Certified Authorization Professional 1. What is included in the Plan of Action and Milestones (POA&M) that is presented in the Authorizing Official (AO) as part of the initial authorization package? A. All items identified throughout the Risk Management Framework (RMF) process B. Only volatile findings that require prioritization in remediation C. Deficiencies that have not yet been remediate and verified throughout the Risk Management Framework (RMF) process D. Only findings that have evaluated as moderate or high 2. What are the steps of a risk assessment? A. B. C. D. Prepare, Conduct, Communicate, Maintain Prepare, Conduct, Communicate Prepare, Communicate, Conduct Prepare, Communicate, Maintain, Conduct 3. Which of the following cannot be delegated by the Authorizing Official (AO)? A. Certificate resources** B. Authorization decision C. Acceptance of Security Plan (SP) D. Determination of risk to agency operations. 4. Configuring an Information System (IS) to prohibit the use of unused ports and protocols A. Helps provide least privilege B. Helps provide least functionality C. Streamlines the functionality of the system D. Violates configuration management best practice 5. The Authorization boundary of a system undergoing assessment includes A. The Information System (IS) components to be authorized for operation B. The Information (IS) components to be authorized for operation and any outside system it connects to C. Any components or systems the Information Owner (IO) states should be included in the assessment D. Any components found within the given Internet Protocol (IP) range 6. Which of the following BEST describes a government-wide standard for security Assessment and Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for federal agencies and Cloud Service Providers (CSP)? A. Federal Risk and Authorization Management Program (FedRAMP) B. National Institute of Standards and Technology (NIST) C. Federal Information Technology Acquisition Reform Act (FITARA) D. National Cyber Security Program (NCSP) ---------- page 2 ---------7. All Federal agencies are required by law to conduct which of the following activities? A. Protect Information Systems (IS) used or operated by a contractor of an agency or other organization on behalf of an agency B. Coordinate with the National Institutes of Standards and Technologies (NIST) to develop binding operational directives C. Report the effectiveness of information security policies and practices to the Office of Personnel Management (OPM) D. Monitor the implementation of information security policies and practices of other agencies to ensure compliance 8. What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy? A. Create expedited assessment process for cost savings B. Maintain visibility of an organization’s high-cost controls C. Support organization risk management decisions D. Assess the organizational tiers 9. An organization is developing a risk assessment for a newly installed Information System (IS) to determine the best configuration or a supporting Information Technology (IT) product. Which of the following specific factors is often overlooked in this analysis? A. Exposure of interconnections to organizational core mission functions B. Effectiveness of inherited security controls C. Cost benefits that can be gained from a broad-based security implementation D. Implementation of stove-piped activities that enhance security solutions 10. If an assessment of a common control determines that it is not effective, what documentation is required? A. Letter describing findings sent to system owners using the common control B. Security Plan (SP) addendum for each system using the common control C. Plan of Action and Milestones (POA&M) D. Continuous monitoring plan 11. As part of an annual Federal Information Security Management Act (FISMA) compliance audit the inspector general security program review has identified vulnerabilities to an Information System (IS) in an operational division, which of the following activities is the MOST likely to occur? A. Update the Plan of Action and Milestones (POA&M) B. Perform additional security scans of systems C. Update the Security Plan (SP) immediately D. Revoke the Authorization to Operate (ATO) 12. Which of the following documents provides a function description of the Information System (IS) control implementation? A. Security and Privacy assessment reports B. Security and Privacy Plans C. Plans of Action and Milestones (POA&M) D. Risk Assessment Report ---------- page 3 ----------13. Which is the likelihood that security controls with a low level of volatility will change? A. Likely to change from year to year B. Unlikely to change from year to year C. Likely to change during system upgrades D. Unlikely to change during system upgrades 14. A System Owner (SO) is implementing a new system with their existing organization Information Technology (IT) environment. What objectives are considered when determining possible impact to risk? A. Low, Moderate, and High B. Authentication, Authorization, and Accountability C. Common, Hybrid, and System-Specific D. Integrity, Confidentiality, and Availability 15. Besides the System Owner (SO), what role has the PRIMARY responsibility for implementing the security controls into the security and privacy plans for the Information Systems (IS?) A. System Security Officer B. System administrator C. Common Control Provider (CCP) D. Information Owner 16. In