CAP PRACTICE EXAM QUESTIONS
AND DETAILED ANSWERS LATEST
EDITION (COMPLETELY VERIFIED)
Which one of the following roles is responsible for testing the non-technical controls in an
information system? - ANS -Security Control Assessor
Which reference provides detailed guidance on risk mitigation for the State Department? - ANS -
SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
Which of the following roles has the responsibility to ensure that the enterprise architecture
supports the mission and business? - ANS -Information Security Architect
During which step of the Risk Management Framework (RMF) does the Information System
Owner register the information system? - ANS -Categorize Information System
Who signs the authorization decision letter? - ANS -Authorizing Official
Who develops and maintains information security policies, procedures, and control techniques
to address all applicable requirements? - ANS -Chief Information Officer
A weakness in an information system, system security procedures, internal controls, or
implementation that could be exploited by a threat source is the definition of which key term? -
ANS -Vulnerability
Who procures, develops, integrates, or modifies an information system? - ANS -Information
System Owner
Who has the responsibility to prepare the plan of action and milestones based on the findings
and recommendations of the security assessment report? - ANS -Common Control Provider
You have just completed the Risk Assessment defined by NIST SP 800-30. What reference
identifies the risk management strategy alternatives that can be applied to the information
system? - ANS -NIST SP 800-53
In which phase of the NIST SP 800-30 process does one produce the first full Risk Assessment
Report (RAR)? - ANS -Step 2
Which step of the NIST SP 800-30 process would most likely identify the CVE database as a risk
assessment information source? - ANS -Step 1
Organizations should view assessments as an information gathering activity, not as a security
producing activity. In accordance with NIST SP 800-53A, security control assessments create the
following benefits: identify potential problems or shortfalls in the organization's implementation
of the NIST Risk Management Framework; support budgetary decisions and capital investment
processes, and: - ANS -Support information system authorization decisions.
The last step in the Risk Assessment process model is called? - ANS -Maintain
When using NIST SP 800-53A, during which SDLC phase are security assessments used to
increase confidence or assurance that the security controls are working correctly for a system? -
ANS -Development, Implementation, and Operations and Maintenance
Which of these is a valid response to address risk? - ANS -Accept the risk to the system
OMB Circular A-130 states information security must: - ANS -Be risk-based and cost effective
In accordance with Public Law 107-347, Executive Agencies must: - ANS -Authorize system
processing prior to operation
Adequate Security is: - ANS -Commensurate with risk
In the Risk Management Framework as described in NIST SP 800-37, what is the next task after
"Information System Registration" called? - ANS -Common Control Identification
Which role has PRIMARY responsibility for ongoing remediation actions? - ANS -Information
System Owner
Security Control Assessments try to determine if the controls are - ANS -Producing the desired
results or outcomes
Which of the following terms are used in NIST SP 800-60 to describe information that would
have a serious impact on the operation of the organization if confidentiality were breached? -
ANS -Moderate because it concerns data sensitivity
What is the minimum frequency at which periodic testing and evaluation of the effectiveness of
policies should be done? - ANS -Annually
The primary reference for development of a System Security Plan is? - ANS -NIST SP 800-18
NIST SP 800-53A describes assessment objects as specific items to be assessed and includes the
following: mechanisms; activities; individuals and? - ANS -Specifications