CAP : Certified Authorization Professional : Part 17

CAP : Certified Authorization Professional : Part 17

1. In which of the following Risk Management Framework (RMF) phases is strategic risk assessment planning performed?

   • Phase 0
   • Phase 1
   • Phase 2
   • Phase 3

2. Which of the following assessment methods is used to review, inspect, and analyze assessment objects?

   • Testing
   • Examination
   • Interview
   • Debugging

3. Which of the following classification levels defines the information that, if disclosed to the unauthorized parties, could be reasonably expected to cause exceptionally grave damage to the national security?

   • Secret information
   • Top Secret information
   • Confidential information
   • Unclassified information

4. Mary is the project manager of the HGH Project for her company. She and her project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly more expensive than the current vendor. What type of a response strategy is this?

   • Contingent response strategy
   • Expert judgment
   • Internal risk management strategy
   • External risk response

5. Which of the following individuals is responsible for monitoring the information system environment for factors that can negatively impact the security of the system and its accreditation?

   • Chief Risk Officer
   • Chief Information Security Officer
   • Information System Owner
   • Chief Information Officer

6. Which of the following describes residual risk as the risk remaining after risk mitigation has occurred?

   • DIACAP
   • ISSO
   • SSAA
   • DAA

7. You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders’ approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase?

   • Human resource needs
   • Risks
   • Costs
   • Quality control concerns

8. Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?

   • Risk monitoring and control
   • Scope change control
   • Configuration management
   • Integrated change control

9. Nancy is the project manager of the NHH project. She and the project team have identified a significant risk in the project during the qualitative risk analysis process. Bob is familiar with the technology that the risk is affecting and proposes to Nancy a solution to the risk event. Nancy tells Bob that she has noted his response, but the risk really needs to pass through the quantitative risk analysis process before creating responses. Bob disagrees and ensures Nancy that his response is most appropriate for the identified risk. Who is correct in this scenario?

   • Bob is correct. Bob is familiar with the technology and the risk event so his response should be implemented.
   • Nancy is correct. Because Nancy is the project manager she can determine the correct procedures for risk analysis and risk responses. In addition, she has noted the risk response that Bob recommends.
   • Nancy is correct. All risks of significant probability and impact should pass the quantitative risk analysis process before risk responses are created.
   • Bob is correct. Not all risk events have to pass the quantitative risk analysis process to develop effective risk responses.

10. Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?

    • FITSAF
    • TCSEC
    • FIPS
    • SSAA

11. The Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. What are the process activities of this phase?

    Each correct answer represents a complete solution. Choose all that apply.

    • Maintenance of the SSAA
    • Compliance validation
    • Change management
    • System operations
    • Security operations
    • Continue to review and refine the SSAA

12. Walter is the project manager of a large construction project. He’ll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the works in the project are very dangerous so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes into fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario considering the risk event?

    • Project management plan
    • Project contractual relationship with the vendor
    • Project communications plan
    • Project scope statement

13. Which of the following is a temporary approval to operate based on an assessment of the implementation status of the assigned IA Controls?

    • IATT
    • ATO
    • IATO
    • DATO

14. SIMULATION

    Fill in the blank with an appropriate word.
    ________ ensures that the information is not disclosed to unauthorized persons or processes.

    • Confidentiality

15. Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Which of the following are the international information security standards?

    Each correct answer represents a complete solution. Choose all that apply.

    • Human resources security
    • Organization of information security
    • Risk assessment and treatment
    • AU audit and accountability

16. Beth is the project manager of the BFG Project for her company. In this project Beth has decided to create a contingency response based on the performance of the project schedule. If the project schedule variance is greater than $10,000 the contingency plan will be implemented. What is the formula for the schedule variance?

    • SV=EV-PV
    • SV=EV/AC
    • SV=PV-EV
    • SV=EV/PV

17. You are the project manager of the HJK Project for your organization. You and the project team have created risk responses for many of the risk events in the project. Where should you document the proposed responses and the current status of all identified risks?

    • Risk management plan
    • Stakeholder management strategy
    • Risk register
    • Lessons learned documentation

18. Which of the following documents is used to provide a standard approach to the assessment of NIST SP 800-53 security controls?

    • NIST SP 800-37
    • NIST SP 800-41
    • NIST SP 800-53A
    • NIST SP 800-66

19. What is the objective of the Security Accreditation Decision task?

    • To determine whether the agency-level risk is acceptable or not.
    • To make an accreditation decision
    • To accredit the information system
    • To approve revisions of NIACAP

20. You are the project manager for your organization. You are working with your key stakeholders in the qualitative risk analysis process. You understand that there is certain bias towards the risk events in the project that you need to address, manage, and ideally reduce. What solution does the PMBOK recommend to reduce the influence of bias during qualitative risk analysis?

    • Establish the definitions of the levels of probability and impact
    • Isolate the stakeholders by project phases to determine their risk bias
    • Involve all stakeholders to vote on the probability and impact of the risk events
    • Provide iterations of risk analysis for true reflection of a risk probability and impact