ISC CAP CAP – Certified Authorization Professional Exam Practice Test

Demo: 59 questions
Total 395 questions

CAP – Certified Authorization Professional Questions and Answers

Question 1

Which of the following DITSCAP C&A phases takes place between the signing of the initial version of the SSAA and the formal accreditation of the system?

Options:

A.

Phase 3

B.

Phase 1

C.

Phase 2

D.

Phase 4

Question 2

An organization monitors the hard disks of its employees' computers from time to time. Which policy does this pertain to?

Options:

A.

Network security policy

B.

User password policy

C.

Backup policy

D.

Privacy policy

Question 3

Your project team has identified a project risk that must be responded to. The risk has been recorded in the risk register and the project team has been discussing potential risk responses for the risk event. The event is not likely to happen for several months but the probability of the event is high. Which one of the following is a valid response to the identified risk event?

Options:

A.

Corrective action

B.

Technical performance measurement

C.

Risk audit

D.

Earned value management

Question 4

You are the project manager of the GHY Project for your company. You have completed the risk response planning with your project team. You now need to update the WBS. Why would the project manager need to update the WBS after the risk response planning process? Choose the best answer.

Options:

A.

Because of risks associated with work packages

B.

Because of work that was omitted during the WBS creation

C.

Because of risk responses that are now activities

D.

Because of new work generated by the risk responses

Question 5

What NIACAP certification levels are recommended by the certifier?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Minimum Analysis

B.

Basic System Review

C.

Detailed Analysis

D.

Maximum Analysis

E.

Comprehensive Analysis

F.

Basic Security Review

Question 6

Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete part of the project work for Eric's organization. Due to a change request the ZAS Corporation is no longer needed on the project even though they have completed nearly all of the project work. Is Eric's organization liable to pay the ZAS Corporation for the work they have completed so far on the project?

Options:

A.

It depends on what the outcome of a lawsuit will determine.

B.

No, the ZAS Corporation did not complete all of the work.

C.

It depends on what the termination clause of the contract stipulates.

D.

Yes, the ZAS Corporation did not choose to terminate the contract work.

Question 7

What project management plan is most likely to direct the quantitative risk analysis process for a project in a matrix environment?

Options:

A.

Staffing management plan

B.

Risk analysis plan

C.

Human resource management plan

D.

Risk management plan

Question 8

Which of the following is NOT an objective of the security program?

Options:

A.

Security organization

B.

Security plan

C.

Security education

D.

Information classification

Question 9

Which of the following statements about the availability concept of Information security management is true?

Options:

A.

It ensures that modifications are not made to data by unauthorized personnel or processes.

B.

It ensures reliable and timely access to resources.

C.

It determines actions and behaviors of a single individual within a system.

D.

It ensures that unauthorized modifications are not made to data by authorized personnel or processes.

Question 10

You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?

Options:

A.

The project's cost management plan can help you to determine what the total cost of the project is allowed to be.

B.

The project's cost management plan provides direction on how costs may be changed due to identified risks.

C.

The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget.

D.

The project's cost management plan is not an input to the quantitative risk analysis process.

Question 11

BS 7799 is an internationally recognized ISM standard that provides high level, conceptual recommendations on enterprise security. BS 7799 is basically divided into three parts. Which of the following statements are true about BS 7799?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

BS 7799 Part 1 was adopted by ISO as ISO/IEC 27001 in November 2005.

B.

BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.

C.

BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995.

D.

BS 7799 Part 3 was published in 2005, covering risk analysis and management.

Question 12

Which of the following terms related to risk management represents the estimated frequency at which a threat is expected to occur?

Options:

A.

Safeguard

B.

Single Loss Expectancy (SLE)

C.

Exposure Factor (EF)

D.

Annualized Rate of Occurrence (ARO)

Question 13

Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Which of the following are the U.S. Federal Government information security standards?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

SA System and Services Acquisition

B.

CA Certification, Accreditation, and Security Assessments

C.

IR Incident Response

D.

Information systems acquisition, development, and maintenance

Question 14

Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. What are the different categories of penetration testing?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Full-box

B.

Zero-knowledge test

C.

Full-knowledge test

D.

Open-box

E.

Partial-knowledge test

F.

