CAP Questions and Answers

Question # 6

Which of the following processes is described in the statement below?

"It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."

A. Perform Quantitative Risk Analysis
B. Perform Qualitative Risk Analysis
C. Monitor and Control Risks
D. Identify Risks

Question # 7

The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. Which of the following participants are required in a NIACAP security assessment?

Each correct answer represents a part of the solution. Choose all that apply.

A. Information Assurance Manager
B. Designated Approving Authority
C. IS program manager
D. User representative
E. Certification agent

Question # 8

The Identify Risks process determines the risks that affect the project and documents their characteristics. Why should the project team members be involved in the Identify Risks process?

A. They are the individuals that will have the best responses for identified risk events within the project.
B. They are the individuals that are most affected by the risk events.
C. They are the individuals that will need a sense of ownership and responsibility for the risk events.
D. They are the individuals that will most likely cause and respond to the risk events.

Question # 9

Harry is a project manager of a software development project. In the early stages of planning, he and the stakeholders operated with the belief that the software they were developing would work with their organization's current computer operating system. Now that the project team has started developing the software, it has become apparent that the software will not work with nearly half of the organization's computer operating systems. The incorrect belief Harry had in the software compatibility is an example of what in project management?

A. Issue
B. Risk
C. Constraint
D. Assumption

Question # 10

You are the project manager for your organization. You are working with your project team to complete the qualitative risk analysis process. The first tool and technique you are using requires that you assess the probability and what other characteristic of each identified risk in the project?

A. Risk owner
B. Risk category
C. Impact
D. Cost

Question # 11

The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer?

Each correct answer represents a complete solution. Choose all that apply.

A. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan
B. Preserving high-level communications and working group relationships in an organization
C. Establishing an effective continuous monitoring program for the organization
D. Facilitating the sharing of security risk-related information among authorizing officials

Question # 12

Virginia is the project manager for her organization. She has hired a subject matter expert to interview the project stakeholders on certain identified risks within the project. The subject matter expert will assess the risk event with what specific goal in mind?

A. To determine the bias of the risk event based on each person interviewed
B. To determine the probability and cost of the risk event
C. To determine the validity of each risk event
D. To determine the level of probability and impact for each risk event

Question # 13

You are the project manager for the TTP project. You are in the Identify Risks process. You have to create the risk register. Which of the following are included in the risk register?

Each correct answer represents a complete solution. Choose two.

A. List of potential responses
B. List of identified risks
C. List of mitigation techniques
D. List of key stakeholders

Question # 14

Adrian is a project manager for a new project using a technology that has recently been released, and there's relatively little information about the technology. Initial testing of the technology makes the use of it look promising, but there's still uncertainty as to the longevity and reliability of the technology. Adrian wants to consider the technology factors a risk for her project. Where should she document the risks associated with this technology so she can track the risk status and responses?

A. Project charter
B. Risk register
C. Project scope statement
D. Risk low-level watch list

Question # 15

Which of the following relations correctly describes residual risk?

A. Residual Risk = Threats x Vulnerability x Asset Gap x Control Gap
B. Residual Risk = Threats x Exploit x Asset Value x Control Gap
C. Residual Risk = Threats x Exploit x Asset Value x Control Gap
D. Residual Risk = Threats x Vulnerability x Asset Value x Control Gap

Question # 16

You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project, you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process?

A. Cost management plan
B. Quality management plan
C. Procurement management plan
D. Stakeholder register

Question # 17

Joan is a project management consultant, and she has been hired by a firm to help them identify risk events within the project. Joan would first like to examine the project documents, including the plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover risks within the review of the project documents?

A. Lack of consistency between the plans and the project requirements and assumptions can be the indicators of risk in the project.
B. The project documents will help the project manager, or Joan, to identify what risk identification approach is best to pursue.
C. Plans that have loose definitions of terms and disconnected approaches will reveal risks.
D. Poorly written requirements will reveal inconsistencies in the project plans and documents.

Question # 18

John is the project manager of the NHQ Project for his company. His project has 75 stakeholders, some of which are external to the organization. John needs to make certain that he communicates about risk in the most appropriate method for the external stakeholders. Which project management plan will be the best guide for John to communicate to the external stakeholders?

A. Communications Management Plan
B. Risk Management Plan
C. Project Management Plan
D. Risk Response Plan

Question # 19

Which of the following assessment methods is used to review, inspect, and analyze assessment objects?

A. Testing
B. Examination
C. Interview
D. Debugging

Question # 20

You work as a project manager for BlueWell Inc. Your project is running late and you must respond to the risk. Which risk response can you choose that will also cause you to update the human resource management plan?

A. Teaming agreements
B. Crashing the project
C. Transference
D. Fast tracking the project

Question # 21

Which of the following objectives are defined by integrity in the C.I.A. triad of information security systems?

Each correct answer represents a part of the solution. Choose three.