order to receive an Authorization to Operate (ATO), the Plan of Action and Milestones (POA&M) MUST A. Be implemented within 90 days B. Have all vulnerabilities mitigated C. Be implemented after the ATO is granted D. Address the remaining vulnerabilities 17. Which of the following documents is updated when a vulnerability is discovered during continuous monitoring? A. Plan of Action and Milestones (POA&M)** B. Business Impact Analysis (BIA) C. Security Assessment Report (SAR) D. Incident Response Plan (IRP) 18. The process of uniquely assigning information resources to an Information System (IS) defines the A. Overall security management program B. Authorization boundary C. Rules of engagement D. Acceptable risk 19. The PRIMARY benefit of documenting the control implementation is that it A. Protects the Information Owner/Steward B. Allows traceability of deployment decisions taken C. Supports the Plan of Action and Milestones (POA&M) D. Demonstrates the use of sound information system methodologies ---------- page 4 ---------20. What is used by System Owners (SO) to establish a disciplined and structured process to monitor the residual risk in the Information System (IS)? A. Security and privacy assessment reports B. Security and privacy assessment plans C. Plan of Action and Milestones (POA&M) D. Security Plan (SP) 21. In the security and privacy assessment reports, the control assessor identified some weaknesses and proposed initial remediation actions. Based on the identified weaknesses, it is determined that certain findings are inconsequential and present no threat to the organization. Who is PRIMARILY responsible for determining the initial risk response? A. System Owner (SO) B. System Security Officer C. Authorizing Official (AO) D. Risk executive (function) 22. When addressing Configuration Management (CM), why is it MOST important to document the proposed changes? A. It is mandated by the federal Information Security Management Act (FISMA) B. It can affect the overall security and privacy posture of the system C. It is required for authorization to operate D. It will be used across accreditation boundaries 23. What is a KEY consideration when selecting a media sanitization method of destruction tool when decommissioning an Information System (IS)? A. Accountability B. Confidentiality C. Availability D. Integrity 24. The potential impact value “not applicable” applies to which of the following security objectives A. Confidentiality B. Availability C. Integrity D. Non-repudiation 25. The new Authorizing Official (AO) is reviewing all moderate and high systems to determine formal authorization action is needed for any of the systems. Which of the following documents BEST facilities this process? A. The recent Risk Assessment Report (RAR) for each system B. The recent assessment reports for each system C. The recent vulnerability scan for each system D. The recent security status report for each system ---------- page 5 ---------26. The baseline configuration of an information system should be consistent with the A. Enterprise architecture B. Original design specification C. Disaster Recovery (DR) procedures D. Security authorization Process 27. When implementing the organizational disposal process, what factors are considered when making a final decision about sanitization of media? A. Cost versus benefit B. Function versus security C. Availability versus integrity D. Accountability versus authentication 28. In establishing the rules of behavior for a system, which of the following is necessary? A. For a user to have system access before reviewing the rules B. Ensuring that users submit a formal acknowledgement of the rules C. That testing is conducted in order to validate the rules D. Ensuring that all applicable controls are detailed within the rules 29. Which of the following BEST describes the objective of the Security Assessment Plan (SAP)? A. It provides a detailed roadmap for how to conduct the assessment. B. It provides an assessment process for the integration of software and hardware C. It describes how to verify the change control and Configuration Management (CM) practices. D. It ensures that changes made during system development are included in security assessments. 30. An Information System (IS) is registered with appropriate program/management offices in order to A. Manage and track the system B. Determine security categorization C. Set security authorization boundaries D. Initiate the risk management process 31. For a new system, the controls are selected and the security and privacy plans are written during which System Development Life Cycle (SDLC) phase? A. Development/Acquisition B. Initiation C. Operation/Maintenance D. Implementation/Assessment 32. If the protection offered by a common control proves to be unacceptable or insufficient, how would the problem be corrected? A. Revise the control to make it system specific B. Perform a second vulnerability scan C. Implement supplementary controls D. Inform the Common Control Provider (CCP) ---------- page 6 --------33. Which of the following phases is identified as one of the four Incident Response (IR) phases? A. Initiation Phase B. Reconstitution Phase C. Preparation Phase D. Activation Phase 34. What document is based on the findings and recommendations of the assessment report? A. Security Test Plan (STP) B. Plan of Action and Milestones (POA&M) C. Security and Privacy Plans D. Configuration Management