Closed-box

Question 15

Mark works as a project manager for TechSoft Inc. Mark, the project team, and the key project stakeholders have completed a round of qualitative risk analysis. He needs to update the risk register with his findings so that he can communicate the risk results to the project stakeholders - including management. Mark will need to update all of the following information except for which one?

Options:

A.

Watchlist of low-priority risks

B.

Prioritized list of quantified risks

C.

Risks grouped by categories

D.

Trends in qualitative risk analysis

Question 16

During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?

Options:

A.

Risk rating

B.

Warning signs

C.

Cost of the project

D.

Symptoms

Question 17

Eric is the project manager of the MTC project for his company. In this project a vendor has offered Eric a sizeable discount on all hardware if his order total for the project is more than $125,000. Right now, Eric is likely to spend $118,000 with the vendor. If Eric spends $7,000 more, his cost savings for the project will be $12,500, but he cannot purchase hardware if he cannot implement the hardware immediately due to organizational policies. Eric consults with Amy and Allen, other project managers in the organization, and asks if they need any hardware for their projects. Both Amy and Allen need hardware and they agree to purchase the hardware through Eric's relationship with the vendor. What positive risk response has happened in this instance?

Options:

A.

Transference

B.

Exploiting

C.

Sharing

D.

Enhancing

Question 18

You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example?

Options:

A.

SWOT analysis

B.

Root cause analysis

C.

Assumptions analysis

D.

Influence diagramming techniques

Question 19

You are the project manager of the NHH project for your company. You have completed the first round of risk management planning and have created four outputs of the risk response planning process. Which one of the following is NOT an output of the risk response planning?

Options:

A.

Risk-related contract decisions

B.

Project document updates

C.

Risk register updates

D.

Organizational process assets updates

Question 20

You and your project team are just starting the risk identification activities for a project that is scheduled to last for 18 months. Your project team has already identified a long list of risks that need to be analyzed. How often should you and the project team do risk identification?

Options:

A.

At least once per month

B.

Identify risks is an iterative process.

C.

It depends on how many risks are initially identified.

D.

Several times until the project moves into execution

Question 21

Certification and Accreditation (C&A or CnA) is a process for implementing information security.

Which of the following is the correct order of C&A phases in a DITSCAP assessment?

Options:

A.

Definition, Validation, Verification, and Post Accreditation

B.

Verification, Definition, Validation, and Post Accreditation

C.

Verification, Validation, Definition, and Post Accreditation

D.

Definition, Verification, Validation, and Post Accreditation

Question 22

The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Secure accreditation

B.

Type accreditation

C.

System accreditation

D.

Site accreditation

Question 23

You are working as a project manager in your organization. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control?

Options:

A.

Quantitative risk analysis

B.

Qualitative risk analysis

C.

Requested changes

D.

Risk audits

Question 24

Neil works as a project manager for SoftTech Inc. He is working with Tom, the COO of his company, on several risks within the project. Tom understands that through qualitative analysis Neil has identified many risks in the project. Tom's concern, however, is that the priority list of these risk events is sorted into "high-risk," "moderate-risk," and "low-risk" as conditions apply within the project. Tom wants to know whether there is any other objective on which Neil can build the priority list for project risks. What will be Neil's reply to Tom?

Options:

A.

Risks may be listed by the responses in the near-term

B.

Risks may be listed by categories

C.

Risks may be listed by the additional analysis and response

D.

Risks may be listed by priority separately for schedule, cost, and performance

Question 25

You work as a project manager for BlueWell Inc. You are currently working with the project stakeholders to identify risks in your project. You understand that the qualitative risk assessment and analysis can reflect the attitude of the project team and other stakeholders to risk. Effective assessment of risk requires management of the risk attitudes of the participants. What should you, the project manager, do with assessment of identified risks in consideration of the attitude and bias of the participants towards the project risk?

Options:

A.

Document the bias for the risk events and communicate the bias with management

B.

Evaluate and document the bias towards the risk events

C.

Evaluate the bias through SWOT for true analysis of the risk events

D.

Evaluate the bias towards the risk events and correct the assessment accordingly

Question 26

You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?

Options:

A.

Project management plan

B.

Risk management plan

C.

Risk log

D.

Risk register

Question 27

Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management activity?

Options:

A.

