CAP : Certified Authorization Professional : Part 13

  1. Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred understands that once the quantitative risk analysis process is complete, it will need to be performed at least twice more during the project. When will the quantitative risk analysis process need to be repeated?

    • Quantitative risk analysis process will be completed again after risk response planning and as part of procurement.
    • Quantitative risk analysis process will be completed again after the cost management planning and as a part of monitoring and controlling.
    • Quantitative risk analysis process will be completed again after new risks are identified and as part of monitoring and controlling.
    • Quantitative risk analysis process will be completed again after the risk response planning and as a part of monitoring and controlling.
  2. Which of the following are the common roles with regard to data in an information classification program?

    Each correct answer represents a complete solution. Choose all that apply.

    • Custodian
    • User
    • Security auditor
    • Editor
    • Owner
  3. To help review or design security controls, they can be classified by several criteria. One of these criteria is the nature of the control. According to this criterion, which of the following control types consists of incident response processes, management oversight, security awareness, and training?

    • Technical control
    • Physical control
    • Procedural control
    • Compliance control
  4. An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing Official?

    Each correct answer represents a complete solution. Choose all that apply.

    • Establishing and implementing the organization’s continuous monitoring program
    • Determining the requirement of reauthorization and reauthorizing information systems when required
    • Reviewing security status reports and critical security documents
    • Ascertaining the security posture of the organization’s information system
  5. You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you’re creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance?

    • Sharing
    • Avoidance
    • Transference
    • Exploiting
  6. You are the project manager of the GHQ project for your company. You are working with your project team to prepare for the qualitative risk analysis process. Mary, a project team member, does not understand why you need to complete qualitative risk analysis. You explain to Mary that qualitative risk analysis helps you determine which risks need additional analysis. There are also other benefits that qualitative risk analysis provides for the project. Which one of the following is NOT an accomplishment of the qualitative risk analysis process?

    • Cost of the risk impact if the risk event occurs
    • Corresponding impact on project objectives
    • Time frame for a risk response
    • Prioritization of identified risk events based on probability and impact
  7. Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use?

    • Discretionary Access Control
    • Mandatory Access Control
    • Policy Access Control
    • Role-Based Access Control
  8. According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls. Which of the following are among the eight areas of IA defined by DoD?

    Each correct answer represents a complete solution. Choose all that apply.

    • VI Vulnerability and Incident Management
    • DC Security Design & Configuration
    • EC Enclave and Computing Environment
    • Information systems acquisition, development, and maintenance
  9. DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information. What phases are identified by DIACAP?

    Each correct answer represents a complete solution. Choose all that apply.

    • Validation
    • Re-Accreditation
    • Verification
    • System Definition
    • Identification
    • Accreditation
  10. Which of the following is a subset discipline of Corporate Governance focused on information security systems and their performance and risk management?

    • Lanham Act
    • ISG
    • Clinger-Cohen Act
    • Computer Misuse Act
  11. Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation?

    Each correct answer represents a complete solution. Choose two.

    • Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
    • Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
    • Certification is the official management decision given by a senior agency official to authorize operation of an information system.
    • Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
  12. Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production?

    Each correct answer represents a part of the solution. Choose all that apply.

    • NIST
    • FIPS
    • FISMA
    • Office of Management and Budget (OMB)
  13. The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation?

    Each correct answer represents a complete solution. Choose all that apply.

    • Secure accreditation
    • Type accreditation
    • System accreditation
    • Site accreditation
  14. There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to the perform quantitative risk analysis process?

    • Risk register
    • Cost management plan
    • Risk management plan
    • Enterprise environmental factors
  15. Your project has several risks that may cause serious financial impact should they happen. You have studied the risk events and drafted some potential risk responses for them, but management wants you to do more. They would like you to create some type of chart that identifies the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart?

    • Risk response plan
    • Quantitative analysis
    • Risk response
    • Contingency reserve
  16. Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?

    • Authorizing Official
    • Chief Risk Officer (CRO)
    • Chief Information Officer (CIO)
    • Information system owner
  17. Ben is the project manager of the YHT Project for his company. Alice, one of his team members, is confused about when project risks will happen in the project. Which one of the following statements is the most accurate about when project risk happens?

    • Project risk can happen at any moment.
    • Project risk is uncertain, so no one can predict when the event will happen.
    • Project risk happens throughout the project execution.
    • Project risk is always in the future.
  18. You are the project manager of the NKJ Project for your company. The project’s success or failure will have a significant impact on your organization’s profitability for the coming year. Management has asked you to identify the risk events and communicate each event’s probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low level of stakeholder tolerance in this project?

    • Risk avoidance
    • Mitigation-ready project management
    • Risk utility function
    • Risk-reward mentality
  19. Where can a project manager find risk-rating rules?

    • Risk probability and impact matrix
    • Organizational process assets
    • Enterprise environmental factors
    • Risk management plan