Plan (CMP) 35. Which of the following is the BEST approach to authorizing operations of complex systems? A. Assuring the system works both in a secure and functional manner B. Decomposing and authorizing the system into multiple subsystems C. Documenting the decomposition of the information in the Security Plan (SP) D. Decomposing the system into smaller subsystems and authorizing them as a single system 36. What should be included in a functional description of security control implementation? A. Planned inputs, expected behavior, and expected outputs B. Owner, process, and procedure C. Controls metrics and monitoring plan D. Planned metrics, expected behavior, and monitoring description 37. The results of the completed control assessments, including recommendations for correcting any weaknesses or deficiencies in the control, are documented in which document? A. Plan of Action and Milestones (POA&M) B. Security and privacy assessment plans C. Risk Assessment Report (RAR) D. Security and privacy assessment reports 38. What can an organization choose to eliminate the authorization termination data? A. The authorization termination date can never be eliminated B. A continuous monitoring plan is approved by the Risk executive (function) C. Risk acceptance activities are performed by the Information System Security Officer (ISSO) so that the effectiveness of common controls are inherited periodically D. The continuous monitoring program is sufficiently robust to provide the Authorizing Official (AO) with the needed information to conduct risk determination. 39. Which of the following is the principal vehicle used to verify that Information Systems (IS) are meeting their stated security goals and objectives? A. Security Plan (SP) B. Risk assessment C. Security Control Assessment (SCA) D. Requirements traceability Matrix (RMT) ---------- page 7 ---------40. When should a Plan of Action and Milestones (POA&M) be updated? A. When time permits B. On an ongoing basis C. When the budget allows it D. After the Security Plan (SP) is updated 41. In determining residual risk, an organization considers impact on which of the following? A. System budget and personnel B. Operations, assets, and individual C. System maintenance and Disaster Recovery (DR) D. Administrative, technical, and operational functions 42. Which of the following MUST be done when a federal Information System (IS) is removed from service? A. A comprehensive control assessment is conducted for the environment B. The Plan of Action and Milestones (POA&M) is updated to reflect the removal C. Organizational documentation is updated to reflect the system’s removal D. An updated authorization memo is signed by the Authorizing Official (AO) 43. Which will an Authorizing Official (AO) find implementation details for a control? A. Plan of Action and Milestones (POA&M) B. Security and Privacy Plans** C. Continuous monitoring strategy D. Risk Assessment Report (RAR) 44. The compliance schedules for National Institutes of Standards and Technology (NIST) security standards and guidelines are established by the A. Agency implementing them, as they apply to new systems B. Secretary of Commerce when the documents are finalized C. Office of Management and Budget (OMB) in policies, directives, or memoranda D. Joint Task Force Transformation Initiative Interagency Working Group when the documents are issued 45. An organization’s Information System (IS) is categorized as a high-impact system. The organization’s architecture does NOT support wireless connectivity. The initial security control baseline requires the organization to implement AC-18: wireless access. What process can the organization implement to eliminate this unnecessary control? A. Baseline and tailoring B. Tailoring and scoping C. Compensating controls D. Baseline and scoping 46. Which of the following roles within the organization is responsible for clearly defining the impact level of the information the system processes? A. Risk executive (function) B. Information Owner (IO) C. Authorizing Official (AO) D. System security officer ---------- page 8 ---------47. Who has the authority to divide a complex system in order to establish realistic security authorization boundaries? A. Authorizing Official (AO) and Information System Security Officer (ISSO) B. Authorizing Official (AO) and Senior Information Security Officer (SISO) C. Security Control Assessor (SCA) and risk executive D. Security Control Assessor (SCA) and Information System Security Officer (ISSO) 48. Which document in support of the authorization package defines the well-defined set of security and privacy controls? A. Security Plan (SP) B. Initial risk assessment C. Security and privacy assessment reports D. Plan of Action and Milestones (POA&M) 49. The organization has implemented a project to move the physical servers to virtual machines (VM) over the next year. Which risk perspective addresses this project? A. Mission and business B. Organization-wide C. Information system (IS) D. Enterprise-wide 50. What is the MOST important reason for developing a continuous monitoring strategy? A. To maintain an up-to-date Configuration Management Plan B. To conduct a point-in-time assessment to demonstrate due diligence and compliance C. To determine if the deployed security controls continue to be effective over time D. To validate an Interconnection Service Agreement (ISA) 51. The determination of risk for a particular