FedVTE CAP Exam 50 Questions with Verified Answers
Which of the following groups represents the most likely source of an asset loss through the inappropriate use of computers?
A. Employees
B. Hackers
C. Visitors
D. Customers - CORRECT ANSWER A. Employees
FISMA charges which one of the following agencies with the responsibility of overseeing the security policies and practices of all agencies of the executive branch of the Federal government?
A. Office of Management and Budget (OMB)
B. National Institute of Standards and Technology (NIST)
C. National Security Agency (NSA)
D. Department of Justice - CORRECT ANSWER A. Office of Management and Budget (OMB)
Which one of the following publications provides details of the monitoring security control?
A. NIST SP 800-53
B. NIST SP 800-42
C. NIST SP 800-37
D. NIST SP 800-41 - CORRECT ANSWER C. NIST SP 800-37
Which of the following statements about Discretionary Access Control List (DACL) is true?
A. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.
B. It specifies whether an audit activity should be performed when an object attempts to access a resource.
C. It is a unique number that identifies a user, group, and computer account.
D. It is a rule list containing access control entries. - CORRECT ANSWER A. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.
FIPS Publication 199 defines three levels of potential impact to the compromise of confidentiality, integrity, and availability. These levels are:
A. Minimum, Normal, Maximum
B. Low, Moderate, High
C. Unclassified, Confidential, Secret
D. Confidential, Secret, Top Secret - CORRECT ANSWER B. Low, Moderate, High
Which of the following individuals is responsible for monitoring the information system environment that can negatively impact the security of the system and its accreditation?
A. Chief Information Security Officer
B. Chief Information Officer
C. Chief Risk Officer
D. Information System Owner - CORRECT ANSWER D. Information System Owner
Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?
A. Senior Agency Information Security Officer
B. Authorizing Official
C. Common Control Provider
D. Chief Information Officer - CORRECT ANSWER C. Common Control Provider
Which of the following is not a standard phase in the System Authorization Process?
A. Pre-certification
B. Post-authorization
C. Post-certification
D. Certification - CORRECT ANSWER C. Post-certification
What is the potential impact if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States?
A. Low
B. Moderate
C. High
D. Limited - CORRECT ANSWER A. Low
An assessment procedure consists of a set of which things, each with an associated set of potential assessment methods and assessment objects?
A. Assessment objectives
B. Security controls
C. Operational requirements
D. Assessment objects - CORRECT ANSWER A. Assessment objectives
This process is used to determine if the security controls in the information system continue to be effective over time in light of the inevitable changes that occur in the system as well as the environment in which the system operates between authorization decisions.
A. Continuous monitoring
B. Configuration management
C. Vulnerability assessment
D. Certification and accreditation - CORRECT ANSWER A. Continuous monitoring
Whom does an organization require to conduct an impartial assessment of the security controls employed within or inherited by an information system?
A. Vendor assessor
B. Technical expert
C. Authorization assessor
D. Independent assessor - CORRECT ANSWER D. Independent assessor
Which of the following NIST documents provides a guideline for identifying an information system as a National Security System?
A. NIST SP 800-59
B. NIST SP 800-53
C. NIST SP 800-60
D. NIST SP 800-37 - CORRECT ANSWER A. NIST SP 800-59
Subsequent to a security breach, which of the following types of control is used with the intention of limiting the extent of damage caused by the incident?
A. Corrective controls
B. Preventive controls
C. Change controls
D. Incident controls - CORRECT ANSWER A. Corrective controls
What process should be initiated when changes to the information system negatively impact the security of the system or when a period of time has elapsed as specified by agency or federal policy?
A. IS audit
B. Systems acquisition
C. Reauthorization
D. Reclassification of data - CORRECT ANSWER C. Reauthorization
Which of the following documents can best aid in selecting controls to be monitored?
A. NIST SP 800-37
B. FISMA
C. FIPS 199
D. NIST SP 800-18 - CORRECT ANSWER C. FIPS 199
Applying the first three steps in the RMF to legacy systems can be viewed in what way to determine if the necessary and sufficient security controls have been appropriately selected and allocated?
A. Sequential
B. Level of effort
C. Gap analysis
D. Common control - CORRECT ANSWER C. Gap analysis
Under which type of access control do user ID and password systems fall?
