Month End Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

ISC CAP CAP – Certified Authorization Professional Exam Practice Test

Demo: 59 questions
Total 395 questions

CAP – Certified Authorization Professional Questions and Answers

Question 1

Certification and Accreditation (C&A or CnA) is a process for implementing information security.

Which of the following is the correct order of C&A phases in a DITSCAP assessment?

Options:

A.

Definition, Validation, Verification, and Post Accreditation

B.

Verification, Definition, Validation, and Post Accreditation

C.

Verification, Validation, Definition, and Post Accreditation

D.

Definition, Verification, Validation, and Post Accreditation

Question 2

Frank is the project manager of the NHH Project. He is working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document is Frank and the NHH Project team creating in this scenario?

Options:

A.

Project management plan

B.

Resource management plan

C.

Risk management plan

D.

Project plan

Question 3

What are the subordinate tasks of the Initiate and Plan IA C&A phase of the DIACAP process?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Develop DIACAP strategy.

B.

Assign IA controls.

C.

Assemble DIACAP team.

D.

Initiate IA implementation plan.

E.

Register system with DoD Component IA Program.

F.

Conduct validation activity.

Question 4

You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process?

Options:

A.

You will use organizational process assets for risk databases that may be available from industry sources.

B.

You will use organizational process assets for studies of similar projects by risk specialists.

C.

You will use organizational process assets to determine costs of all risks events within thecurrent project.

D.

You will use organizational process assets for information from prior similar projects.

Question 5

Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production?

Each correct answer represents a part of the solution. Choose all that apply.

Options:

A.

NIST

B.

FIPS

C.

FISMA

D.

Office of Management and Budget (OMB)

Question 6

You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?

Options:

A.

Project management plan

B.

Risk management plan

C.

Risk log

D.

Risk register

Question 7

You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year. Management has asked you to identify the risk events and communicate the event's probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low-level of stakeholder tolerance in this project?

Options:

A.

Risk avoidance

B.

Mitigation-ready project management

C.

Risk utility function

D.

Risk-reward mentality

Question 8

The IAM/CA makes certification accreditation recommendations to the DAA. The DAA issues accreditation determinations. Which of the following are the accreditation determinations issued by the DAA?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

IATO

B.

ATO

C.

IATT

D.

ATT

E.

DATO

Question 9

You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. You will need all of the following as inputs to the qualitative risk analysis process except for which one?

Options:

A.

Risk management plan

B.

Risk register

C.

Stakeholder register

D.

Project scope statement

Question 10

Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred understands that once the quantitative risk analysis process is complete, the process will need to be completed again in at least two other times in the project. When will the quantitative risk analysis process need to be repeated?

Options:

A.

Quantitative risk analysisprocess will be completed again after the plan risk response planning and as part of procurement.

B.

Quantitative risk analysis process will be completed again after the cost managementplanning and as a part of monitoring and controlling.

C.

Quantitativerisk analysis process will be completed again after new risks are identified and as part of monitoring and controlling.

D.

Quantitative risk analysis process will be completed again after the risk response planning and as a part of monitoring and controlling.

Question 11

The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Secure accreditation

B.

Type accreditation

C.

System accreditation

D.

Site accreditation

Question 12

Which of the following roles is also known as the accreditor?

Options:

A.

Chief Risk Officer

B.

Data owner

C.

Designated Approving Authority

D.

Chief Information Officer

Question 13

Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state?

Options:

A.

Procurement management

B.

Change management

C.

Risk management

D.

Configuration management

Question 14

James work as an IT systems personnel in SoftTech Inc. He performs the following tasks:

Runs regular backups and routine tests of the validity of the backup data.

Performs data restoration from the backups whenever required.

Maintains the retained records in accordance with the established information classification policy.

What is the role played by James in the organization?

Options:

A.

Manager

B.

Owner

C.

Custodian

D.

User

Question 15

Which of the following assessment methodologies defines a six-step technical security evaluation?

Options:

A.

OCTAVE

B.

FITSAF

C.

DITSCAP

D.

FIPS 102

Question 16

Mary is the project manager of the HGH Project for her company. She and her project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly more expensive than the current vendor. What type of a response strategy is this?

Options:

A.

External risk response

B.

Internal risk management strategy

C.

Contingent response strategy

D.

