CAP : Certified Authorization Professional : Part 14

CAP : Certified Authorization Professional : Part 14

1. Which of the following assessment methodologies defines a six-step technical security evaluation?

   • FITSAF
   • FIPS 102
   • OCTAVE
   • DITSCAP

2. DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP?

   Each correct answer represents a complete solution. Choose all that apply.

   • Accreditation
   • Identification
   • System Definition
   • Verification
   • Validation
   • Re-Accreditation

3. Which of the following professionals plays the role of a monitor and takes part in the organization’s configuration management process?

   • Senior Agency Information Security Officer
   • Authorizing Official
   • Common Control Provider
   • Chief Information Officer

4. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer?

   Each correct answer represents a complete solution. Choose all that apply.

   • Preserving high-level communications and working group relationships in an organization
   • Facilitating the sharing of security risk-related information among authorizing officials
   • Establishing effective continuous monitoring program for the organization
   • Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan

5. The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE?

   Each correct answer represents a complete solution. Choose all that apply.

   • An ISSE provides advice on the impacts of system changes.
   • An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).
   • An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).
   • An ISSO takes part in the development activities that are required to implement system changes.
   • An ISSE provides advice on the continuous monitoring of the information system.

6. FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?

   • Level 4
   • Level 1
   • Level 3
   • Level 5
   • Level 2

7. Certification and Accreditation (C&A or CnA) is a process for implementing information security.

   Which of the following is the correct order of C&A phases in a DITSCAP assessment?

   • Definition, Validation, Verification, and Post Accreditation
   • Verification, Definition, Validation, and Post Accreditation
   • Verification, Validation, Definition, and Post Accreditation
   • Definition, Verification, Validation, and Post Accreditation

8. System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of System Authorization Plan?

   Each correct answer represents a part of the solution. Choose all that apply.

   • Post-Authorization
   • Pre-certification
   • Post-certification
   • Certification
   • Authorization

9. Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use?

   • Mandatory Access Control
   • Role-Based Access Control
   • Discretionary Access Control
   • Policy Access Control

10. Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?

    • FITSAF
    • FIPS
    • TCSEC
    • SSAA

11. James work as an IT systems personnel in SoftTech Inc. He performs the following tasks:

    Runs regular backups and routine tests of the validity of the backup data.

    Performs data restoration from the backups whenever required.

    Maintains the retained records in accordance with the established information classification policy.

    What is the role played by James in the organization?

    • Manager
    • Owner
    • Custodian
    • User

12. You are working as a project manager in your organization. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control?

    • Quantitative risk analysis
    • Qualitative risk analysis
    • Requested changes
    • Risk audits

13. You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis?

    • Information on prior, similar projects
    • Review of vendor contracts to examine risks in past projects
    • Risk databases that may be available from industry sources
    • Studies of similar projects by risk specialists

14. System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of System Authorization Plan?

    Each correct answer represents a part of the solution. Choose all that apply.

    • Pre-certification
    • Certification
    • Post-certification
    • Authorization
    • Post-Authorization

15. A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?

    • Avoidance
    • Mitigation
    • Exploit
    • Transference

16. You are the project manager for your organization. You have identified a risk event you’re your organization could manage internally or externally. If you manage the event internally it will cost your project $578,000 and an additional $12,000 per month the solution is in use. A vendor can manage the risk event for you. The vendor will charge $550,000 and $14,500 per month that the solution is in use. How many months will you need to use the solution to pay for the internal solution in comparison to the vendor’s solution?

    • Approximately 13 months
    • Approximately 11 months
    • Approximately 15 months
    • Approximately 8 months

17. Which of the following refers to the ability to ensure that the data is not modified or tampered with?

    • Confidentiality
    • Availability
    • Integrity
    • Non-repudiation

18. Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of a chart is management asking you to create?

    • Work breakdown structure
    • Resource breakdown structure
    • RACI chart
    • Roles and responsibility matrix

19. In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system?

    • Full operational test
    • Walk-through test
    • Penetration test
    • Paper test

20. Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment?

    • Phase 4
    • Phase 3
    • Phase 2
    • Phase 1