A. It preserves the internal and external consistency of information.
B. It prevents the unauthorized or unintentional modification of information by the authorized users.
C. It prevents the intentional or unintentional unauthorized disclosure of a message's contents.
D. It prevents the modification of information by the unauthorized users.

Question # 22

Which of the following NIST documents defines impact?

A. NIST SP 800-53
B. NIST SP 800-26
C. NIST SP 800-30
D. NIST SP 800-53A

Question # 23

Which of the following formulas was developed by FIPS 199 for categorization of an information type?

A. SC information type = {(confidentiality, controls), (integrity, controls), (authentication, controls)}
B. SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
C. SC information type = {(confidentiality, risk), (integrity, risk), (availability, risk)}
D. SC information type = {(Authentication, impact), (integrity, impact), (availability, impact)}

Question # 24

Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency, or state of affairs?

A. Continuity of Operations Plan
B. Disaster recovery plan
C. Contingency plan
D. Business continuity plan

Question # 25

Where can a project manager find risk-rating rules?

A. Risk probability and impact matrix
B. Organizational process assets
C. Enterprise environmental factors
D. Risk management plan

Question # 26

Gary is the project manager of his organization. He is managing a project that is similar to a project his organization completed recently. Gary has decided that he will use the information from the past project to help him and the project team to identify the risks that may be present in the project. Management agrees that this checklist approach is ideal and will save time in the project. Which of the following statements is most accurate about the limitations of the checklist analysis approach for Gary?

A. The checklist analysis approach is fast, but it is impossible to build an exhaustive checklist.
B. The checklist analysis approach only uses qualitative analysis.
C. The checklist analysis approach saves time, but can cost more.
D. The checklist is also known as top-down risk assessment.

Question # 27

Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use?

A. Mandatory Access Control
B. Role-Based Access Control
C. Discretionary Access Control
D. Policy Access Control

Question # 28

You are the project manager for a construction project. The project includes work that involves very high financial risks. You decide to insure the processes so that any ill happening can be compensated. Which type of strategy have you used to deal with the risks involved with that particular work?

A. Transfer
B. Mitigate
C. Accept
D. Avoid

Question # 29

James works as IT systems personnel at SoftTech Inc. He performs the following tasks:

Runs regular backups and routine tests of the validity of the backup data.

Performs data restoration from the backups whenever required.

Maintains the retained records in accordance with the established information classification policy.

What is the role played by James in the organization?

A. Manager
B. User
C. Owner
D. Custodian

Question # 30

Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?

A. FITSAF
B. FIPS
C. TCSEC
D. SSAA

Question # 31

Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management activity?

A. Stakeholder register
B. Risk register
C. Project scope statement
D. Risk management plan

Question # 32

Which of the following is a subset discipline of Corporate Governance focused on information security systems and their performance and risk management?

A. Lanham Act
B. ISG
C. Clinger-Cohen Act
D. Computer Misuse Act

Question # 33

In which of the following phases of the DITSCAP process does Security Test and Evaluation (ST&E) occur?

A. Phase 2
B. Phase 3
C. Phase 1
D. Phase 4

Question # 34

Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred understands that once the quantitative risk analysis process is complete, the process will need to be completed again at least two other times in the project. When will the quantitative risk analysis process need to be repeated?

A. Quantitative risk analysis process will be completed again after the plan risk response planning and as part of procurement.
B. Quantitative risk analysis process will be completed again after the cost management planning and as a part of monitoring and controlling.
C. Quantitative risk analysis process will be completed again after new risks are identified and as part of monitoring and controlling.
D. Quantitative risk analysis process will be completed again after the risk response planning and as a part of monitoring and controlling.

Question # 35

Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?

A. RTM
B. CRO
C. DAA
D. ATM

Question # 36

You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis?

A. Information on prior, similar projects
B. Review of vendor contracts to examine risks in past projects
C. Risk databases that may be available from industry sources
D. Studies of similar projects by risk specialists

Question # 37

Penetration testing (also called pen testing) is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. Which of the following areas can be exploited in a penetration test?

Each correct answer represents a complete solution. Choose all that apply.

A. Social engineering
B. File and directory permissions
C. Buffer overflows
D. Kernel flaws
E. Race conditions
F. Information system architectures
G. Trojan horses

Question # 38

You are the project manager of the NKQ project for your organization. You have completed the quantitative risk analysis process for this portion of the project. What is the only output of the quantitative risk analysis process?

A. Probability of reaching project objectives
B. Risk contingency reserve
C. Risk response
D. Risk register updates

Question # 39

Risks with low ratings of probability and impact are included on a ____ for future monitoring.

A. Watchlist
B. Risk alarm
C. Observation list
D. Risk register

Question # 40

In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199.

What levels of potential impact are defined by FIPS 199?

Each correct answer represents a complete solution. Choose all that apply.

A. Low
B. Moderate
C. High
D. Medium

Question # 41

You work as a project manager for BlueWell Inc. You and your team are using a method or (technical) process that conceives of the risks that would exist even if all theoretically possible safety measures were applied. One of your team members wants to know what a residual risk is. What will you reply to your team member?