Expert judgment

Question 17

Ned is the program manager for his organization and he's considering some new materials for his program. He and his team have never worked with these materials before and he wants to ask the vendor for some additional information, a demon, and even some samples. What type of a document should Ned send to the vendor?

Options:

A.

IFB

B.

RFI

C.

RFQ

D.

RFP

Question 18

Which of the following relations correctly describes residual risk?

Options:

A.

Residual Risk = Threats x Vulnerability x Asset Gap x Control Gap

B.

Residual Risk = Threats x Exploit x Asset Value x Control Gap

C.

Residual Risk = Threats x Exploit x Asset Value x Control Gap

D.

Residual Risk = Threats x Vulnerability x Asset Value x Control Gap

Question 19

Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?

Options:

A.

Risk monitoring and control

B.

Scope change control

C.

Configuration management

D.

Integrated change control

Question 20

Which of the following are the goals of risk management?

Each correct answer represents a complete solution. Choose three.

Options:

A.

Finding an economic balance between the impact of the risk and the cost of the countermeasure

B.

Identifying the risk

C.

Assessing the impact of potential threats

D.

Identifying the accused

Question 21

Which of the following NIST documents provides a guideline for identifying an information system as a National Security System?

Options:

A.

NIST SP 800-53

B.

NIST SP 800-59

C.

NIST SP 800-53A

D.

NIST SP 800-37

E.

NIST SP 800-60

Question 22

Which of the following techniques are used after a security breach and are intended to limit the extent of any damage caused by the incident?

Options:

A.

Safeguards

B.

Preventive controls

C.

Detective controls

D.

Corrective controls

Question 23

Which of the following NIST documents defines impact?

Options:

A.

NIST SP 800-53

B.

NIST SP 800-26

C.

NIST SP 800-30

D.

NIST SP 800-53A

Question 24

Which of the following describes residual risk as the risk remaining after risk mitigation has occurred?

Options:

A.

DIACAP

B.

ISSO

C.

SSAA

D.

DAA

Question 25

Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis Courtney encourages the project team to begin the grouping of identified risks by common causes. What is the primary advantage to group risks by common causes during qualitative risk analysis?

Options:

A.

It can lead to developing effective risk responses.

B.

It can lead to the creation of risk categories unique to each project.

C.

It helps the project team realize the areas of the project most laden with risks.

D.

It saves time by collecting the related resources, such as project team members, to analyze the risk events.

Question 26

Joan is a project management consultant and she has been hired by a firm to help them identify risk events within the project. Joan would first like to examine the project documents including the plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover risks within the review of the project documents?

Options:

A.

Lack of consistency between the plans and the project requirements and assumptions can bethe indicators of risk in the project.

B.

The project documents will help the project manager, or Joan, to identify what risk identification approach is best to pursue.

C.

Plans that have loose definitions of terms and disconnected approaches will revealrisks.

D.

Poorly written requirements will reveal inconsistencies in the project plans and documents.

Question 27

Which of the following classification levels defines the information that, if disclosed to the unauthorized parties, could be reasonably expected to cause exceptionally grave damage to the national security?

Options:

A.

Secret information

B.

Top Secret information

C.

Confidential information

D.

Unclassified information

Question 28

Which of the following is a security policy implemented by an organization due to compliance, regulation, or other legal requirements?

Options:

A.

Advisory policy

B.

Informative policy

C.

System Security policy

D.

Regulatory policy

Question 29

You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process?

Options:

A.

Cost management plan

B.

Quality management plan

C.

Procurement management plan

D.

Stakeholder register

Question 30

Which of the following is an Information Assurance (IA) model that protects and defends information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation?

Options:

A.

Parkerian Hexad

B.

Capability Maturity Model (CMM)

C.

Classic information security model

D.

Five Pillars model

Question 31

Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of a chart is management asking you to create?

Options:

A.

Work breakdown structure

B.

Roles and responsibility matrix

C.

Resource breakdown structure

D.

RACI chart

Question 32

Which of the following processes is described in the statement below?

"It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."

Options:

A.

Perform Quantitative Risk Analysis

B.

Monitor and Control Risks

C.

Perform Qualitative Risk Analysis

D.

Identify Risks

Question 33

Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?

Options:

A.

The custodian implements the information classification scheme after the initial assignment by the operations manager.

