2: The second level shows that the asset has documented procedures and controls to implement
the policy.
•Level 3: The third level indicates that these procedures and controls have been implemented.
•Level 4: The fourth level shows that the procedures and controls are tested and reviewed.
•Level 5: The fifth level is the final level and shows that the asset has procedures and controls fully
integrated into a comprehensive program.
An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing
Official? - CORRECT ANSWER✅✅•Ascertains the security posture of the organization's information
system.
•Reviews security status reports and critical security documents.
•Determines the requirement of reauthorization and reauthorizes information systems when required.
Which of the following steps come under the IT contingency planning process? - CORRECT
ANSWER✅✅Step 1: Develop the contingency planning policy statement
Step 2: Conduct the business impact analysis (BIA)
Step 3: Identify preventive controls
Step 4: Develop recovery strategies
Step 5: Develop the contingency plan
Step 6: Plan testing, training, and exercises
Step 7: Plan maintenance