Certified Authorization Professional (CAP) Practice Exam

The Certified Authorization Professional (CAP), recently renamed to Certified in Governance, Risk and Compliance (CGRC), is a vendor-neutral certification that validates your knowledge and skills in managing information systems authorization processes. It's particularly relevant for individuals involved in information security, risk management, and governance within organizations.

 

Who should consider the CGRC (Formerly CAP) Certification?

This certification is ideal for:

  • Information security professionals: Security analysts, security administrators, and risk management professionals looking to specialize in authorization.
  • IT auditors: Individuals performing audits related to information security controls and authorization processes.
  • Compliance professionals: Those responsible for ensuring compliance with regulations and standards that require proper authorization of information systems.
  • Anyone seeking to advance their career in information security, risk management, or governance.

 

Key Roles and Responsibilities:

Individuals with the CGRC certification may be involved in various tasks, including:

  • Assessing and classifying information systems based on their security requirements and potential risks.
  • Implementing and maintaining the Risk Management Framework (RMF), the U.S. government's framework for managing information security risk.
  • Developing and reviewing security controls to mitigate identified risks.
  • Authorizing information systems for operation, ensuring they meet the required security standards.
  • Monitoring and auditing security controls to ensure their effectiveness.

 

Exam Details (for CGRC):

  • Exam Name: Certified in Governance, Risk and Compliance (CGRC)
  • Exam Provider: (ISC)²
  • Format: Multiple-choice questions
  • Number of Questions: 125
  • Duration: 180 minutes
  • Passing Score: 70%
  • Delivery: Testing center or online proctored

 

Course Outline

Domain 1. Information Security Risk Management Program 15%

1.1 Understand the Foundation of an Organization-Wide Information Security Risk Management Program

  • Principles of information security
  • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
  • RMF and System Development Life Cycle (SDLC) integration
  • Information System (IS) boundary requirements
  • Approaches to security control allocation
  • Roles and responsibilities in the authorization process

1.2 Understand Risk Management Program Processes

  • Enterprise program management controls
  • Privacy requirements
  • Third-party hosted Information Systems (IS)

1.3 Understand Regulatory and Legal Requirements

  • Federal information security requirements
  • Relevant privacy legislation
  • Other applicable security-related mandates

 

Domain 2. Categorization of Information Systems (IS) 13%

2.1 Define the Information System (IS)

  • Identify the boundary of the Information System (IS)
  • Describe the architecture
  • Describe Information System (IS) purpose and functionality

2.2 Determine Categorization of the Information System (IS)

  • Identify the information types processed, stored, or transmitted by the Information System (IS)
  • Determine the impact level on confidentiality, integrity, and availability for each information type
  • Determine Information System (IS) categorization and document results

 

Domain 3. Selection of Security Controls 13%

3.1 Identify and Document Baseline and Inherited Controls

3.2 Select and Tailor Security Controls

  • Determine applicability of recommended baseline
  • Determine appropriate use of overlays
  • Document applicability of security controls

3.3 Develop Security Control Monitoring Strategy

3.4 Review and Approve Security Plan (SP)

 

Domain 4. Implementation of Security Controls 15%

4.1 Implement Selected Security Controls

  • Confirm that security controls are consistent with enterprise architecture
  • Coordinate inherited controls implementation with common control providers
  • Determine mandatory configuration settings and verify implementation (e.g., United States Government Configuration Baseline (USGCB), National Institute of Standards and Technology (NIST) checklists, Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), Center for Internet Security (CIS) benchmarks)
  • Determine compensating security controls

4.2 Document Security Control Implementation

  • Capture planned inputs, expected behavior, and expected outputs of security controls
  • Verify documented details are in line with the purpose, scope, and impact of the Information System (IS)
  • Obtain implementation information from appropriate organization entities (e.g., physical security, personnel security)

 

Domain 5. Assessment of Security Controls 14%

5.1 Prepare for Security Control Assessment (SCA)

  • Determine Security Control Assessor (SCA) requirements
  • Establish objectives and scope
  • Determine methods and level of effort
  • Determine necessary resources and logistics
  • Collect and review artifacts (e.g., previous assessments, system documentation, policies)
  • Finalize Security Control Assessment (SCA) plan

5.2 Conduct Security Control Assessment (SCA)

  • Assess security control using standard assessment methods
  • Collect and inventory assessment evidence

5.3 Prepare Initial Security Assessment Report (SAR)

  • Analyze assessment results and identify weaknesses
  • Propose remediation actions

5.4 Review Interim Security Assessment Report (SAR) and Perform Initial Remediation Actions

  • Determine initial risk responses
  • Apply initial remediations
  • Reassess and validate the remediated controls

5.5 Develop Final Security Assessment Report (SAR) and Optional Addendum

 

Domain 6. Authorization of Information Systems (IS) 14%

6.1 Develop Plan of Action and Milestones (POAM)

  • Analyze identified weaknesses or deficiencies
  • Prioritize responses based on risk level
  • Formulate remediation plans
  • Identify resources required to remediate deficiencies
  • Develop schedule for remediation activities

6.2 Assemble Security Authorization Package

  • Compile required security documentation for Authorizing Official (AO)

6.3 Determine Information System (IS) Risk

  • Evaluate Information System (IS) risk
  • Determine risk response options (i.e., accept, avoid, transfer, mitigate, share)

6.4 Make Security Authorization Decision

  • Determine terms of authorization

 

Domain 7. Continuous Monitoring 16%

7.1 Determine Security Impact of Changes to Information Systems (IS) and Environment

  • Understand configuration management processes
  • Analyze risk due to proposed changes
  • Validate that changes have been correctly implemented

7.2 Perform Ongoing Security Control Assessments (SCA)

  • Determine specific monitoring tasks and frequency based on the agency's strategy
  • Perform security control assessments based on monitoring strategy
  • Evaluate security status of common and hybrid controls and interconnections

7.3 Conduct Ongoing Remediation Actions (e.g., resulting from incidents, vulnerability scans, audits, vendor updates)

  • Assess risk(s)
  • Formulate remediation plan(s)
  • Conduct remediation tasks

7.4 Update Documentation

  • Determine which documents require updates based on results of the continuous monitoring process

7.5 Perform Periodic Security Status Reporting

  • Determine reporting requirements

7.6 Perform Ongoing Information System (IS) Risk Acceptance

  • Determine ongoing Information System (IS)

7.7 Decommission Information System (IS)

  • Determine Information System (IS) decommissioning requirements
  • Communicate decommissioning of Information System (IS)