threat/vulnerability pair include assessment of the A. Probability assigned for each threat likelihood examined during initiation B. Cost of remediating the vulnerability and the value of the data C. Value of confidentiality, availability, or integrity of the system concerned D. Likelihood of a given threat source’s attempt to exercise the vulnerability 52. Organizations consider which of the following factors when selecting security or privacy control assessors? A. Technical expertise and level of independence B. System knowledge C. Technical expertise and relevant certifications D. Assessor certification 53. Overlays can be implemented as part of control tailoring after the completion of what process? A. Privacy Impact Assessment (PIA) B. Security Categorization C. Risk Assessment D. Contingency Plan (CP) --------- page 9 ---------54. Security controls are designed to be technology and implementation A. Independent B. Isolated C. Influenced D. Reliant 55. When monitoring controls, changes to the system should be A. Documented in the Security Plan (SP) B. Assessed for the information security and privacy impact C. Documented in the Plan of Action and Milestones (POA&M) D. Implemented once approved by the System Owner (SO) 56. Which of the following is a key step in the overall Contingency planning process? A. Completing the Security Plan (SP) B. Conducting the Business Impact Analysis (BIA) C. Developing the Plan of Action and Milestones (POA&M) D. Completing the security Requirement Traceability Matrix (RTM) 57. Subsystems are considered part of a larger system provided that they are A. Within the same physical network segment B. Certified by the same Security Control Assessor (SCA) C. Certified within six months of one another D. Under the same higher management authority 58. Residual risk can be categorized as risk A. That exists before the implementation of security controls B. That exists after the implementation of security controls C. Introduced by the implementation of security controls D. Introduced by implementing security controls 59. The Information Technology (IT) manager is responsible to the Information Officer for the implementation of Role Based Access Control (RBAC) assigned divisional resource. Specifically, the IT manager must facilitate the Identity and Access Management (IAM) for configured assets. Which System Development Life Cycle (SDLC) phase will enable the system security officer to verify accountability and authentication of these implemented safeguards? A. Development/Acquisition B. Planning C. Designing D. Initiation 60. The Authorizing Official may accept authorization recommendations based on A. Residual risks of similar system B. Impact to mission personnel C. Impact of environmental factors D. Residual risk of the specific systems** ---------- page 10 ---------61. The final Security Assessment Report (SAR) should contain which of the following A. Determination of the residual risk B. Security Control Assessment (SCA) plan C. System Security Plan (SSP) and Concept of Operations (CONOPS) D. Recommendations for correct deficiencies 62. Which of the following triggers a Security Plan (SP) update? A. A vulnerability scan run against a system B. Inspector general’s Security Assessment Report (SAR) C. Change in Information System Owner (ISO) D. Leave of absence of Authorizing Official (AO) 63. When a security control selected for a system cannot be applied, A. The security control list is deleted B. A compensating control is implemented C. A less restrictive security control is employed D. The security control is marked as non-applicable 64. What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected? A. The remediated controls are reassessed B. The system is given an Authority to Operate (ATO) C. An assessment report is generated D. The original assessment results are changed 65. The assessment effort for effective incident handling MUST include the determination that an organization A. Implements an incident handling capability for security incidents B. Employs automated mechanisms to test the incident handling response capability C. Incorporates simulated events into incident response training D. Tracks and documents system security incidents on a quarterly basis 66. Common security controls are those that apply to one or more of which of the following? A. Organizational security families B. Organizational Information system (IS) C. Information security classes D. Information data categories 67. At which point in the Risk Management Framework (RMF) process is a system analyzed for changes that impact the security and privacy posture of the system? A. Implement B. Assess C. Select D. Monitor 68. Security controls that are shared throughout an organization’s enterprise require A. Approval by the system owner. B. Shared security controls costs across agencies’ system owners. C. Accept from the Information System Security Officer (ISSO). D. Documenting in a security plan by the Common Control Provider (CCP). ---------- page 11 ---------69. A key part of the risk decision process is the recognition that, regardless of the risk response there typically remains a degree of residual risk. On what basis does an organization determine the acceptable degrees of residual risk? A. Risk avoidance B. Risk mitigation C. Risk tolerance D. Risk transfer 70. Determining the level of acceptable risk associated with the operation of an Information System (IS), organization