B.

The datacustodian implements the information classification scheme after the initial assignment by the data owner.

C.

The data owner implements the information classification scheme after the initial assignment by the custodian.

D.

The custodian makes the initialinformation classification assignments, and the operations manager implements the scheme.

Question 34

Which of the following C&A professionals plays the role of an advisor?

Options:

A.

Information System Security Engineer (ISSE)

B.

Chief Information Officer (CIO)

C.

Authorizing Official

D.

Information Owner

Question 35

Which of the following statements is true about the continuous monitoring process?

Options:

A.

It takes place in the middle of system security accreditation.

B.

It takes place before and after system security accreditation.

C.

It takes place before the initial system security accreditation.

D.

It takes place after the initial system security accreditation.

Question 36

To help review or design security controls, they can be classified by several criteria. One of these criteria is based on time. According to this criteria, which of the following controls are intended to prevent an incident from occurring?

Options:

A.

Adaptive controls

B.

Preventive controls

C.

Detective controls

D.

Corrective controls

Question 37

Which one of the following is the only output for the qualitative risk analysis process?

Options:

A.

Enterprise environmental factors

B.

Project management plan

C.

Risk register updates

D.

Organizational process assets

Question 38

Which of the following processes has the goal to ensure that any change does not lead to reduced or compromised security?

Options:

A.

Risk management

B.

Security management

C.

Configuration management

D.

Changecontrol management

Question 39

You are the project manager of the NHQ project for your company. Management has told you that you must implement an agreed upon contingency response if the Cost Performance Index in your project is less than 0.90. Consider that your project has a budget at completion of $250,000 and is 60 percent complete. You are scheduled to be however, 75 percent complete, and you have spent $165,000 to date. What is the Cost Performance Index for this project to determine if the contingency response should happen?

Options:

A.

0.88

B.

0.80

C.

-$37,500

D.

0.91

Question 40

Which of the following NIST publications defines impact?

Options:

A.

NIST SP 800-41

B.

NIST SP 800-37

C.

NIST SP 800-30

D.

NIST SP 800-53

Question 41

There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?

Options:

A.

Exploit

B.

Share

C.

Enhance

D.

Acceptance

Question 42

Certification and Accreditation (C&A or CnA) is a process for implementing information security.

Which of the following is the correct order of C&A phases in a DITSCAP assessment?

Options:

A.

Definition, Validation, Verification, and Post Accreditation

B.

Verification, Definition, Validation, and Post Accreditation

C.

Definition, Verification, Validation, and Post Accreditation

D.

Verification, Validation, Definition, and Post Accreditation

Question 43

Which of the following acts promote a risk-based policy for cost effective security?

Each correct answer represents a part of the solution. Choose all that apply.

Options:

A.

Clinger-Cohen Act

B.

Lanham Act

C.

Computer Misuse Act

D.

Paperwork Reduction Act (PRA)

Question 44

You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?

Options:

A.

Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.

B.

Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.

C.

Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives.

D.

Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.

Question 45

Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual?

Options:

A.

DoD 5200.22-M

B.

DoD 5200.1-R

C.

DoD 8910.1

D.

DoDD 8000.1

E.

DoD 7950.1-M

Question 46

Adrian is a project manager for a new project using a technology that has recently been released and there's relatively little information about the technology. Initial testing of the technology makes the use of it look promising, but there's still uncertainty as to the longevity and reliability of the technology. Adrian wants to consider the technology factors a risk for her project. Where should she document the risks associated with this technology so she can track the risk status and responses?

Options:

A.

Project charter

B.

Risk register

C.

Project scope statement

D.

Risk low-level watch list

Question 47

You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?

Options:

A.

The project's cost management plan can help you to determine what the total cost of the project is allowed to be.

B.

The project's cost management plan provides direction on how costs may be changed due to identified risks.

C.

The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget.

D.

The project's cost management plan is not an input to the quantitative risk analysis process .

Question 48

The Software Configuration Management (SCM) process defines the need to trace changes, and the ability to verify that the final delivered software has all of the planned enhancements that are supposed to be included in the release. What are the procedures that must be defined for each software project to ensure that a sound SCM process is implemented?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Configuration status accounting

B.

Configuration change control

C.

Configuration deployment

D.

Configuration audits

E.

Configuration identification

F.