A. Physical
B. Administrative
C. Power
D. Technical - CORRECT ANSWER D. Technical
Which role in the security authorization process is responsible for organizational information systems?
A. IS program manager
B. Designated authorizing official
C. Certification agent
D. User representative - CORRECT ANSWER B. Designated authorizing official
What assessment procedure is designed to work with and complement the assessment procedures to contribute to the grounds for confidence in the effectiveness of the security controls employed in the information system?
A. Extended
B. Subordinate
C. Based
D. Cross control - CORRECT ANSWER A. Extended
Why would an authorization decision result in a determination of Not Authorized?
A. If the system is not authorized (NA) to process classified information.
B. If it is deemed that the agency level risk is unacceptably high.
C. If the system is mission critical and requires an interim authority to operate.
D. The information system is always accredited without any restrictions or limitations on its operation. - CORRECT ANSWER B. If it is deemed that the agency level risk is unacceptably high.
Which of the following persons is responsible for testing and verifying whether the security policy is properly implemented and the derived security solutions are adequate or not?
A. Data owner
B. Data custodian
C. User
D. Auditor - CORRECT ANSWER D. Auditor
FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?
A. Level 2
B. Level 1
C. Level 5
D. Level 3 - CORRECT ANSWER D. Level 3
When does monitoring security controls take place?
A. Before the initial system certification
B. After the initial system security authorization
C. Before and after the initial system security accreditation
D. During the system design phase - CORRECT ANSWER B. After the initial system security authorization
NIST SP 800-53A defines three types of interview depending on the level of assessment conducted. Which of the following NIST SP 800-53A interview types consists of informal and ad hoc interviews?
A. Substantial
B. Abbreviated
C. Comprehensive
D. Significant - CORRECT ANSWER B. Abbreviated
The British Standard BS7799 was the basis for which of the following standards?
A. ISO/IEC 154508
B. ISO/IEC 17799
C. ICO/ICE 17799
D. Executive Order (E.O.) 13231 - CORRECT ANSWER B. ISO/IEC 17799
If an organization shares a client's financial and personal details with other companies without the prior consent of the individuals concerned, which of the following Internet laws is that organization violating?
A. Security law
B. Copyright law
C. Privacy law
D. Trademark law - CORRECT ANSWER C. Privacy law
Which of the following NIST Special Publication documents provides a guideline on network security testing?
A. NIST SP 800-53A
B. NIST SP 800-53
C. NIST SP 800-42
D. NIST SP 800-37 - CORRECT ANSWER C. NIST SP 800-42
How many steps are defined in the RMF process?
A. Three
B. Four
C. Six
D. Five - CORRECT ANSWER C. Six
Which of the following statements about the authentication concept of information security management is true?
A. It ensures that modifications are not made to data by unauthorized personnel or processes.
B. It determines the actions and behaviors of a single individual within a system and identifies that particular individual.
C. It ensures the reliable and timely access to resources.
D. It establishes the identity of users and ensures that the users are who they say they are. - CORRECT ANSWER D. It establishes the identity of users and ensures that the users are who they say they are.
Which of the following classification levels defines information that, if disclosed to unauthorized parties, could reasonably be expected to cause exceptionally grave damage to national security?
A. Top Secret information
B. Secret information
C. Confidential information
D. Unclassified information - CORRECT ANSWER A. Top Secret information
Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?
A. The data owner implements the information classification scheme after the initial assignment by the custodian.
B. The custodian implements the information classification scheme after the initial assignment by the operations manager.
C. The data custodian implements the information classification scheme after the initial assignment by the data owner.
D. The custodian makes the initial information classification assignments and the operations manager implements the scheme. - CORRECT ANSWER C. The data custodian implements the information classification scheme after the initial assignment by the data owner.
FIPS 200 provides how many minimum security requirements for federal information and information systems? The requirements represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting the CIA of federal information and information systems.
A. 5
B. 17
C. 21
D. 10 - CORRECT ANSWER B. 17
This stakeholder's involvement is required to determine acceptable residual risk; the stakeholder also advises the development team if the risks associated with eventual operation of the system appear to be unacceptable.
