
Note: the CAP exam covered by these questions has been retired. Please select the replacement certification exam instead.

CAP CAP – Certified Authorization Professional Questions and Answers

Questions 4

Information Security management is a process of defining the security controls in order to protect information assets. The first action of a management program to implement information security is to have a security program in place. What are the objectives of a security program?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Security organization

B.

System classification

C.

Information classification

D.

Security education

Questions 5

Which of the following DITSCAP C&A phases takes place between the signing of the initial version of the SSAA and the formal accreditation of the system?

Options:

A.

Phase 3

B.

Phase 1

C.

Phase 2

D.

Phase 4

Questions 6

Harry is a project manager of a software development project. In the early stages of planning, he and the stakeholders operated with the belief that the software they were developing would work with their organization's current computer operating system. Now that the project team has started developing the software it has become apparent that the software will not work with nearly half of the organization's computer operating systems. The incorrect belief Harry had in the software compatibility is an example of what in project management?

Options:

A.

Issue

B.

Risk

C.

Constraint

D.

Assumption

Questions 7

Which of the following is NOT an objective of the security program?

Options:

A.

Security organization

B.

Security plan

C.

Security education

D.

Information classification

Questions 8

Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?

Options:

A.

FIPS

B.

TCSEC

C.

SSAA

D.

FITSAF

Questions 9

According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls. Which of the following are among the eight areas of IA defined by DoD?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

DC Security Design & Configuration

B.

VI Vulnerability and Incident Management

C.

EC Enclave and Computing Environment

D.

Information systems acquisition, development, and maintenance

Questions 10

Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis process when Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the following statements best defines what quantitative risk analysis will review?

Options:

A.

The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project's competing demands.

B.

The quantitative risk analysis reviews the results of risk identification and prepares the project for risk response management.

C.

The quantitative risk analysis process will review risk events for their probability and impact on the project objectives.

D.

The quantitative risk analysis seeks to determine the true cost of each identified risk event and the probability of each risk event to determine the risk exposure.

Questions 11

Which of the following is a temporary approval to operate based on an assessment of the implementation status of the assigned IA Controls?

Options:

A.

IATT

B.

ATO

C.

IATO

D.

DATO

Questions 12

Amy is the project manager for her company. In her current project, the organization has a very low tolerance for risk events that will affect the project schedule. Management has asked Amy to consider the effect of all the risks on the project schedule. What approach can Amy take to create a bias against risks that will affect the schedule of the project?

Options:

A.

She can have the project team pad their time estimates to alleviate delays in the project schedule.

B.

She can shift risk-laden activities that affect the project schedule from the critical path as much as possible.

C.

She can create an overall project rating scheme to reflect the bias towards risks that affect the project schedule.

D.

She can filter all risks based on their effect on the schedule versus other project objectives.

Questions 13

Which of the following phases of the DITSCAP C&A process is used to define the C&A level of effort, to identify the main C&A roles and responsibilities, and to create an agreement on the method for implementing the security requirements?

Options:

A.

Phase 3

B.

Phase 2

C.

Phase 4

D.

Phase 1

Questions 14

Mary is the project manager of the HGH Project for her company. She and her project team have agreed that if the vendor is late by more than ten days, they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but its products are significantly more expensive than the current vendor's. What type of response strategy is this?

Options:

A.

External risk response

B.

Internal risk management strategy

C.

Contingent response strategy

D.

Expert judgment

Questions 15

What project management plan is most likely to direct the quantitative risk analysis process for a project in a matrix environment?

Options:

A.

Staffing management plan

B.

Risk analysis plan

C.

Human resource management plan

D.

Risk management plan

Questions 16

Tracy is the project manager of the NLT Project for her company. The NLT Project is scheduled to last 14 months and has a budget at completion of $4,555,000. Tracy's organization will receive a bonus of $80,000 per day that the project is completed early up to $800,000. Tracy realizes that there are several opportunities within the project to save on time by crashing the project work.