shall give A. Appropriate weight to mission and security requirements B. Greater weight to mission requirements than security requirements C. Appropriate weight to system performance and security requirements D. Greater weight to security requirements than performance requirements 71. What factor MUST be analyzed during risk determination activities? A. Threats, impacts, vulnerabilities, likelihood of occurrence, and predisposing conditions B. Threats, impacts, vulnerabilities, risk assessment results, and predisposing conditions C. Threats, impacts, vulnerabilities, likelihood of occurrence, and compliance verification D. Threats, impacts, vulnerabilities, risk assessment results, and compliance verification 72. The Least Privilege security control is a member of which control family? A. Access Control B. System and Information Integrity C. Audit and Accountability D. Identification and Authentication 73. Which process guides the selection of security controls to ensure adequate security commensurate with the risk of the organization? A. Risk assessment B. Security categorization** C. Vulnerability assessment D. Privacy Impact Assessment (PIA) 74. Which of the following is an essential element when an organization updates its authorization package documents? A. Version control B. Technical control C. Administrative control D. Operational control 75. When implementing a control on wireless access, the organization MUST do which of the following? A. Monitor for unauthorized access B. Prevent Denial of Service (DoS) conditions. C. Not broadcast the Service Set Identifier (SSID) D. Increase monitoring for non-wireless networks ---------- page 12 ---------76. Organization A has merged with another similar organization, organization B, and has expanded the data center operations to include Information Technology (IT) assets from both locations. What is the BEST reason for requiring an updated risk assessments? A. System Owner has changed B. System authorization boundary has changed C. System technical requirements has changed D. System regulatory and legal requirements has changed 77. Which of the following is an example of the test assessment method? A. Conducting a vulnerability scan on web applications B. Reading vulnerability scan policies and procedures C. Asking administrators about the scanning process D. Reviewing the most recent scan reports 78. Which of the following is TRUE when applying the Risk Management Framework (RMF) steps and associated tasks to existing systems? A. This can be omitted in order to expedite the assessment B. This can be waived by the System owner (SO) C. This can be carried out only by internal sources D. This can viewed as a gap analysis 79. The organizational and system monitoring strategies identifies A. The security controls to be monitored, the frequency of monitoring, and the weakness mitigation strategy B. The volatility of specific security controls, the frequency of monitoring, and the vulnerability scanning approach C. The security controls to be monitored, the frequency of monitoring, and the control assessment approach D. The security documentation to be updated, the frequency of updates, and the approval Process 80. An effective continuous monitoring strategy includes which of the following? A. Implementation of the United States Government Configuration Baseline (USGCB) B. Adherence to the organization’s approved enterprise architecture C. Documenting the functional security baseline configuration D. Reporting of security and privacy posture to organizational officials 81. Which of the following includes the resource required for mitigation? A. Corrective Action Plan B. Mitigation plan C. Monitoring strategy D. Plan of Action and Milestones (POA&M) ---------- page 13 ---------82. The Chief Information Officer (CIO) is establishing a policy of monthly assessment for access controls. What is the BEST corresponding action the system security officer should complete? A. Update the Security Plan (SP) with the CIO’s monitoring criteria B. Advise the System Owner (SO) of the CIO’s recommendation C. Ignore the CIO’s direction because they are inconsistent with Federal Information Processing Standard (FIPS) 199 standards D. Update the Plan of Action and Milestones (POA&M) with the CIO’s direction 83. When a system contains Personally Identifiable Information (PII) what additional action MUST be performed related to the specific system? A. Perform a Privacy Impact Assessment (PIA) B. Develop design documents C. Perform vulnerability scan of the hardware D. Send out a Notice of Privacy Practices (NPP) 84. Which role has the PRIMARY responsibility for the documentation of control implementation? A. Systems security engineer B. Control assessor C. Information System Owner (ISO) D. Information Owner/Steward 85. When making determinations regarding the adequacy of common controls for their respective systems, Information System Owner (ISO) refer to the Common Control Providers’ (CCP) A. Privacy Impact Assessment (PIA) B. Business Impact Analysis (BIA) C. Authorization Packages** D. Vulnerability Scans 86. An organization-wide approach to identifying common controls early in the Risk Management Framework (RMF) process does which of the following? A. Considers system-specific controls before assigning common controls B. Allows each Information System Owner (ISO) to accept only those common controls that are mission-critical C. Facilitates a more global