Which of the following phases are defined in the system authorization plan (SAP)? - CORRECT ANSWER✅✅
• Phase 1 - Pre-certification
• Phase 2 - Certification
• Phase 3 - Authorization
• Phase 4 - Post-Authorization
Which of the following enables organizations to accomplish their missions by securing the IT systems that store, process, or transmit organizational information? - CORRECT ANSWER✅✅Risk management
The Risk Management Framework (RMF) provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. What are the characteristics of RMF? - CORRECT ANSWER✅✅
• Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes.
• Encourages the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems, supporting their core missions and business functions.
• Integrates information security into the enterprise architecture and system development life cycle.
• Provides emphasis on the selection, implementation, assessment, and monitoring of security controls, and authorization of information systems.
• Links risk management processes at the information system level to risk management processes at the organization level through a risk executive.
• Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems.
Which of the following statements reflect the 'Code of Ethics Canons' in the '(ISC)2 Code of Ethics'? - CORRECT ANSWER✅✅
• Protect society, the commonwealth, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principals
• Advance and protect the profession
Risk Management is used to identify, assess, and control risks. What are the objectives of risk management? - CORRECT ANSWER✅✅
• Enable organizations to accomplish their missions by securing the IT systems that store, process, or transmit organizational information.
• Enable management to make well-informed risk management decisions to justify expenses that are part of the IT budget.
• Assist management in authorizing (or accrediting) the IT systems.
Which of the following tasks includes developing, reviewing, and approving a plan to assess the security controls in step 4 of the RMF, known as Assess Security Controls? - CORRECT ANSWER✅✅Task 1 includes developing, reviewing, and approving a plan to assess the security controls.
RMF step 4 is known as Assess Security Controls. What are the different tasks of RMF step 4? - CORRECT ANSWER✅✅
1. The first task is to develop, review, and approve a plan to assess the security controls.
2. The second task is to assess the security controls in accordance with the assessment procedures defined in the security assessment plan.
3. The third task is to prepare a security assessment report, documenting the issues, findings, and recommendations from the security control assessment.
4. The fourth task is to conduct initial remediation actions on the security controls based on the recommendations of the security assessment report.
Risk management is a holistic activity that is fully integrated into every aspect of the organization. Which of the following are the risk-related concerns addressed by the three-tiered approach? - CORRECT ANSWER✅✅
1. The organization level
2. The mission and business process level
3. The information system level
Which of the following individuals is responsible for establishing an effective continuous monitoring program for the organization? - CORRECT ANSWER✅✅The chief information officer is responsible for establishing an effective continuous monitoring program for the organization. He also confirms that information systems are covered by a permitted security plan and monitored throughout the System Development Life Cycle (SDLC).
The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer? - CORRECT ANSWER✅✅
• Establishes an effective continuous monitoring program for the organization.
• Facilitates the continuous monitoring process for the organization.
• Preserves high-level communications and working group relationships in an organization.
• Confirms that information systems are covered by a permitted security plan and monitored throughout the System Development Life Cycle (SDLC).
• Manages and delegates decisions to employees in large enterprises.
• Proposes the information technology needed by an enterprise to achieve its goals and then works within a budget to implement the plan.
The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the roles of supporter and advisor, respectively. Which of the following statements are true about the ISSO and ISSE? - CORRECT ANSWER✅✅
• An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).
• An ISSE provides advice on the impacts of system changes.
• An ISSE provides advice on the continuous monitoring system.
Which of the following individuals are responsible for identifying, planning, documenting, overseeing, budgeting, maintaining, and monitoring the security of the individual systems in an organization? - CORRECT ANSWER✅✅The Information System Owner and the Information System Security Officer are responsible for identifying, planning, documenting, overseeing, budgeting, maintaining, and monitoring the security of the individual systems in an organization.
What are the responsibilities of a system owner? - CORRECT ANSWER✅✅The system owner is responsible for one or more systems, each of which may hold and process data owned by different data owners.
• A system owner is responsible for integrating security considerations into application and system purchasing decisions and development projects.
• The system owner is responsible for ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on.
• This role needs to ensure that the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner.