CAP : Certified Authorization Professional : Part 18

  1. Which of the following is used in the practice of Information Assurance (IA) to define assurance requirements?

    • Classic information security model
    • Communications Management Plan
    • Five Pillars model
    • Parkerian Hexad
  2. Joan is the project manager of the BTT project for her company. She has worked with her project team to create risk responses for both positive and negative risk events within the project. As a result of this process, Joan needs to update the project documents. She has updated the assumptions log as a result of the findings and risk responses, but what other documentation will need to be updated as an output of risk response planning?

    • Lessons learned
    • Scope statement
    • Risk Breakdown Structure
    • Technical documentation
  3. Which of the following access control models uses a predefined set of access privileges for an object of a system?

    • Discretionary Access Control
    • Mandatory Access Control
    • Policy Access Control
    • Role-Based Access Control
  4. Ned is the program manager for his organization and he’s considering some new materials for his program. He and his team have never worked with these materials before and he wants to ask the vendor for some additional information, a demo, and even some samples. What type of document should Ned send to the vendor?

    • IFB
    • RFI
    • RFQ
    • RFP
  5. Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?

    • Computer Fraud and Abuse Act
    • FISMA
    • Lanham Act
    • Computer Misuse Act
  6. What approach can a project manager use to improve the project’s performance during qualitative risk analysis?

    • Create a risk breakdown structure and delegate the risk analysis to the appropriate project team members.
    • Focus on high-priority risks.
    • Focus on near-term risks first.
    • Analyze as many risks as possible regardless of who initiated the risk event.
  7. Mary is the project manager for the BLB project. She has instructed the project team to assemble to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis?

    • Mary will utilize the schedule controls and the nature of the schedule for the quantitative analysis of the schedule.
    • Mary will schedule when the identified risks are likely to happen and affect the project schedule.
    • Mary will utilize the schedule controls to determine how risks may be allowed to change the project schedule.
    • Mary will use the schedule management plan to schedule the risk identification meetings throughout the remaining project.
  8. Sammy is the project manager for her organization. She would like to rate each risk based on its probability and effect on time, cost, and scope. Harry, a project team member, has never done this before and thinks Sammy is wrong to attempt this approach. Harry says that a cumulative risk score should be created, not three separate risk scores. Who is correct in this scenario?

    • Sammy is correct, because organizations can create risk scores for each objective of the project.
    • Harry is correct, because the risk probability and impact considers all objectives of the project.
    • Harry is correct, the risk probability and impact matrix is the only approach to risk assessment.
    • Sammy is correct, because she is the project manager.
  9. Which of the following phases of the DITSCAP C&A process is used to define the C&A level of effort, to identify the main C&A roles and responsibilities, and to create an agreement on the method for implementing the security requirements?

    • Phase 3
    • Phase 2
    • Phase 4
    • Phase 1
  10. You are the project manager of the GGG project. You have completed the risk identification process for the initial phases of your project. As you begin to document the risk events in the risk register, what additional information can you associate with the identified risk events?

    • Risk schedule
    • Risk potential responses
    • Risk cost
    • Risk owner
  11. Which of the following are the tasks performed by the owner in the information classification schemes?

    Each correct answer represents a part of the solution. Choose three.

    • To make original determination to decide what level of classification the information requires, which is based on the business requirements for the safety of the data.
    • To perform data restoration from the backups whenever required.
    • To review the classification assignments from time to time and make alterations as the business requirements alter.
    • To delegate the responsibility of the data safeguard duties to the custodian.
  12. Which of the following approaches can be used to build a security program?

    Each correct answer represents a complete solution. Choose all that apply.

    • Bottom-Up Approach
    • Right-Up Approach
    • Top-Down Approach
    • Left-Up Approach
  13. Which of the following are the goals of risk management?

    Each correct answer represents a complete solution. Choose three.

    • Finding an economic balance between the impact of the risk and the cost of the countermeasure
    • Identifying the risk
    • Assessing the impact of potential threats
    • Identifying the accused
  14. In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system?

    • Full operational test
    • Penetration test
    • Paper test
    • Walk-through test
  15. You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process?

    • You will use organizational process assets for studies of similar projects by risk specialists.
    • You will use organizational process assets to determine costs of all risks events within the current project.
    • You will use organizational process assets for information from prior similar projects.
    • You will use organizational process assets for risk databases that may be available from industry sources.
  16. A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well-designed policy?

    Each correct answer represents a part of the solution. Choose all that apply.

    • Who is expected to exploit the vulnerability?
    • What is being secured?
    • Where is the vulnerability, threat, or risk?
    • Who is expected to comply with the policy?
  17. The Project Risk Management knowledge area focuses on which of the following processes?

    Each correct answer represents a complete solution. Choose all that apply.

    • Potential Risk Monitoring
    • Risk Management Planning
    • Quantitative Risk Analysis
    • Risk Monitoring and Control
  18. Which of the following objectives are defined by integrity in the C.I.A. triad of information security systems?

    Each correct answer represents a part of the solution. Choose three.

    • It preserves the internal and external consistency of information.
    • It prevents the unauthorized or unintentional modification of information by the authorized users.
    • It prevents the intentional or unintentional unauthorized disclosure of a message’s contents.
    • It prevents the modification of information by the unauthorized users.
  19. You work as a project manager for BlueWell Inc. Management has asked you to work with the key project stakeholder to analyze the risk events you have identified in the project. They would like you to analyze the project risks with a goal of improving the project’s performance as a whole.

    What approach can you use to achieve the goal of improving the project’s performance through risk analysis with your project stakeholders?

    • Involve subject matter experts in the risk analysis activities
    • Focus on the high-priority risks through qualitative risk analysis
    • Use qualitative risk analysis to quickly assess the probability and impact of risk events
    • Involve the stakeholders for risk identification only in the phases where the project directly affects them
  20. Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity, it would be an example of what risk response?

    • Opportunistic
    • Positive
    • Enhancing
    • Exploiting