CAP : Certified Authorization Professional : Part 08

  1. Shoulder surfing is a type of in-person attack in which the attacker directly observes a victim to obtain information such as passwords or PINs. It is often carried out by surreptitiously watching an employee’s keyboard or screen while they type their password at an access point such as a terminal or Web site. Which of the following is violated in a shoulder surfing attack?

    • Authenticity
    • Integrity
    • Availability
    • Confidentiality
  2. Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete part of the project work for Eric’s organization. Due to a change request, the ZAS Corporation is no longer needed on the project even though it has completed nearly all of the project work. Is Eric’s organization liable to pay the ZAS Corporation for the work it has completed so far on the project?

    • No, the ZAS Corporation did not complete all of the work.
    • Yes, the ZAS Corporation did not choose to terminate the contract work.
    • It depends on what the outcome of a lawsuit will determine.
    • It depends on what the termination clause of the contract stipulates
  3. Which one of the following is the only output for the qualitative risk analysis process?

    • Enterprise environmental factors
    • Project management plan
    • Risk register updates
    • Organizational process assets
  4. Which of the following RMF phases is known as risk analysis?

    • Phase 0
    • Phase 1
    • Phase 2
    • Phase 3
  5. You work as a project manager for BlueWell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decided, with your stakeholders’ approval, to fast track the project work to get the project done faster. When you fast track the project which of the following are likely to increase?

    • Risks
    • Human resource needs
    • Quality control concerns
    • Costs
  6. Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment?

    • Phase 3
    • Phase 2
    • Phase 4
    • Phase 1
  7. Harry is a project manager of a software development project. In the early stages of planning, he and the stakeholders operated with the belief that the software they were developing would work with their organization’s current computer operating system. Now that the project team has started developing the software it has become apparent that the software will not work with nearly half of the organization’s computer operating systems. The incorrect belief Harry had in the software compatibility is an example of what in project management?

    • Assumption
    • Issue
    • Risk
    • Constraint
  8. The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE?

    Each correct answer represents a complete solution. Choose all that apply.

    • An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).
    • An ISSO takes part in the development activities that are required to implement system changes.
    • An ISSE provides advice on the continuous monitoring of the information system.
    • An ISSE provides advice on the impacts of system changes.
    • An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).
  9. Which of the following statements about the authentication concept of information security management is true?

    • It determines the actions and behaviors of a single individual within a system, and identifies that particular individual.
    • It ensures that modifications are not made to data by unauthorized personnel or processes.
    • It establishes the users’ identity and ensures that the users are who they say they are.
    • It ensures the reliable and timely access to resources.
  10. You and your project team have identified the project risks and now are analyzing the probability and impact of the risks. What type of analysis of the risks provides a quick and high-level review of each identified risk event?

    • Qualitative risk analysis
    • Seven risk responses
    • Quantitative risk analysis
    • A risk probability-impact matrix
  11. NIST SP 800-53A defines three types of interview depending on the level of assessment conducted. Which of the following NIST SP 800-53A interviews consists of informal and ad hoc interviews?

    • Substantial
    • Significant
    • Abbreviated
    • Comprehensive
  12. Which of the following acts promote a risk-based policy for cost effective security?

    Each correct answer represents a part of the solution. Choose all that apply.

    • Clinger-Cohen Act
    • Lanham Act
    • Computer Misuse Act
    • Paperwork Reduction Act (PRA)
  13. To help review or design security controls, they can be classified by several criteria. One of these criteria is based on time, that is, on when a control acts relative to an incident. According to this criterion, which of the following controls are intended to prevent an incident from occurring?

    • Adaptive controls
    • Preventive controls
    • Detective controls
    • Corrective controls
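    The time-based classification in question 13 (preventive, detective, corrective) is easiest to see with concrete controls side by side. The following Python sketch is an added example, not code from the original page: a password policy and attempt throttle act before an incident (preventive), a scan over authentication log lines discovers a brute-force pattern after the fact (detective), and an account lock with a forced credential reset contains the damage once it is found (corrective). The log format, thresholds, user names and addresses are all constructed assumptions for the demo.

```python
import re
from collections import Counter

# ---- Preventive controls: act before an incident can occur ----
MIN_PASSWORD_LENGTH = 12   # assumed policy value
MAX_FAILED_ATTEMPTS = 5    # assumed throttle value


def password_meets_policy(password: str) -> bool:
    """Reject weak credentials at set time so they never reach the system."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
    )


class LoginThrottle:
    """Refuse further attempts once an account exceeds the failure budget."""

    def __init__(self, limit: int = MAX_FAILED_ATTEMPTS):
        self.limit = limit
        self.failures = Counter()

    def attempt_allowed(self, user: str) -> bool:
        return self.failures[user] < self.limit

    def record_failure(self, user: str) -> None:
        self.failures[user] += 1


# ---- Detective control: discover an incident from the evidence it left ----
# Constructed log line format, e.g.:
# "2024-05-01T10:00:01Z sshd result=fail user=alice src=203.0.113.7"
LOG_RE = re.compile(r"result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")


def detect_bruteforce(lines, threshold: int = 3):
    """Return (src, user) pairs with at least `threshold` failed logins."""
    fails = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("result") == "fail":
            fails[(m.group("src"), m.group("user"))] += 1
    return sorted(key for key, n in fails.items() if n >= threshold)


# ---- Corrective control: limit damage after the incident is detected ----
class AccountStore:
    def __init__(self):
        self.locked = set()
        self.reset_required = set()

    def lock_and_require_reset(self, user: str) -> None:
        self.locked.add(user)
        self.reset_required.add(user)

    def is_locked(self, user: str) -> bool:
        return user in self.locked


# Constructed sample log: three failures from one source, one stray failure
# and one success from another.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z sshd result=fail user=alice src=203.0.113.7",
    "2024-05-01T10:00:02Z sshd result=fail user=alice src=203.0.113.7",
    "2024-05-01T10:00:03Z sshd result=fail user=alice src=203.0.113.7",
    "2024-05-01T10:00:09Z sshd result=fail user=bob src=198.51.100.2",
    "2024-05-01T10:00:15Z sshd result=ok user=bob src=198.51.100.2",
]


def respond_to_log(lines, store: AccountStore):
    """Wire detective output to the corrective action; returns locked users."""
    for _src, user in detect_bruteforce(lines):
        store.lock_and_require_reset(user)
    return sorted(store.locked)


if __name__ == "__main__":
    print("policy accepts weak password:", password_meets_policy("password"))
    print("brute-force sources:", detect_bruteforce(SAMPLE_LOG))
    print("locked after response:", respond_to_log(SAMPLE_LOG, AccountStore()))
```

Note that the throttle and the lock look alike in code but sit in different classes: the throttle refuses requests before any compromise happens, while the lock is applied only after the detective scan has found evidence of an attack.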
  14. You are the project manager for a construction project. The project involves casting a column in a very narrow space. Because of the lack of space, casting it is highly dangerous, and a high level of technical skill will be required. You decide to hire a local expert team to cast that column. Which of the following types of risk response are you following?

    • Mitigation
    • Avoidance
    • Transference
    • Acceptance
  15. You work as a project manager for BlueWell Inc. Your project is running late and you must respond to the risk. Which risk response can you choose that will also cause you to update the human resource management plan?

    • Fast tracking the project
    • Teaming agreements
    • Transference
    • Crashing the project
  16. Which of the following groups represents the most likely source of an asset loss through the inappropriate use of computers?

    • Hackers
    • Visitors
    • Customers
    • Employees
  17. You are the project manager of the NNN project for your company. You and the project team are working together to plan the risk responses for the project. You feel that the team has successfully completed risk response planning, and now you must determine which risk process comes next. Which of the following risk processes is repeated after Plan Risk Responses to determine whether the overall project risk has been satisfactorily decreased?

    • Risk identification
    • Qualitative risk analysis
    • Risk response implementation
    • Quantitative risk analysis
  18. What are the responsibilities of a system owner?

    Each correct answer represents a complete solution. Choose all that apply.

    • Integrates security considerations into application and system purchasing decisions and development projects.
    • Ensures that the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner.
    • Ensures that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on.
    • Ensures that the necessary security controls are in place.
  19. During which of the following processes is the probability and impact matrix prepared?

    • Plan Risk Responses
    • Perform Quantitative Risk Analysis
    • Perform Qualitative Risk Analysis
    • Monitoring and Control Risks
  20. Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation?

    Each correct answer represents a complete solution. Choose two.

    • Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
    • Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
    • Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
    • Certification is the official management decision given by a senior agency official to authorize operation of an information system.