CAP : Certified Authorization Professional : Part 11

  1. You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example?

    • SWOT analysis
    • Root cause analysis
    • Assumptions analysis
    • Influence diagramming techniques
  2. You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?

    • Project management plan
    • Risk management plan
    • Risk log
    • Risk register
  3. Which of the following RMF phases is known as risk analysis?

    • Phase 2
    • Phase 1
    • Phase 0
    • Phase 3
  4. Jenny is the project manager of the NHJ Project for her company. She has identified several positive risk events within the project and she thinks these events can save the project time and money. You, a new team member, want to know how many risk responses are available for a positive risk event. What will Jenny reply?

    • Four
    • Seven
    • Acceptance is the only risk response for positive risk events.
    • Three
  5. You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process?

    • You will use organizational process assets for risk databases that may be available from industry sources.
    • You will use organizational process assets for studies of similar projects by risk specialists.
    • You will use organizational process assets to determine costs of all risks events within the current project.
    • You will use organizational process assets for information from prior similar projects.
  6. Which of the following objectives are defined by integrity in the CIA triad of information security systems?

    Each correct answer represents a part of the solution. Choose three.

    • It preserves the internal and external consistency of information.
    • It prevents the unauthorized or unintentional modification of information by the authorized users.
    • It prevents the modification of information by the unauthorized users.
    • It prevents the intentional or unintentional unauthorized disclosure of a message’s contents.
  7. You and your project team are just starting the risk identification activities for a project that is scheduled to last for 18 months. Your project team has already identified a long list of risks that need to be analyzed. How often should you and the project team do risk identification?

    • At least once per month
    • Identify risks is an iterative process.
    • It depends on how many risks are initially identified.
    • Several times until the project moves into execution
  8. Which of the following are included in Physical Controls?

    Each correct answer represents a complete solution. Choose all that apply.

    • Locking systems and removing unnecessary floppy or CD-ROM drives
    • Environmental controls
    • Password and resource management
    • Identification and authentication methods
    • Monitoring for intrusion
    • Controlling individual access into the facility and different departments
  9. Which of the following NIST Special Publication documents provides a guideline on network security testing?

    • NIST SP 800-60
    • NIST SP 800-53A
    • NIST SP 800-37
    • NIST SP 800-42
    • NIST SP 800-59
    • NIST SP 800-53
  10. Which one of the following is the only output for the qualitative risk analysis process?

    • Project management plan
    • Risk register updates
    • Enterprise environmental factors
    • Organizational process assets
  11. Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing. Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request?

    • Configuration management system
    • Change log
    • Scope change control system
    • Integrated change control
  12. Which of the following assessment methodologies defines a six-step technical security evaluation?

    • OCTAVE
    • FITSAF
    • DITSCAP
    • FIPS 102
  13. You are the project manager of the NHH Project. In this project you have defined a contingency response that is triggered if the schedule performance index falls below 0.93. The NHH Project has a budget at completion of $945,000 and is 45 percent complete, though the project should be 49 percent complete. The project has spent $455,897 to reach the 45 percent complete milestone.

    What is the project’s schedule performance index?

    • 1.06
    • 0.92
    • -$37,800
    • 0.93
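    The earned-value arithmetic behind question 13, as an added worked example (this code is not part of the original question set). It computes the planned value, earned value, schedule and cost variances, and the SPI and CPI from the question's figures, and also shows where the distractor answers come from: -$37,800 is the schedule variance, not the SPI, and 0.93 is the cost performance index. The function names and the `contingency_triggered` threshold check are this example's own.

```python
"""Earned-value indicators for a schedule-risk contingency check (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EvmStatus:
    """Snapshot of the standard earned-value figures for a project."""
    budget_at_completion: float
    planned_value: float   # PV = BAC x planned percent complete
    earned_value: float    # EV = BAC x actual percent complete
    actual_cost: float     # AC = money spent so far
    schedule_variance: float  # SV = EV - PV (negative means behind schedule)
    cost_variance: float      # CV = EV - AC (negative means over budget)
    spi: float                # SPI = EV / PV (below 1.0 means behind schedule)
    cpi: float                # CPI = EV / AC (below 1.0 means over budget)


def evm_status(bac: float, percent_complete: float,
               percent_planned: float, actual_cost: float) -> EvmStatus:
    """Derive PV, EV, variances and performance indices from the raw inputs.

    Percentages are fractions (0.45 for 45 percent). PV and AC must be
    non-zero, otherwise the indices are undefined and a ValueError is raised.
    """
    if not (0.0 <= percent_complete <= 1.0 and 0.0 <= percent_planned <= 1.0):
        raise ValueError("percentages must be fractions between 0 and 1")
    ev = bac * percent_complete
    pv = bac * percent_planned
    if pv == 0 or actual_cost == 0:
        raise ValueError("PV and AC must be non-zero to compute SPI and CPI")
    return EvmStatus(
        budget_at_completion=bac,
        planned_value=pv,
        earned_value=ev,
        actual_cost=actual_cost,
        schedule_variance=ev - pv,
        cost_variance=ev - actual_cost,
        spi=ev / pv,
        cpi=ev / actual_cost,
    )


def contingency_triggered(status: EvmStatus, spi_threshold: float = 0.93) -> bool:
    """True when the SPI has dropped below the threshold set in the contingency response."""
    return status.spi < spi_threshold


if __name__ == "__main__":
    # Figures from question 13: BAC $945,000, 45% done vs 49% planned, $455,897 spent.
    status = evm_status(bac=945_000, percent_complete=0.45,
                        percent_planned=0.49, actual_cost=455_897)
    print(f"PV  = ${status.planned_value:,.0f}")
    print(f"EV  = ${status.earned_value:,.0f}")
    print(f"SV  = ${status.schedule_variance:,.0f}")   # -$37,800: a distractor, not the SPI
    print(f"SPI = {status.spi:.2f}")                    # 0.92: the answer
    print(f"CPI = {status.cpi:.2f}")                    # 0.93: another distractor
    print(f"contingency triggered: {contingency_triggered(status)}")
```

With the question's numbers SPI is 425,250 / 463,050, which rounds to 0.92, so the contingency response would fire under a 0.93 threshold.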
  14. Which of the following roles is also known as the accreditor?

    • Chief Risk Officer
    • Data owner
    • Designated Approving Authority
    • Chief Information Officer
  15. In which of the following phases of the DITSCAP process does Security Test and Evaluation (ST&E) occur?

    • Phase 2
    • Phase 3
    • Phase 1
    • Phase 4
  16. You are the project manager of the NHH project for your company. You have completed the first round of risk management planning and have created four outputs of the risk response planning process. Which one of the following is NOT an output of the risk response planning?

    • Risk-related contract decisions
    • Project document updates
    • Risk register updates
    • Organizational process assets updates
  17. Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?

    • RTM
    • CRO
    • DAA
    • ATM
  18. Amy is the project manager for her company. In her current project the organization has a very low tolerance for risk events that will affect the project schedule. Management has asked Amy to consider the effect of all the risks on the project schedule. What approach can Amy take to create a bias against risks that will affect the schedule of the project?

    • She can have the project team pad their time estimates to alleviate delays in the project schedule.
    • She can create an overall project rating scheme to reflect the bias towards risks that affect the project schedule.
    • She can filter all risks based on their effect on schedule versus other project objectives.
    • She can shift risk-laden activities that affect the project schedule from the critical path as much as possible.
  19. Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state?

    • Procurement management
    • Change management
    • Risk management
    • Configuration management
  20. A Web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark’s financial and personal details to another company. Which of the following Internet laws has the credit card issuing company violated?

    • Security law
    • Privacy law
    • Copyright law
    • Trademark law