Crashing the project is what type of risk response?

Options:

A.

Mitigation

B.

Exploit

C.

Enhance

D.

Transference

Questions 17

You are the project manager of the BlueStar project in your company. Your company is structured as a functional organization and you report to the functional manager that you are ready to move onto the qualitative risk analysis process. What will you need as inputs for the qualitative risk analysis of the project in this scenario?

Options:

A.

You will need the risk register, risk management plan, project scope statement, and any relevant organizational process assets.

B.

You will need the risk register, risk management plan, outputs of qualitative risk analysis, and any relevant organizational process assets.

C.

You will need the risk register, risk management plan, permission from the functional manager, and any relevant organizational process assets.

D.

Qualitative risk analysis does not happen through the project manager in a functional structure.

Questions 18

There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?

Options:

A.

Enhance

B.

Exploit

C.

Acceptance

D.

Share

Questions 19

Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete part of the project work for Eric's organization. Due to a change request the ZAS Corporation is no longer needed on the project even though they have completed nearly all of the project work. Is Eric's organization liable to pay the ZAS Corporation for the work they have completed so far on the project?

Options:

A.

It depends on what the outcome of a lawsuit will determine.

B.

No, the ZAS Corporation did not complete all of the work.

C.

It depends on what the termination clause of the contract stipulates.

D.

Yes, the ZAS Corporation did not choose to terminate the contract work.

Questions 20

Which of the following tasks are identified by the Plan of Action and Milestones document?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

The plans that need to be implemented

B.

The resources needed to accomplish the elements of the plan

C.

Any milestones that are needed in meeting the tasks

D.

The tasks that are required to be accomplished

E.

Scheduled completion dates for the milestones

Questions 21

Your project team has identified a project risk that must be responded to. The risk has been recorded in the risk register and the project team has been discussing potential risk responses for the risk event. The event is not likely to happen for several months but the probability of the event is high. Which one of the following is a valid response to the identified risk event?

Options:

A.

Corrective action

B.

Technical performance measurement

C.

Risk audit

D.

Earned value management

Questions 22

Which of the following statements about the authentication concept of information security management is true?

Options:

A.

It determines the actions and behaviors of a single individual within a system, and identifies that particular individual.

B.

It ensures that modifications are not made to data by unauthorized personnel or processes.

C.

It establishes the users' identity and ensures that the users are who they say they are.

D.

It ensures the reliable and timely access to resources.

Questions 23

Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of a chart is management asking you to create?

Options:

A.

Work breakdown structure

B.

Roles and responsibility matrix

C.

Resource breakdown structure

D.

RACI chart

Questions 24

In which of the following Risk Management Framework (RMF) phases is a risk profile created for threats?

Options:

A.

Phase 3

B.

Phase 1

C.

Phase 2

D.

Phase 0

Questions 25

Which of the following NIST documents includes components for penetration testing?

Options:

A.

NIST SP 800-53

B.

NIST SP 800-26

C.

NIST SP 800-37

D.

NIST SP 800-30

Questions 26

You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?

Options:

A.

Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.

B.

Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.

C.

Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives.

D.

Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.

Questions 27

There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?

Options:

A.

Enhance

B.

Exploit

C.

Acceptance

D.

Share

Questions 28

In which of the following phases do the system security plan update and the Plan of Action and Milestones (POAM) update take place?

Options:

A.

Continuous Monitoring Phase

B.

Accreditation Phase

C.

Preparation Phase

D.

DITSCAP Phase

Questions 29

Harry is a project manager of a software development project. In the early stages of planning, he and the stakeholders operated with the belief that the software they were developing would work with their organization's current computer operating system. Now that the project team has started developing the software it has become apparent that the software will not work with nearly half of the organization's computer operating systems. The incorrect belief Harry had in the software compatibility is an example of what in project management?

Options:

A.

