CAP : Certified Authorization Professional : Part 10

  1. In which of the following phases does the SSAA maintenance take place?

    • Phase 4
    • Phase 2
    • Phase 1
    • Phase 3
  2. Which of the following statements is true about the continuous monitoring process?

    • It takes place in the middle of system security accreditation.
    • It takes place before and after system security accreditation.
    • It takes place before the initial system security accreditation.
    • It takes place after the initial system security accreditation.
  3. Which of the following individuals is responsible for the final accreditation decision?

    • Information System Owner
    • Certification Agent
    • User Representative
    • Risk Executive
  4. Which of the following is a risk that is created by the response to another risk?

    • Secondary risk
    • Residual risk
    • Positive risk
    • Negative risk
  5. Which of the following processes has the goal to ensure that any change does not lead to reduced or compromised security?

    • Risk management
    • Security management
    • Configuration management
    • Change control management
  6. There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?

    • Exploit
    • Share
    • Enhance
    • Acceptance
  7. Which of the following persons is responsible for testing and verifying whether the security policy is properly implemented and whether the derived security solutions are adequate?

    • Auditor
    • User
    • Data custodian
    • Data owner
  8. Which of the following processes provides a standard set of activities, general tasks, and a management structure to certify and accredit systems, which maintain the information assurance and the security posture of a system or site?

    • DITSCAP
    • NIACAP
    • NSA-IAM
    • ASSET
  9. Which of the following statements about the role-based access control (RBAC) model is true?

    • In this model, the permissions are uniquely assigned to each user account.
    • In this model, a user can access resources according to his role in the organization.
    • In this model, the same permission is assigned to each user account.
    • In this model, the users can access resources according to their seniority.
  10. The Project Risk Management knowledge area focuses on which of the following processes?

    Each correct answer represents a complete solution. Choose all that apply.

    • Quantitative Risk Analysis
    • Potential Risk Monitoring
    • Risk Monitoring and Control
    • Risk Management Planning
  11. Certification and Accreditation (C&A or CnA) is a process for implementing information security.

    Which of the following is the correct order of C&A phases in a DITSCAP assessment?

    • Definition, Validation, Verification, and Post Accreditation
    • Verification, Definition, Validation, and Post Accreditation
    • Definition, Verification, Validation, and Post Accreditation
    • Verification, Validation, Definition, and Post Accreditation
  12. Which of the following system security policies is used to address specific issues of concern to the organization?

    • Program policy
    • Issue-specific policy
    • Informative policy
    • System-specific policy
  13. Which of the following individuals is responsible for ensuring the security posture of the organization’s information system?

    • Authorizing Official
    • Chief Information Officer
    • Security Control Assessor
    • Common Control Provider
  14. In which of the following Risk Management Framework (RMF) phases is a risk profile created for threats?

    • Phase 3
    • Phase 1
    • Phase 2
    • Phase 0
  15. You work as a project manager for BlueWell Inc. You are working on a project and the management wants a rapid and cost-effective means for establishing priorities for planning risk responses in your project. Which risk management process can satisfy management’s objective for your project?

    • Qualitative risk analysis
    • Quantitative analysis
    • Historical information
    • Rolling wave planning
  16. Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?

    • The custodian implements the information classification scheme after the initial assignment by the operations manager.
    • The data custodian implements the information classification scheme after the initial assignment by the data owner.
    • The data owner implements the information classification scheme after the initial assignment by the custodian.
    • The custodian makes the initial information classification assignments, and the operations manager implements the scheme.
  17. Which of the following NIST C&A documents is the guideline for identifying an information system as a National Security System?

    • NIST SP 800-53
    • NIST SP 800-59
    • NIST SP 800-37
    • NIST SP 800-53A
  18. The only output of the Perform Qualitative Risk Analysis process is risk register updates. When the project manager updates the risk register, he will need to include several pieces of information, including all of the following except for which one?

    • Trends in qualitative risk analysis
    • Risk probability-impact matrix
    • Watchlist of low-priority risks
    • Risks grouped by categories
  19. Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management activity?

    • Stakeholder register
    • Risk register
    • Project scope statement
    • Risk management plan
  20. Which of the following roles is responsible for review and risk analysis of all contracts on a regular basis?

    • The Supplier Manager
    • The IT Service Continuity Manager
    • The Service Catalogue Manager
    • The Configuration Manager