Configuration implementation

Question 49

Jenny is the project manager for the NBT projects. She is working with the project team and several subject matter experts to perform the quantitative risk analysis process. During this process she and the project team uncover several risks events that were not previously identified.

What should Jenny do with these risk events?

Options:

A.

The events should be determined if they need to be accepted or responded to.

B.

The events should be entered into qualitative risk analysis.

C.

The events should continue on with quantitative risk analysis.

D.

The events should be entered into the risk register.

Question 50

Which of the following statements reflect the 'Code of Ethics Canons' in the '(ISC)2 Code of Ethics'?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Protect society, the commonwealth, and the infrastructure.

B.

Act honorably, honestly, justly, responsibly, and legally.

C.

Provide diligent and competent service to principals.

D.

Give guidance for resolving good versus good and bad versus baddilemmas.

Question 51

BS 7799 is an internationally recognized ISM standard that provides high level, conceptual recommendations on enterprise security. BS 7799 is basically divided into three parts. Which of the following statements are true about BS 7799?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

BS 7799 Part 1 was adopted by ISO as ISO/IEC 27001 in November 2005.

B.

BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.

C.

BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995.

D.

BS 7799 Part 3 was published in 2005, covering risk analysis and management.

Question 52

Lisa is the project manager of the SQL project for her company. She has completed the risk response planning with her project team and is now ready to update the risk register to reflect the risk response. Which of the following statements best describes the level of detail Lisa should include with the risk responses she has created?

Options:

A.

The level of detail is set by historical information.

B.

The level of detail must define exactly the risk response for each identified risk.

C.

The level of detail is set of project risk governance.

D.

The level of detail should correspond with the priority ranking

Question 53

Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production?

Each correct answer represents a part of the solution. Choose all that apply.

Options:

A.

NIST

B.

FIPS

C.

Office of Management and Budget (OMB)

D.

FISMA

Question 54

You are the project manager of the NNQ Project for your company and are working you’re your project team to define contingency plans for the risks within your project. Mary, one of your project team members, asks what a contingency plan is. Which of the following statements best defines what a contingency response is?

Options:

A.

Some responses are designed for use only if certain events occur.

B.

Some responses have a cost and a time factor to consider for each risk event.

C.

Some responses must counteract pending risk events.

D.

Quantified risks should always have contingency responses.

Question 55

David is the project manager of HGF project for his company. David, the project team, and several key stakeholders have completed risk identification and are ready to move into qualitative risk analysis. Tracy, a project team member, does not understand why they need to complete qualitative risk analysis. Which one of the following is the best explanation for completing qualitative risk analysis?

Options:

A.

It isa rapid and cost-effective means of establishing priorities for the plan risk responses and lays the foundation for quantitative analysis.

B.

It is a cost-effective means of establishing probability and impact for the project risks.

C.

Qualitative risk analysis helps segment the project risks, create a risk breakdown structure, and create fast and accurate risk responses.

D.

All risks must pass through quantitative risk analysis before qualitative risk analysis.

Question 56

You work as a project manager for BlueWell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decided, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project which of the following are likely to increase?

Options:

A.

Quality control concerns

B.

Costs

C.

Risks

D.

Human resource needs

Question 57

Which of the following statements about the availability concept of Information security management is true?

Options:

A.

It ensures that modifications are not made to data by unauthorized personnel or processes .

B.

It ensures reliable and timely access to resources.

C.

It determines actions and behaviors of a single individual within a system.

D.

It ensures that unauthorized modifications are not made to data by authorized personnel or processes.

Question 58

The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

An ISSO manages the security of the information system that is slated for Certification &Accreditation (C&A).

B.

An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).

C.

An ISSE provides advice on the continuous monitoring of the information system.

D.

An ISSO takes part in the development activities that are required to implement system ch anges.

E.

An ISSE provides advice on the impacts of system changes.

Question 59

Mark is the project manager of the BFL project for his organization. He and the project team are creating a probability and impact matrix using RAG rating. There is some confusion and disagreement among the project team as to how a certain risk is important and priority for attention should be managed. Where can Mark determine the priority of a risk given its probability and impact?

Options:

A.

Risk response plan

B.

Project sponsor

C.

Risk management plan

D.

Look-up table

Demo: 59 questions
Total 395 questions