Stakeholder register

B.

Risk register

C.

Project scope statement

D.

Risk management plan

Question 28

You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year. Management has asked you to identify the risk events and communicate the event's probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low-level of stakeholder tolerance in this project?

Options:

A.

Risk avoidance

B.

Mitigation-ready project management

C.

Risk utility function

D.

Risk-reward mentality

Question 29

You are the project manager of the NNH Project. In this project you have created a contingency response that the schedule performance index should be less than 0.93. The NHH Project has a budget at completion of $945,000 and is 45 percent complete though the project should be 49 percent complete. The project has spent $455,897 to reach the 45 percent complete milestone.

What is the project's schedule performance index?

Options:

A.

1.06

B.

0.92

C.

-$37,800

D.

0.93

Question 30

You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process?

Options:

A.

You will use organizational process assets for risk databases that may be available from industry sources.

B.

You will use organizational process assets for studies of similar projects by risk specialists.

C.

You will use organizational process assets to determine costs of all risk events within the current project.

D.

You will use organizational process assets for information from prior similar projects.

Question 31

The only output of the Perform Qualitative Risk Analysis process is risk register updates. When the project manager updates the risk register he will need to include several pieces of information including all of the following except for which one?

Options:

A.

Trends in qualitative risk analysis

B.

Risk probability-impact matrix

C.

Watchlist of low-priority risks

D.

Risks grouped by categories

Question 32

Harry is the project manager of the MMQ Construction Project. In this project Harry has identified a supplier who can create stained glass windows for 1,000 window units in the construction project. The supplier is an artist who works by himself, but creates windows for several companies throughout the United States. Management reviews the proposal to use this supplier and while they agree that the supplier is talented, they do not think the artist can fulfill the 1,000 window units in time for the project's deadline. Management asked Harry to find a supplier who will guarantee the completion of the windows by the needed date in the schedule. What risk response has management asked Harry to implement?

Options:

A.

Mitigation

B.

Acceptance

C.

Transference

D.

Avoidance

Question 33

Which of the following is an Information Assurance (IA) model that protects and defends information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation?

Options:

A.

Parkerian Hexad

B.

Capability Maturity Model (CMM)

C.

Classic information security model

D.

Five Pillars model

Question 34

Joan is a project management consultant and she has been hired by a firm to help them identify risk events within the project. Joan would first like to examine the project documents including the plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover risks within the review of the project documents?

Options:

A.

Lack of consistency between the plans and the project requirements and assumptions can be the indicators of risk in the project.

B.

The project documents will help the project manager, or Joan, to identify what risk identification approach is best to pursue.

C.

Plans that have loose definitions of terms and disconnected approaches will reveal risks.

D.

Poorly written requirements will reveal inconsistencies in the project plans and documents.

Question 35

In which of the following phases do the system security plan update and the Plan of Action and Milestones (POAM) update take place?

Options:

A.

Continuous Monitoring Phase

B.

Accreditation Phase

C.

Preparation Phase

D.

DITSCAP Phase

Question 36

ISO 17799 has two parts. The first part is an implementation guide with guidelines on how to build a comprehensive information security infrastructure and the second part is an auditing guide based on requirements that must be met for an organization to be deemed compliant with ISO 17799. What are the ISO 17799 domains?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Information security policy for the organization

B.

Personnel security

C.

Business continuity management

D.

System architecture management

E.

System development and maintenance

Question 37

Mary is the project manager of the HGH Project for her company. She and her project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly more expensive than the current vendor. What type of a response strategy is this?

Options:

A.

Contingent response strategy

B.

Expert judgment

C.

Internal risk management strategy

D.

External risk response

Question 38

Billy is the project manager of the HAR Project and is in month six of the project. The project is scheduled to last for 18 months. Management asks Billy how often the project team is participating in risk reassessment in this project. What should Billy tell management if he's following the best practices for risk management?

Options:

A.

At every status meeting of the project team, project risk management is an agenda item.

B.

Project risk management happens at every milestone.

C.

Project risk management has been concluded with the project planning.

D.

Project risk management is scheduled for every month in the 18-month project.

Question 39

Fill in the blank with an appropriate word.

________ ensures that the information is not disclosed to unauthorized persons or processes.

Options:

A.