Assumption

B.

Issue

C.

Risk

D.

Constraint

Questions 30

Which of the following is NOT an objective of the security program?

Options:

A.

Security organization

B.

Security plan

C.

Security education

D.

Information classification

Questions 31

Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. Which of the following is violated in a shoulder surfing attack?

Options:

A.

Authenticity

B.

Integrity

C.

Availability

D.

Confidentiality

Questions 32

Which of the following documents is used to provide a standard approach to the assessment of NIST SP 800-53 security controls?

Options:

A.

NIST SP 800-53A

B.

NIST SP 800-66

C.

NIST SP 800-41

D.

NIST SP 800-37

Questions 33

Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?

Options:

A.

DAA

B.

RTM

C.

ATM

D.

CRO

Questions 34

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation?

Each correct answer represents a complete solution. Choose two.

Options:

A.

Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.

B.

Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.

C.

Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.

D.

Certification is the official management decision given by a senior agency official to authorize operation of an information system.

Questions 35

You and your project team have identified the project risks and now are analyzing the probability and impact of the risks. What type of analysis of the risks provides a quick and high-level review of each identified risk event?

Options:

A.

Qualitative risk analysis

B.

Seven risk responses

C.

Quantitative risk analysis

D.

A risk probability-impact matrix

Questions 36

According to FIPS Publication 199, what are the three levels of potential impact on organizations in the event of a compromise on confidentiality, integrity, and availability?

Options:

A.

Confidential, Secret, and High

B.

Minimum, Moderate, and High

C.

Low, Normal, and High

D.

Low, Moderate, and High

Questions 37

Phase 4 of the DITSCAP C&A process is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. What are the process activities of this phase?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Maintenance of the SSAA

B.

Compliance validation

C.

Change management

D.

System operations

E.

Security operations

F.

Continue to review and refine the SSAA

Questions 38

Which of the following describes residual risk as the risk remaining after risk mitigation has occurred?

Options:

A.

DIACAP

B.

ISSO

C.

SSAA

D.

DAA

Questions 39

You work as a project manager for BlueWell Inc. You are working with Nancy, the COO of your company, on several risks within the project. Nancy understands that through qualitative analysis you have identified 80 risks that have a low probability and low impact as the project is currently planned. Nancy's concern, however, is that the impact and probability of these risk events may change as conditions within the project change. She would like to know where you will document and record these 80 low-probability, low-impact risks for future reference.

What should you tell Nancy?

Options:

A.

Risk identification is an iterative process so any changes to the low probability and low impact risks will be reassessed throughout the project life cycle.

B.

Risks with low probability and low impact are recorded in a watchlist for future monitoring.

C.

All risks, regardless of their assessed impact and probability, are recorded in the risk log.

D.

All risks are recorded in the risk management plan

Questions 40

Your project uses a piece of equipment that will overheat and have to be shut down for 48 hours if the temperature of the machine goes above 450 degrees Fahrenheit. Should this machine overheat even once, it will delay the project's end date. You work with your project team to create a response: should the temperature of the machine reach 430, the machine will be paused for at least an hour to cool it down. The temperature of 430 is called what?

Options:

A.

Risk identification

B.

Risk response

C.

Risk trigger

D.

Risk event

Questions 41

You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process?

Options:

A.

Cost management plan

B.

Procurement management plan

C.

Stakeholder register

D.

Quality management plan

Questions 42

Which of the following methods of authentication uses fingerprints to identify users?

Options:

A.

PKI

B.

Mutual authentication

C.

Biometrics

D.

Kerberos

Questions 43

Which of the following documents were developed by NIST for conducting Certification & Accreditation (C&A)?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

NIST Special Publication 800-53A

B.

NIST Special Publication 800-37A

C.

NIST Special Publication 800-59

D.

NIST Special Publication 800-53

E.

NIST Special Publication 800-37

F.

NIST Special Publication 800-60

Questions 44

Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity, it would be an example of what risk response?