strategy for assessing those controls and sharing essential assessment results D. Encourages Information System Owners and Authorizing Officials (AO) to complete their initial Security Plan (SP) prior to control assignment 87. From an organizational viewpoint, what effect does the designation of some security controls as common controls have? A. It is difficult for developers to build in security controls for individual applications B. Costs are increased in the Security Assessment and Authorization (A&A) activities C. Depth of analysis required is increased during the security Assessment and Authorization (A&A) D. Consistent application of security across the organization is enabled 88. What does a finding of “other than satisfied” reflect in an assessment report? A. An Information Security incident has occurred B. Information types should be reevaluated C. A lack of specified protection D. The contingency plan must be revised --------- page 14 ---------89. What is considered when establishing a system authorization boundary? A. Direct management control B. Cost of security authorization C. Network topography and complexity D. Interconnection Security Agreement (ISA) 90. Which organizational reference can an Information Systems Security Officer (ISSO) use to help prioritize the remediation of a vulnerability found during a weekly vulnerability scan? A. Risk Assessment (RA) B. Risk Management Strategy C. Assessment report D. Plan of Action and Milestones (POA&M) 91. What consideration leads to a less frequent assessment and monitoring activity? A. Volatile security controls B. High-impact level systems C. High organizational risk tolerance D. Risks in the control assessment 92. Which of the following is the mutual agreement among participating organizations to accept one another’s security assessments in order to reuse system resources or to accept each other’s assessed security posture in order to share information? A. Memorandum of Understanding (MOU) B. Memorandum of Agreement (MOA) C. Reciprocity** D. Reuse 93. What is essential when documenting the implementation of security controls? A. Security requirement and specification traceability B. Inclusion of threat and vulnerability pairs C. Organizational risk tolerance D. Control threat assessment 94. What activity MUST be completed before the System Owner (SO) considers the minimum security requirement of the system? A. Risk assessment B. Privacy Threshold Analysis (PTA) C. Impact level determination D. Vulnerability scanning ---------- page 15 ---------95. During the assessment of a new system, the System Owner (SO) mentioned that if unauthorized modification or destruction of medical information in the system occurred, it could result in potential loss of life because the system is the authoritative source of information about patient healthcare records including current and previous medications and ongoing medical procedures. Which of the following is the BEST Security categorization (SC) for the information type? A. SC medical information = (confidentiality, MODERATE), (integrity, LOW), (availability, LOW) B. SC medical information = (confidentiality, MODERATE), (integrity, MODERATE), (availability, MODERATE) C. SC medical information = (confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH) D. SC medical information = (confidentiality, MODERATE), (integrity, MODERATE, ((availability, HIGH) 96. One of the primary goals in conducting analysis of the test results from a scan during Security Control Assessment (SCA) is to A. Identify false negative findings B. Categorize vulnerabilities C. Determine threats to the system D. Validated the system boundaries 97. Regardless of the task ordering, what is the last step before an Information System (IS) is placed into operation? A. Report the security status of the IS to the Authorizing Official (AO) B. Review the reported security status of the IS C. Update the Security Plan (SP) and the assessment report D. The explicit acceptance of risk by the Authorizing Official (AO) 98. Who is responsible for accepting the risk when a system undergoes a significant change? A. Information System Security Officer (ISSO) B. System Owner C. Risk executive (function) D. Authorizing Official (AO) 99. The security category of information 1 is determined to be: Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, LOW) And the security category of information 2 is determined to be: Security Category Information type = (Confidentiality, LOW), (integrity, LOW), (availability, HIGH) What is the security category for the Information System (IS) A. Security Category Information type = (Confidentiality, LOW), (integrity, LOW), (availability, MODERATE) B. Security Category Information type = (Confidentiality, LOW), (integrity, MODERATE), (availability, HIGH) C. Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, LOW), (availability, MODERATE) D. Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, HIGH) ---------- page 16 ---------100. Which of the following BEST defines the purpose of the security assessment? A. To determine if the remaining known vulnerability pose an acceptable level of risk B. To determined the extent to which the security controls are implemented correctly and operating as intended** C. To perform oversight and monitor the security controls in the Information System (IS) D. To perform initial risk estimate and security categorization of the Information System (IS) 101. Which role does an System Owner (SO) coordinate inherited controls implemented with? A. Common Control Provider (CCP) B. System security officer C. Authorizing Official (AO) D. Authorizing Official Designated Representative (AODR) 102. A Security Control Assessment (SCA) was completed over two years ago, but the surrounding environment has changed. What, if anything, should the assessment team do with the previous results? A. Assessment only those controls that have changed B. Designed since the results are too old C. Assess all controls for the system D. Determine changes and impacts 103. The Authorizing Official (AO) issues an Authorization decision for an information system after A. Deciding whether or not the risk is acceptable B. Completing the risk analysis C. Updating the Security Plan (SP) D. Documenting the control assessment results 104. When documenting how system-specific and hybrid security controls are implemented, an organization takes into account A. Industry best practices B. Accepted management and technical controls C. Future hardware and software requirements D. Specific technologies and platform dependencies 105. Which process must be conducted during security categorization? A. Define information types B. Define baseline security controls C. Determine risk level D. Determine likelihood of impact ---------- page 17 ---------106. When determining the likelihood of a threat-source exploiting a system vulnerability, one MUST consider which of the following? A. Vulnerability’s root-level access, threat motivation, and system security control effectiveness B. Organization’s mission impact, system security control effectiveness, and threat’s capability C. Threat’s capability, system security control effectiveness, and threat motivation D. Organization’s readiness, mission impact, and system security control effectiveness 107. Security Content Automation Protocol (SCAP) is a method for which of the following? A. Automating the documentation of security controls B. Facilitating interconnected system to communicate regarding security control operational effectiveness C. Using specific standards to enable automated policy compliance evaluation D. Automating the review of the Security Plan (SP) 108. Common controls protecting multiple organizational Information Systems (IS) of different levels are implemented at the which impact level? A. The “HIGH” impact level B. The highest impact level C. The average impact level D. The most common impact level 109. What are the classifications of the system level security controls? A. Technical, operational, and mechanical B. Training, organizational, and mechanical C. Technical, operational, and management D. Technical, organization, and management 110. An Information System (IS) has the following Security Categories (SC) for each information type: SC public information = (confidentiality, NA), (integrity, HIGH), (availability, LOW) SC investigation information = (confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE) SC administrative = (confidentiality, NA), (integrity, LOW), (availability, LOW What is the overall IS security category for confidentiality? A. LOW B. MODERATE C. HIGH D. NA 111. The functional description of the control implementation includes A. The control description, effectiveness, and Plan of Action and Milestones (POA&M) B. Planned inputs, expected behavior, and expected outputs** C. A detailed description of the effectiveness of the control D. The operational parameters of the control ---------- page 18 ---------112. During which phase of the System Development Life Cycle (SDLC) of an existing system does the system owner conduct remediation action based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the Plan of Action and Milestones (POA&M)? A. Operational Maintenance B. Implementation C. Development/Acquisition D. Integration 113. While conducting an internal control review of a high impact system’s technical controls, the information System Security Officer (ISSO) notes that system’s audit logs are collecting only user login time. This is a violation of which of the following? A. Audit reduction and report generation B. Audit monitoring and reporting C. Processing of audit logs D. Content of audit records 114. What is the PRIMARY goal for establishing Information System (IS) boundaries? A. Identify common security controls B. Be cost effective C. Include mitigation for connection to legacy IS D. Be flexible enough to accommodate major changes without re-authorizing the system 115. Which of the following considerations MUST be taken into account regarding data or media on an Information System (IS) prior to it being decommissioned and removed? A. The records retention requirements for the data B. The type of data compression used on the system or media C. The cost of sanitizing and reuse D. The cost of destroying the system or media 116. Which of the following BEST determines the level of details required when describing the Information System (IS)? A. Proportionate to the system categorization level B. Dependent on the complexity of the system C. Commensurate with the size of the user community D. Based on the Cost-Benefit Analysis (CBA) 117. What is a key component of the initial security and privacy assessment reports? A. Optional addendum B. Information System (IS) description C. Security and privacy assessment plans D. Recommendations 118. An organization should consider which elements when selecting