CAP : Certified Authorization Professional : Part 05

The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. Which of the following participants are required in a NIACAP security assessment?

Each correct answer represents a part of the solution. Choose all that apply.
- Information Assurance Manager
- Designated Approving Authority
- IS program manager
- User representative
- Certification agent
Which of the following processes is described in the statement below?

“It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project.”
- Perform Quantitative Risk Analysis
- Perform Qualitative Risk Analysis
- Monitor and Control Risks
- Identify Risks
There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?
- Enhance
- Exploit
- Acceptance
- Share
You are the project manager for TTP project. You are in the Identify Risks process. You have to create the risk register. Which of the following are included in the risk register?

Each correct answer represents a complete solution. Choose two.
- List of potential responses
- List of identified risks
- List of mitigation techniques
- List of key stakeholders
The Software Configuration Management (SCM) process defines the need to trace changes, and the ability to verify that the final delivered software has all of the planned enhancements that are supposed to be included in the release. What are the procedures that must be defined for each software project to ensure that a sound SCM process is implemented?

Each correct answer represents a complete solution. Choose all that apply.
- Configuration status accounting
- Configuration change control
- Configuration deployment
- Configuration audits
- Configuration identification
- Configuration implementation
Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?
- FIPS
- TCSEC
- SSAA
- FITSAF
Your project team has identified a project risk that must be responded to. The risk has been recorded in the risk register and the project team has been discussing potential risk responses for the risk event. The event is not likely to happen for several months but the probability of the event is high. Which one of the following is a valid response to the identified risk event?
- Corrective action
- Technical performance measurement
- Risk audit
- Earned value management
Which of the following documents is described in the statement below?

“It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning.”
- Project charter
- Risk management plan
- Risk register
- Quality management plan
Joan is a project management consultant and she has been hired by a firm to help them identify risk events within the project. Joan would first like to examine the project documents including the plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover risks within the review of the project documents?
- The project documents will help the project manager, or Joan, to identify what risk identification approach is best to pursue.
- Plans that have loose definitions of terms and disconnected approaches will reveal risks.
- Poorly written requirements will reveal inconsistencies in the project plans and documents.
- Lack of consistency between the plans and the project requirements and assumptions can be the indicators of risk in the project.
Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production?

Each correct answer represents a part of the solution. Choose all that apply.
- NIST
- FIPS
- Office of Management and Budget (OMB)
- FISMA
Which of the following refers to a process that is used for implementing information security?
- Certification and Accreditation (C&A)
- Information Assurance (IA)
- Five Pillars model
- Classic information security model
What project management plan is most likely to direct the quantitative risk analysis process for a project in a matrix environment?
- Staffing management plan
- Risk analysis plan
- Human resource management plan
- Risk management plan
Kelly is the project manager of the BHH project for her organization. She is completing the risk identification process for this portion of her project. Which one of the following is the only thing that the risk identification process will create for Kelly?
- Project document updates
- Risk register updates
- Change requests
- Risk register
You are the project manager for your organization. You are working with your project team to complete the qualitative risk analysis process. The first tool and technique you are using requires that you assess the probability and what other characteristic of each identified risk in the project?
- Risk owner
- Risk category
- Impact
- Cost
You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project’s cost management plan. Why is it necessary to include the project’s cost management plan in the preparation for the quantitative risk analysis process?
- The project’s cost management plan can help you to determine what the total cost of the project is allowed to be.
- The project’s cost management plan provides direction on how costs may be changed due to identified risks.
- The project’s cost management plan provides control that may help determine the structure for quantitative analysis of the budget.
- The project’s cost management plan is not an input to the quantitative risk analysis process .
Which of the following statements about the availability concept of Information security management is true?
- It ensures that modifications are not made to data by unauthorized personnel or processes .
- It ensures reliable and timely access to resources.
- It determines actions and behaviors of a single individual within a system.
- It ensures that unauthorized modifications are not made to data by authorized personnel or processes.
Which of the following are the objectives of the security certification documentation task?

Each correct answer represents a complete solution. Choose all that apply.
- To prepare the Plan of Action and Milestones (POAM) based on the security assessment
- To provide the certification findings and recommendations to the information system owner
- To assemble the final security accreditation package and then submit it to the authorizing o fficial
- To update the system security plan based on the results of the security assessment
Which of the following statements about System Access Control List (SACL) is true?
- It contains a list of any events that are set to audit for that particular object.
- It is a mechanism for reducing the need for globally unique IP addresses.
- It contains a list of both users and groups and whatever permissions they have.
- It exists for each and every permission entry assigned to any object.
Security Test and Evaluation (ST&E) is a component of risk assessment. It is useful in discovering system vulnerabilities. For what purposes is ST&E used?

Each correct answer represents a complete solution. Choose all that apply.
- To implement the design of system architecture
- To determine the adequacy of security mechanisms, assurances, and other properties to enforce the security policy
- To assess the degree of consistency between the system documentation and its implement ation
- To uncover design, implementation, and operational flaws that may allow the violation of security policy
Which of the following individuals is responsible for the final accreditation decision?
- Certification Agent
- User Representative
- Information System Owner
- Risk Executive

CAP : Certified Authorization Professional : All Parts
CAP Part 01	CAP Part 06	CAP Part 11	CAP Part 16
CAP Part 02	CAP Part 07	CAP Part 12	CAP Part 17
CAP Part 03	CAP Part 08	CAP Part 13	CAP Part 18
CAP Part 04	CAP Part 09	CAP Part 14	CAP Part 19
CAP Part 05	CAP Part 10	CAP Part 15	CAP Part 20

CAP : Certified Authorization Professional : All Parts
CAP Part 01	CAP Part 06	CAP Part 11	CAP Part 16
CAP Part 02	CAP Part 07	CAP Part 12	CAP Part 17
CAP Part 03	CAP Part 08	CAP Part 13	CAP Part 18
CAP Part 04	CAP Part 09	CAP Part 14	CAP Part 19
CAP Part 05	CAP Part 10	CAP Part 15	CAP Part 20

CAP : Certified Authorization Professional : Part 05

Each correct answer represents a part of the solution. Choose all that apply.

Which of the following processes is described in the statement below?

“It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project.”

There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?

You are the project manager for TTP project. You are in the Identify Risks process. You have to create the risk register. Which of the following are included in the risk register?

Each correct answer represents a complete solution. Choose two.

Each correct answer represents a complete solution. Choose all that apply.

Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?

Which of the following documents is described in the statement below?

“It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning.”

Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production?

Each correct answer represents a part of the solution. Choose all that apply.

Which of the following refers to a process that is used for implementing information security?

What project management plan is most likely to direct the quantitative risk analysis process for a project in a matrix environment?

Kelly is the project manager of the BHH project for her organization. She is completing the risk identification process for this portion of her project. Which one of the following is the only thing that the risk identification process will create for Kelly?

You are the project manager for your organization. You are working with your project team to complete the qualitative risk analysis process. The first tool and technique you are using requires that you assess the probability and what other characteristic of each identified risk in the project?

Which of the following statements about the availability concept of Information security management is true?

Which of the following are the objectives of the security certification documentation task?

Each correct answer represents a complete solution. Choose all that apply.

Which of the following statements about System Access Control List (SACL) is true?

Security Test and Evaluation (ST&E) is a component of risk assessment. It is useful in discovering system vulnerabilities. For what purposes is ST&E used?

Each correct answer represents a complete solution. Choose all that apply.

Which of the following individuals is responsible for the final accreditation decision?