CAP : Certified Authorization Professional : Part 01

  1. The Identify Risk process determines the risks that affect the project and documents their characteristics. Why should the project team members be involved in the Identify Risk process?

    • They are the individuals that will have the best responses for identified risks events within the project.
    • They are the individuals that are most affected by the risk events.
    • They are the individuals that will need a sense of ownership and responsibility for the risk events.
    • They are the individuals that will most likely cause and respond to the risk events.
  2. Which of the following NIST Special Publication documents provides a guideline on questionnaires and checklists through which systems can be evaluated for compliance against specific control objectives?

    • NIST SP 800-53A
    • NIST SP 800-26
    • NIST SP 800-53
    • NIST SP 800-59
    • NIST SP 800-60
    • NIST SP 800-37
  3. Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency, or state of affairs?

    • Business continuity plan
    • Continuity of Operations Plan
    • Disaster recovery plan
    • Contingency plan
  4. You work as a project manager for TechSoft Inc. You, the project team, and the key project stakeholders have completed a round of quantitative risk analysis. You now need to update the risk register with your findings so that you can communicate the risk results to the project stakeholders – including management. You will need to update all of the following information except for which one?

    • Probability of achieving cost and time objectives
    • Risk distributions within the project schedule
    • Probabilistic analysis of the project
    • Trends in quantitative risk analysis
  5. Lisa is the project manager of the SQL project for her company. She has completed the risk response planning with her project team and is now ready to update the risk register to reflect the risk response. Which of the following statements best describes the level of detail Lisa should include with the risk responses she has created?

    • The level of detail is set by historical information.
    • The level of detail must define exactly the risk response for each identified risk.
    • The level of detail is set by project risk governance.
    • The level of detail should correspond with the priority ranking
  6. David is the project manager of HGF project for his company. David, the project team, and several key stakeholders have completed risk identification and are ready to move into qualitative risk analysis. Tracy, a project team member, does not understand why they need to complete qualitative risk analysis. Which one of the following is the best explanation for completing qualitative risk analysis?

    • It is a rapid and cost-effective means of establishing priorities for the plan risk responses and lays the foundation for quantitative analysis.
    • It is a cost-effective means of establishing probability and impact for the project risks.
    • Qualitative risk analysis helps segment the project risks, create a risk breakdown structure, and create fast and accurate risk responses.
    • All risks must pass through quantitative risk analysis before qualitative risk analysis.
  7. FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?

    • Level 2
    • Level 5
    • Level 4
    • Level 1
    • Level 3
  8. Sammy is the project manager for her organization. She would like to rate each risk based on its probability and effect on time, cost, and scope. Harry, a project team member, has never done this before and thinks Sammy is wrong to attempt this approach. Harry says that an accumulative risk score should be created, not three separate risk scores. Who is correct in this scenario?

    • Harry is correct, because the risk probability and impact considers all objectives of the project.
    • Harry is correct, the risk probability and impact matrix is the only approach to risk assessment.
    • Sammy is correct, because she is the project manager.
    • Sammy is correct, because organizations can create risk scores for each objective of the project.
  9. An authentication method uses smart cards as well as usernames and passwords for authentication. Which of the following authentication methods is being referred to?

    • Anonymous
    • Multi-factor
    • Biometrics
    • Mutual
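    The scenario in question 9 combines something the user knows (a password) with something the user has (a smart card). The following Python example is added here to illustrate that combination; it is not part of the original page. The smart card is simulated with an HMAC over a server-issued nonce (a real card would typically sign the challenge with an on-card private key), and the user record, salt, and card secret are all constructed values.

```python
"""Added example (not from the original page): a minimal two-factor check
combining a password (something you know) with a smart-card-style
challenge-response (something you have).  The card is simulated with an
HMAC over a server-issued nonce; a real card would sign the challenge with
a private key that never leaves the card.  All names and keys are constructed."""
import hashlib
import hmac
import secrets

# Constructed server-side records: salted PBKDF2 password hash plus the
# per-card secret enrolled when the (hypothetical) card was issued.
_PW_SALT = b"constructed-salt"
_ITERATIONS = 100_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _PW_SALT, _ITERATIONS),
        "card_key": b"constructed-card-secret-16b!",  # hypothetical enrolled card secret
    }
}


def issue_challenge() -> bytes:
    """Fresh random nonce per login attempt, so a captured response cannot be replayed."""
    return secrets.token_bytes(16)


def card_respond(card_key: bytes, challenge: bytes) -> bytes:
    """What the simulated smart card computes over the server's challenge."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


def verify_password(user: str, password: str) -> bool:
    """Factor 1: something you know."""
    rec = USERS.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _PW_SALT, _ITERATIONS)
    return hmac.compare_digest(digest, rec["pw_hash"])


def verify_card(user: str, challenge: bytes, response: bytes) -> bool:
    """Factor 2: something you have, proven by answering this challenge."""
    rec = USERS.get(user)
    if rec is None:
        return False
    expected = card_respond(rec["card_key"], challenge)
    return hmac.compare_digest(expected, response)


def authenticate(user: str, password: str, challenge: bytes, response: bytes) -> bool:
    """Multi-factor: both independent factors must verify.

    Both checks are evaluated before combining so the caller cannot tell
    from timing which factor failed."""
    pw_ok = verify_password(user, password)
    card_ok = verify_card(user, challenge, response)
    return pw_ok and card_ok


if __name__ == "__main__":
    ch = issue_challenge()
    resp = card_respond(USERS["alice"]["card_key"], ch)
    print("both factors:", authenticate("alice", "correct horse", ch, resp))
    print("password only:", authenticate("alice", "correct horse", ch, b"\x00" * 32))
    print("card only:", authenticate("alice", "wrong", ch, resp))
```

    The point of the example is the last two calls: a correct password with a bad card response, or a valid card response with a wrong password, is rejected, and a response captured from one login cannot be replayed against a later challenge because the nonce changes.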
  10. An organization monitors the hard disks of its employees’ computers from time to time. Which policy does this pertain to?

    • Network security policy
    • User password policy
    • Backup policy
    • Privacy policy
  11. You work as a project manager for BlueWell Inc. You are working with your team members on the risk responses in the project. Which risk response will likely cause a project to use the procurement processes?

    • Acceptance
    • Mitigation
    • Exploiting
    • Sharing
  12. ISO 17799 has two parts. The first part is an implementation guide with guidelines on how to build a comprehensive information security infrastructure and the second part is an auditing guide based on requirements that must be met for an organization to be deemed compliant with ISO 17799. What are the ISO 17799 domains?

    Each correct answer represents a complete solution. Choose all that apply.

    • Information security policy for the organization
    • System architecture management
    • Business continuity management
    • System development and maintenance
    • Personnel security
  13. Adrian is a project manager for a new project using a technology that has recently been released and there’s relatively little information about the technology. Initial testing of the technology makes the use of it look promising, but there’s still uncertainty as to the longevity and reliability of the technology. Adrian wants to treat the technology as a risk factor for her project. Where should she document the risks associated with this technology so she can track the risk status and responses?

    • Project charter
    • Risk register
    • Project scope statement
    • Risk low-level watch list
  14. Which of the following is a risk response planning technique associated with threats that seeks to reduce the probability of occurrence or impact of a risk to below an acceptable threshold?

    • Exploit
    • Transference
    • Mitigation
    • Avoidance
  15. BS 7799 is an internationally recognized ISM standard that provides high level, conceptual recommendations on enterprise security. BS 7799 is basically divided into three parts. Which of the following statements are true about BS 7799?

    Each correct answer represents a complete solution. Choose all that apply.

    • BS 7799 Part 1 was adopted by ISO as ISO/IEC 27001 in November 2005.
    • BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
    • BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995.
    • BS 7799 Part 3 was published in 2005, covering risk analysis and management.
  16. The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation?

    Each correct answer represents a complete solution. Choose all that apply.

    • System accreditation
    • Type accreditation
    • Site accreditation
    • Secure accreditation
  17. You are the project manager of the GHY Project for your company. You have completed the risk response planning with your project team. You now need to update the WBS. Why would the project manager need to update the WBS after the risk response planning process? Choose the best answer.

    • Because of risks associated with work packages
    • Because of work that was omitted during the WBS creation
    • Because of risk responses that are now activities
    • Because of new work generated by the risk responses
  18. Risk transference is the transfer of a risk to a third party, usually for a fee; it creates a contractual relationship in which the third party manages the risk on behalf of the performing organization. Which one of the following is NOT an example of the transference risk response?

    • Use of insurance
    • Life cycle costing
    • Warranties
    • Performance bonds
  19. Tracy is the project manager of the NLT Project for her company. The NLT Project is scheduled to last 14 months and has a budget at completion of $4,555,000. Tracy’s organization will receive a bonus of $80,000 per day that the project is completed early up to $800,000. Tracy realizes that there are several opportunities within the project to save on time by crashing the project work.

    Crashing the project is what type of risk response?

    • Mitigation
    • Exploit
    • Enhance
    • Transference
  20. Diana is the project manager of the QPS project for her company. In this project Diana and the project team have identified a pure risk. Diana and the project team decided, along with the key stakeholders, to remove the pure risk from the project by changing the project plan altogether.

    What is a pure risk?

    • It is a risk event that only has a negative side, such as loss of life or limb.
    • It is a risk event that cannot be avoided because of the order of the work.
    • It is a risk event that is created by a risk response.
    • It is a risk event that is generated due to errors or omission in the project work.