an assessment team? A. Expertise and cost B. Schedule and independence C. Schedule and cost D. Expertise and independence 119. What is a consequence of an authorization boundary that is too expensive? A. Increase the number of systems to be managed ---------- page 19 ---------B. The risk management is complex C. Inflates the total security costs for the organization D. The Configuration Management is uncontrollable 120. Which of the following are acceptable assessment methods for a control assessment? A. Examine, interview, and test B. Research, test, and interview C. Interview, examine, and measure D. Research, test, and validate 121. Which security control baseline does not require an independent assessment of security controls, as part of continuous monitoring? A. High B. Low C. Moderate D. Critical 122. Which process follows the selection of the initial baseline security controls? A. Tailoring the baseline requirements B. Determining the overall impact to the baseline C. Performing an assessment of organization risk D. Reviewing the consistency of the baseline requirements 123. A minor application is being added to an existing accredited distributed system. This application does not require any additional security functionality other than that provided by the distributed system. Which of the following actions is taken? A. The owner of the distributed system is responsible for the new application, and adds it to the existing distributed system Security Plan (SP) B. The owner of the distributed system needs to create a separate Security Plan (SP) and reference the distributed system Security Plan (SP) C. The owner of the new application needs to create an addendum/ application to the distributed system Security Plan (SP) detailing the necessary additional security mechanisms for the new application D. The owner of the new application is responsible for updating the distributed system Security Plan (SP) with the new application information 124. Which of the following documents tracks an Information System’s (IS) remediation actions? A. B. C. D. Security Plan (SP) Plan of Action and Milestones (POA&M) Assessment report Continuity of Operations Plan (COOP) ---------- page 20 ---------125. Which of the following professionals plays the role of a monitor and takes part in the organization’s configuration management process? A. Senior Agency Information Security Officer B. Authorizing Official C. Common Control Provider D. Chief Information Officer 126. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer? Each correct answer represents a complete solution. Choose all that apply. A. Preserving high-level communications and working group relationships in an organization B. Facilitating the sharing of security risk-related information about authorizing officials C. Establishing effective continuous monitoring program for the organization D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan 127. The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply. A. An ISSE provides advice on the impacts of system changes. B. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A) C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A) D. An ISSO takes part in the development activities that are required to implement system changes. E. An ISSE provides advice on the countinuous monitoring of the information system. 128. Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process? A. Information System Owner B. Authorizing Official C. Chief Risk Officer D. Chief Information Officer (CIO) ---------- page 21 ---------129. Which of the following assessment methodologies defines a six-step technical security evaluation? A. FITSAF B. FIPS 102 C. OCTAVE D. DITSCAP 130. DIACAP applies to the acquisition, operation, and sustainment of an DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP? Each answer represents a complete solution. Choose all that apply. A. Accreditation B. Identification C. System Definition D. Verification E. Validation F. Re-Accreditation 131. Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use? A. Mandatory Access Control B. Role-Based Access Control C. Discretionary Access Control D. Policy Access Control 132. Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems? A. FITSAF B. FIPS C. TCSEC D. SSAA ---------- page 22 ---------- 133. James works as an IT systems personnel in SoftTech Inc. He performs the following tasks: Runs regular backups and routine tests of the validity of the backup data. Performs data restoration from the backups whenever required. Maintains the retained records in accordance with the established information classification policy. What is the role played by James in the organization? A. Manager B. Owner C. Custodian D. User 134. FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented? A. Level 4 B. Level 1 C. Level 3 D. Level 5 E. Level 2 135. Certification & Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment? A. Definition, Validation, Verification, and Post Accreditation B. Verification, Definition, Validation, and Post Accreditation C. Verification, Validation, Definition, and Post Accreditation D. Definition, Verification, Validation, and Post Accreditation 136. System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of the System Authorization Plan? Each correct answer represents a part of the solution. Choose all that apply. A. Post-Authorization B. Pre-certification C. Post-certification D. Certification E. Authorization
