CAP : Certified Authorization Professional : Part 07

  1. Which of the following is used throughout the entire C&A process?

    • DAA
    • DITSCAP
    • SSAA
    • DIACAP
  2. What does OCTAVE stand for?

    • Operationally Computer Threat, Asset, and Vulnerability Evaluation
    • Operationally Critical Threat, Asset, and Vulnerability Evaluation
    • Operationally Computer Threat, Asset, and Vulnerability Elimination
    • Operationally Critical Threat, Asset, and Vulnerability Elimination
  3. Which of the following C&A professionals plays the role of an advisor?

    • Information System Security Engineer (ISSE)
    • Chief Information Officer (CIO)
    • Authorizing Official
    • Information Owner
  4. Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual?

    • DoD 5200.22-M
    • DoD 5200.1-R
    • DoD 8910.1
    • DoDD 8000.1
    • DoD 7950.1-M
  5. Walter is the project manager of a large construction project. He’ll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the work in the project is very dangerous, so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes to fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario considering the risk event?

    • Project contractual relationship with the vendor
    • Project communications plan
    • Project management plan
    • Project scope statement
  6. During which of the following processes is the probability and impact matrix prepared?

    • Plan Risk Responses
    • Perform Quantitative Risk Analysis
    • Perform Qualitative Risk Analysis
    • Monitor and Control Risks
  7. During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?

    • Symptoms
    • Cost of the project
    • Warning signs
    • Risk rating
  8. An authentication method requires both a smart card and a username and password. Which of the following authentication methods is being referred to?

    • Anonymous
    • Multi-factor
    • Biometrics
    • Mutual
  9. In February 2004, NIST published FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, as part of the Certification & Accreditation (C&A) process.

    What levels of potential impact are defined by FIPS 199?

    Each correct answer represents a complete solution. Choose all that apply.

    • Low
    • Moderate
    • High
    • Medium
  10. Which of the following is NOT an objective of the security program?

    • Security organization
    • Security plan
    • Security education
    • Information classification
  11. A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of policies?

    Each correct answer represents a complete solution. Choose all that apply.

    • Systematic
    • Regulatory
    • Advisory
    • Informative
  12. Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?

    • TCSEC
    • FIPS
    • SSAA
    • FITSAF
  13. Which of the following statements correctly describes DIACAP residual risk?

    • It is the risk remaining in the information system after risk mitigation has been applied.
    • It is a process of security authorization.
    • It is the technical implementation of the security design.
    • It is used to validate the information system.
  14. Which of the following statements about Discretionary Access Control List (DACL) is true?

    • It is a rule list containing access control entries.
    • It specifies whether an audit record should be generated when a subject attempts to access the object.
    • It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.
    • It is a unique number that identifies a user, group, or computer account.
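    The four options in question 14 describe, respectively, an ACL in general, the SACL, the DACL, and a SID. The script below is an added example (not part of the original quiz) that shows each of them on a real file so the distinction is concrete: it reads the DACL, adds a Deny access control entry, prints the descriptor in SDDL form, attempts to read the SACL, and resolves each trustee name in the DACL to its SID. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the file name and the choice of BUILTIN\Guests as the trustee are illustrative.

```powershell
# Added example, not from the original page. Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.
# Constructed sample file under %TEMP%; the name is illustrative.
$path = Join-Path $env:TEMP 'dacl-demo.txt'
Set-Content -Path $path -Value 'constructed sample file'

# DACL: the list of access control entries (ACEs) that allow or deny trustees access to the object.
$acl = Get-Acl -Path $path
$acl.Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Add an explicit Deny ACE for the built-in Guests group (illustrative trustee) and write it back.
$deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'BUILTIN\Guests', 'Read', 'Deny'
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# Re-read the descriptor. The SDDL string carries the owner (O:), group (G:), DACL (D:) and,
# when present, the SACL (S:); the new Deny ACE appears in the D: section.
$acl = Get-Acl -Path $path
$acl.Sddl

# SACL: audit entries. They are only returned when -Audit is requested, and reading them
# requires SeSecurityPrivilege, so this fails in a non-elevated shell.
try {
    (Get-Acl -Path $path -Audit -ErrorAction Stop).Audit | Format-Table -AutoSize
} catch {
    Write-Warning "SACL not readable: $($_.Exception.Message)"
}

# SID: the unique identifier behind each trustee name that appears in an ACE.
$acl.Access | ForEach-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    '{0,-40} {1}' -f $_.IdentityReference, $sid
}

Remove-Item -Path $path
```

Run the script twice, once from a normal shell and once elevated, to see the SACL read succeed only when the shell holds SeSecurityPrivilege; the DACL and SIDs are readable either way because reading the DACL needs only READ_CONTROL on the object.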
  15. Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?

    • DAA
    • RTM
    • ATM
    • CRO
  16. Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state?

    • Configuration management
    • Procurement management
    • Change management
    • Risk management
  17. Under which type of access control does a user ID and password system fall?

    • Administrative
    • Technical
    • Physical
    • Power
  18. There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?

    • Enhance
    • Exploit
    • Acceptance
    • Share
  19. Which of the following processes is described in the statement below?

    “It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project.”

    • Perform Quantitative Risk Analysis
    • Monitor and Control Risks
    • Perform Qualitative Risk Analysis
    • Identify Risks
  20. Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of a chart is management asking you to create?

    • Work breakdown structure
    • Roles and responsibility matrix
    • Resource breakdown structure
    • RACI chart