CAP : Certified Authorization Professional : Part 19

  1. You are the program manager for your project. You are working with the project managers regarding the procurement processes for their projects. You have ruled out one particular contract type because it is considered too risky for the program. Which one of the following contract types is usually considered to be the most dangerous for the buyer?

    • Cost plus incentive fee
    • Time and materials
    • Cost plus percentage of costs
    • Fixed fee
  2. Which of the following types of evidence is a collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity or person?

    • Circumstantial
    • Incontrovertible
    • Direct
    • Corroborating
  3. Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis, Courtney encourages the project team to begin grouping identified risks by common causes. What is the primary advantage of grouping risks by common causes during qualitative risk analysis?

    • It can lead to developing effective risk responses.
    • It can lead to the creation of risk categories unique to each project.
    • It helps the project team realize the areas of the project most laden with risks.
    • It saves time by collecting the related resources, such as project team members, to analyze the risk events.
  4. You work as a project manager for BlueWell Inc. You are working with Nancy, the COO of your company, on several risks within the project. Nancy understands that through qualitative analysis you have identified 80 risks that have a low probability and low impact as the project is currently planned. Nancy’s concern, however, is that the impact and probability of these risk events may change as conditions within the project change. She would like to know where you will document and record these 80 risks that have low probability and low impact for future reference.

    What should you tell Nancy?

    • Risk identification is an iterative process so any changes to the low probability and low impact risks will be reassessed throughout the project life cycle.
    • Risks with low probability and low impact are recorded in a watchlist for future monitoring.
    • All risks, regardless of their assessed impact and probability, are recorded in the risk log.
    • All risks are recorded in the risk management plan.
  5. What course of action can be taken by a party if the current negotiations fail and an agreement cannot be reached?

    • PON
    • ZOPA
    • BATNA
    • Bias
  6. Which of the following is the acronym of RTM?

    • Resource tracking method
    • Requirements Traceability Matrix
    • Resource timing method
    • Requirements Testing Matrix
  7. Thomas is the project manager of the NHJ Project for his company. He has identified several positive risk events within his project and he thinks these events can save the project time and money. Positive risk events such as these within the NHJ Project are also known as what?

    • Opportunities
    • Benefits
    • Ancillary constituent components
    • Contingency risks
  8. Which of the following NIST documents provides a guideline for identifying an information system as a National Security System?

    • NIST SP 800-53
    • NIST SP 800-59
    • NIST SP 800-53A
    • NIST SP 800-37
    • NIST SP 800-60
  9. You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process?

    • Cost management plan
    • Procurement management plan
    • Stakeholder register
    • Quality management plan
  10. There are seven risk responses that a project manager can choose from. Which risk response is appropriate for both positive and negative risk events?

    • Acceptance
    • Mitigation
    • Sharing
    • Transference
  11. Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?

    • SSAA
    • FIPS
    • FITSAF
    • TCSEC
  12. Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation?

    Each correct answer represents a complete solution. Choose two.

    • Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
    • Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
    • Certification is the official management decision given by a senior agency official to authorize operation of an information system.
    • Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
  13. Amy is the project manager for her company. In her current project the organization has a very low tolerance for risk events that will affect the project schedule. Management has asked Amy to consider the effect of all the risks on the project schedule. What approach can Amy take to create a bias against risks that will affect the schedule of the project?

    • She can have the project team pad their time estimates to alleviate delays in the project schedule.
    • She can shift risk-laden activities that affect the project schedule from the critical path as much as possible.
    • She can create an overall project rating scheme to reflect the bias towards risks that affect the project schedule.
    • She can filter all risks based on their effect on schedule versus other project objectives.
  14. Joan is a project management consultant and she has been hired by a firm to help them identify risk events within the project. Joan would first like to examine the project documents including the plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover risks within the review of the project documents?

    • Lack of consistency between the plans and the project requirements and assumptions can be the indicators of risk in the project.
    • The project documents will help the project manager, or Joan, to identify what risk identification approach is best to pursue.
    • Plans that have loose definitions of terms and disconnected approaches will reveal risks.
    • Poorly written requirements will reveal inconsistencies in the project plans and documents.
  15. Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency, or state of affairs?

    • Continuity of Operations Plan
    • Disaster recovery plan
    • Contingency plan
    • Business continuity plan
  16. Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase?

    Each correct answer represents a complete solution. Choose all that apply.

    • System development
    • Certification analysis
    • Registration
    • Assessment of the Analysis Results
    • Configuring refinement of the SSAA
  17. ISO 17799 has two parts. The first part is an implementation guide with guidelines on how to build a comprehensive information security infrastructure and the second part is an auditing guide based on requirements that must be met for an organization to be deemed compliant with ISO 17799. What are the ISO 17799 domains?

    Each correct answer represents a complete solution. Choose all that apply.

    • Information security policy for the organization
    • Personnel security
    • Business continuity management
    • System architecture management
    • System development and maintenance
  18. Which of the following individuals informs all C&A participants about life cycle actions, security requirements, and documented user needs?

    • IS program manager
    • Certification Agent
    • User representative
    • DAA
  19. Your project has several risks that may cause serious financial impact should they happen. You have studied the risk events and prepared some potential risk responses for them, but management wants you to do more. They’d like you to create some type of chart that identifies the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart?

    • Quantitative analysis
    • Risk response plan
    • Contingency reserve
    • Risk response
  20. Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis process when Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the following statements best defines what quantitative risk analysis will review?

    • The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project’s competing demands.
    • The quantitative risk analysis reviews the results of risk identification and prepares the project for risk response management.
    • The quantitative risk analysis process will review risk events for their probability and impact on the project objectives.
    • The quantitative risk analysis seeks to determine the true cost of each identified risk event and the probability of each risk event to determine the risk exposure.