Options:

A.

Opportunistic

B.

Positive

C.

Enhancing

D.

Exploiting

Questions 45

Which of the following approaches can be used to build a security program?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Bottom-Up Approach

B.

Right-Up Approach

C.

Top-Down Approach

D.

Left-Up Approach

Questions 46

Sam is the project manager of a construction project in south Florida. This area of the United States is prone to hurricanes during certain parts of the year. As part of the project plan, Sam and the project team acknowledge the possibility of hurricanes and the damage a hurricane could have on the project's deliverables, the schedule of the project, and the overall cost of the project.

Once Sam and the project stakeholders acknowledge the risk of the hurricane they go on planning the project as if the risk is not likely to happen. What type of risk response is Sam using?

Options:

A.

Mitigation

B.

Avoidance

C.

Passive acceptance

D.

Active acceptance

Questions 47

Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis process when Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the following statements best defines what quantitative risk analysis will review?

Options:

A.

The quantitative risk analysis seeks to determine the true cost of each identified risk event and the probability of each risk event to determine the risk exposure.

B.

The quantitative risk analysis process will review risk events for their probability and impact on the project objectives.

C.

The quantitative risk analysis reviews the results of risk identification and prepares the project for risk response management.

D.

The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project's competing demands.

Questions 48

Penetration testing (also called pen testing) is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. Which of the following areas can be exploited in a penetration test?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Social engineering

B.

File and directory permissions

C.

Buffer overflows

D.

Kernel flaws

E.

Race conditions

F.

Information system architectures

G.

Trojan horses

Questions 49

During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?

Options:

A.

Risk rating

B.

Warning signs

C.

Cost of the project

D.

Symptoms

Questions 50

You work as the project manager for Bluewell Inc. You are working on the NGQQ Project for your company. You have completed the risk analysis processes for the risk events. You and the project team have created risk responses for most of the identified project risks. Which of the following risk response planning techniques will you use to shift the impact of a threat to a third party, together with the responses?

Options:

A.

Risk acceptance

B.

Risk avoidance

C.

Risk transference

D.

Risk mitigation

Questions 51

Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?

Options:

A.

RTM

B.

CRO

C.

DAA

D.

ATM

Questions 52

Which of the following types of evidence is a collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity or person?

Options:

A.

Circumstantial

B.

Incontrovertible

C.

Direct

D.

Corroborating

Questions 53

System Authorization is a risk management process. The System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of the System Authorization Plan?

Each correct answer represents a part of the solution. Choose all that apply.

Options:

A.

Post-Authorization

B.

Pre-certification

C.

Post-certification

D.

Certification

E.

Authorization

Questions 54

The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Secure accreditation

B.

Type accreditation

C.

System accreditation

D.

Site accreditation

Questions 55

In which of the following phases of the DITSCAP process does Security Test and Evaluation (ST&E) occur?

Options:

A.

Phase 2

B.

Phase 3

C.

Phase 1

D.

Phase 4

Questions 56

To help review or design security controls, they can be classified by several criteria. One of these criteria is the nature of the control. According to this criterion, which of the following controls consists of incident response processes, management oversight, security awareness, and training?

Options:

A.

Technical control

B.

Physical control

C.

Procedural control

D.

Compliance control

Questions 57

Which of the following are the common roles with regard to data in an information classification program?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Custodian

B.

User

C.

Security auditor

D.

Editor

E.

Owner

Questions 58

You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you're creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance?

Options:

A.

Sharing

B.

Avoidance

C.

Transference

D.

Exploiting

Questions 59

Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of a chart is management asking you to create?

Options:

A.

Work breakdown structure

B.

Resource breakdown structure

C.

RACI chart

D.

Roles and responsibility matrix

Exam Code: CAP
Exam Name: CAP – Certified Authorization Professional
Last Update: Apr 27, 2023
Questions: 395