A. Authorization Official
B. Acceptance Official
C. Accreditation Officer
D. Assessment Officer - CORRECT ANSWER C. Accreditation Officer
Security categorization of a National Security System must consider the security categories of all information types resident on it.
A. True
B. False - CORRECT ANSWER A. True
During the security impact analysis, vulnerabilities were uncovered in the information system. Which of the following documents should address the outstanding items?
A. Plan of action and milestones
B. System security plan
C. System discrepancy plan
D. System deficiency plan - CORRECT ANSWER A. Plan of action and milestones
Which of the following governance bodies directs and coordinates implementations of the information security program?
A. Chief Information Security Officer
B. Information Security Steering Committee
C. Senior Management
D. Business Unit Manager - CORRECT ANSWER A. Chief Information Security Officer
The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner. The authorization decision document contains all of the following information except?
A. Authorization decision
B. Terms and conditions for the authorization
C. Approving revisions to the SSAA
D. Authorization termination date - CORRECT ANSWER C. Approving revisions to the SSAA
Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?
A. FISMA
B. Computer Fraud and Abuse Act
C. Lanham Act
D. Computer Misuse Act - CORRECT ANSWER A. FISMA
The security authorization package contains multiple key documents enabling authorizing officials to make risk-based authorization decisions. Which of the following documents is not part of the package?
A. The security plan
B. The security assessment report
C. The plan of action and milestones
D. The security service level agreements - CORRECT ANSWER D. The security service level agreements
Which of the following would be an accurate description of the role of the ISSO in the RMF process?
A. The ISSO determines whether a system is ready for certification and conducts the certification process.
B. The operational interests of system users are vested in the ISSO.
C. The ISSO coordinates all aspects of the system from initial concept through development to implementation and system maintenance.
D. The ISSO is responsible to the DAA for maintaining the appropriate operational security posture for an information system or program. - CORRECT ANSWER D. The ISSO is responsible to the DAA for maintaining the appropriate operational security posture for an information system or program.
Which of the following activities is not an element of monitoring security controls?
A. Operation and maintenance
B. Security control monitoring and impact analyses
C. Status reporting and documentation
D. Configuration management and control - CORRECT ANSWER A. Operation and maintenance
The guidelines in this publication apply to the security controls defined in NIST Special Publication 800-53 in an effort to enable more consistent, comparable, and repeatable assessments of security controls.
A. SP 800-53
B. SP 800-53A
C. SP 800-37
D. FIPS 200 - CORRECT ANSWER B. SP 800-53A
Change management is initiated under which phase?
A. Select security controls
B. Categorize information system
C. Authorize information system
D. Monitor security controls - CORRECT ANSWER D. Monitor security controls
Who is primarily responsible for categorizing the Information System?
A. IS program manager
B. CIO
C. Information system owner
D. System architect - CORRECT ANSWER C. Information system owner
What is the potential impact if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States?
A. Low
B. Moderate
C. Severe
D. High - CORRECT ANSWER D. High
Concerning residual risk, which of the following statements is true?
A. It is a weakness or lack of control that can be exploited by a risk.
B. It is an indicator of threats coupled with vulnerability.
C. It is the possible risk after implementing all security measures.
D. It is the possible risk prior to implementing all security measures. - CORRECT ANSWER C. It is the possible risk after implementing all security measures.
FISMA assigned the responsibility for developing standards to be used by all Federal agencies to categorize all information and information systems to which one of the following organizations?
A. OMB
B. NIST
C. NSA
D. DoD - CORRECT ANSWER B. NIST
Which of the following is a standard that sets essential requirements for assessing the effectiveness of computer security controls built into a computer system?
A. FITSAF
B. TCSEC
C. FIPS
D. SSAA - CORRECT ANSWER B. TCSEC
The first item listed in the system security plan is the system name and identifier. As required in OMB Circular A-11, each system should be assigned a name and unique identifier. The assignment of a unique identifier supports the agency's ability to do what?
A. Collect agency information and security metrics specific to the system.
B. Establish budget auditability.
C. Identify risks associated with location.
D. Create an RTM. - CORRECT ANSWER A. Collect agency information and security metrics specific to the system.