Confidentiality

Question 40

Which of the following formulas was developed by FIPS 199 for categorization of an information system?

Options:

A.

SC information system = {(confidentiality, impact), (integrity, controls), (availability, risk)}

B.

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

C.

SC information system = {(confidentiality, controls), (integrity, controls), (availability, controls)}

D.

SC information system = {(confidentiality, risk), (integrity, impact), (availability, controls)}

Question 41

A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well designed policy?

Each correct answer represents a part of the solution. Choose all that apply.

Options:

A.

Who is expected to exploit the vulnerability?

B.

What is being secured?

C.

Where is the vulnerability, threat, or risk?

D.

Who is expected to comply with the policy?

Question 42

Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?

Options:

A.

Computer Fraud and Abuse Act

B.

FISMA

C.

Lanham Act

D.

Computer Misuse Act

Question 43

Which of the following documents is described in the statement below?

"It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning."

Options:

A.

Risk register

B.

Risk management plan

C.

Project charter

D.

Quality management plan

Question 44

You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?

Options:

A.

Risk register

B.

Risk log

C.

Risk management plan

D.

Project management plan

Question 45

You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase?

Options:

A.

Human resource needs

B.

Risks

C.

Costs

D.

Quality control concerns

Question 46

What are the responsibilities of a system owner?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Integrates security considerations into application and system purchasing decisions and development projects.

B.

Ensures that the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner.

C.

Ensures that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on.

D.

Ensures that the necessary security controls are in place.

Question 47

During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?

Options:

A.

Symptoms

B.

Cost of the project

C.

Warning signs

D.

Risk rating

Question 48

You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?

Options:

A.

Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.

B.

Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.

C.

Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives.

D.

Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.

Question 49

Ned is the project manager of the HNN project for your company. Ned has asked you to help him complete some probability distributions for his project. What portion of the project will you most likely use for probability distributions?

Options:

A.

Uncertainty in values such as duration of schedule activities

B.

Bias towards risk in new resources

C.

Risk probability and impact matrixes

D.

Risk identification

Question 50

Tom is the project manager for his organization. In his project he has recently finished the risk response planning. He tells his manager that he will now need to update the cost and schedule baselines. Why would the risk response planning cause Tom to need to update the cost and schedule baselines?

Options:

A.

New or omitted work as part of a risk response can cause changes to the cost and/or schedule baseline.

B.

Risk responses protect the time and investment of the project.

C.

Risk responses may take time and money to implement.

D.

Baselines should not be updated, but refined through versions.

Question 51

Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of a chart is management asking you to create?

Options:

A.

Work breakdown structure

B.

Roles and responsibility matrix

C.

Resource breakdown structure

D.

RACI chart

Question 52

In which of the following elements of security does the object retain its veracity and is intentionally modified by the authorized subjects?

Options:

A.

Integrity

B.

Nonrepudiation

C.

Availability

D.

Confidentiality

Question 53

Which of the following individuals makes the final accreditation decision?

Options:

A.

DAA

B.

ISSO

C.

CIO

D.

CISO

Question 54

Under which type of access control does a user ID and password system fall?

Options:

A.

Administrative

B.

Technical

C.

Physical

D.

Power

Question 55

Which of the following individuals is responsible for configuration management and control tasks?

Options:

A.

Authorizing official

B.

Information system owner

C.

Chief information officer

D.

Common control provider

Question 56

Which of the following statements about the authentication concept of information security management is true?

Options:

A.

It determines the actions and behaviors of a single individual within a system, and identifies that particular individual.

B.

It ensures that modifications are not made to data by unauthorized personnel or processes.

C.

It establishes the users' identity and ensures that the users are who they say they are.

D.

It ensures the reliable and timely access to resources.

Question 57

In what portion of a project are risks and opportunities greatest and require intense planning and anticipation of risk events?

Options:

A.

Planning

B.

Executing

C.

Closing

D.

Initiating

Question 58

An authentication method uses smart cards as well as usernames and passwords for authentication. Which of the following authentication methods is being referred to?

Options:

A.

Anonymous

B.

Multi-factor

C.

Biometrics

D.

Mutual

Question 59

Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?

Options:

A.

DAA

B.

RTM

C.

ATM

D.

CRO