A. It is a risk that remains because no risk response is taken.
B. It is a risk that remains after planned risk responses are taken.
C. It is a risk that cannot be addressed by a risk response.
D. It is a risk that will remain no matter what type of risk response is offered.

Question # 42

Which of the following is used throughout the entire C&A process?

A. DAA
B. DITSCAP
C. SSAA
D. DIACAP

Question # 43

Which of the following statements about Discretionary Access Control List (DACL) is true?

A. It is a rule list containing access control entries.
B. It specifies whether an audit activity should be performed when an object attempts to access a resource.
C. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.
D. It is a unique number that identifies a user, group, and computer account.

Question # 44

Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete part of the project work for Eric's organization. Due to a change request, the ZAS Corporation is no longer needed on the project even though they have completed nearly all of the project work. Is Eric's organization liable to pay the ZAS Corporation for the work they have completed so far on the project?

A. No, the ZAS Corporation did not complete all of the work.
B. Yes, the ZAS Corporation did not choose to terminate the contract work.
C. It depends on what the outcome of a lawsuit will determine.
D. It depends on what the termination clause of the contract stipulates.

Question # 45

Which of the following acts promote a risk-based policy for cost effective security?

Each correct answer represents a part of the solution. Choose all that apply.

A. Clinger-Cohen Act
B. Lanham Act
C. Computer Misuse Act
D. Paperwork Reduction Act (PRA)

Question # 46

Which of the following persons is responsible for testing and verifying whether the security policy is properly implemented, and the derived security solutions are adequate or not?

A. Auditor
B. User
C. Data custodian
D. Data owner

Question # 47

In which of the following DITSCAP phases is the SSAA developed?

A. Phase 2
B. Phase 4
C. Phase 1
D. Phase 3

Question # 48

Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?

A. DAA
B. RTM
C. ATM
D. CRO

Question # 49

Which of the following recovery plans includes a monitoring process and triggers for initiating planned actions?

A. Business continuity plan
B. Contingency plan
C. Continuity of Operations Plan
D. Disaster recovery plan

Question # 50

In what portion of a project are risks and opportunities greatest and require intense planning and anticipation of risk events?

A. Planning
B. Executing
C. Closing
D. Initiating

Question # 51

Which of the following guidance documents is useful in determining the impact level of a particular threat on agency systems?

A. NIST SP 800-41
B. NIST SP 800-37
C. FIPS 199
D. NIST SP 800-14

Question # 52

You are the project manager for a construction project. The project involves the casting of a column in a very narrow space. Because of the lack of space, casting it is highly dangerous. High technical skill will be required for casting that column. You decide to hire a local expert team for casting that column. Which of the following types of risk response are you following?

A. Mitigation
B. Avoidance
C. Transference
D. Acceptance

Question # 53

Which of the following NIST C&A documents is the guideline for identifying an information system as a National Security System?

A. NIST SP 800-53
B. NIST SP 800-59
C. NIST SP 800-37
D. NIST SP 800-53A

Question # 54

Which of the following NIST publications defines impact?

A. NIST SP 800-41
B. NIST SP 800-37
C. NIST SP 800-30
D. NIST SP 800-53

Question # 55

Which of the following formulas was developed by FIPS 199 for categorization of an information system?

A. SC information system = {(confidentiality, impact), (integrity, controls), (availability, risk)}
B. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
C. SC information system = {(confidentiality, controls), (integrity, controls), (availability, controls)}
D. SC information system = {(confidentiality, risk), (integrity, impact), (availability, controls)}

Question # 56

Which of the following is an Information Assurance (IA) model that protects and defends information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation?

A. Parkerian Hexad
B. Capability Maturity Model (CMM)
C. Classic information security model
D. Five Pillars model

Question # 57

Mary is the project manager of the HGH Project for her company. She and her project team have agreed that if the vendor is late by more than ten days, they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly higher than the current vendor's. What type of a response strategy is this?

A. External risk response
B. Internal risk management strategy
C. Contingent response strategy
D. Expert judgment

Question # 58

Billy is the project manager of the HAR Project and is in month six of the project. The project is scheduled to last for 18 months. Management asks Billy how often the project team is participating in risk reassessment in this project. What should Billy tell management if he's following the best practices for risk management?

A. At every status meeting of the project team, project risk management is an agenda item.
B. Project risk management happens at every milestone.
C. Project risk management has been concluded with the project planning.
D. Project risk management is scheduled for every month in the 18-month project.

Question # 59

Nancy is the project manager of the NHH project. She and the project team have identified a significant risk in the project during the qualitative risk analysis process. Bob is familiar with the technology that the risk is affecting and proposes to Nancy a solution to the risk event. Nancy tells Bob that she has noted his response, but the risk really needs to pass through the quantitative risk analysis process before creating responses. Bob disagrees and assures Nancy that his response is most appropriate for the identified risk. Who is correct in this scenario?

A. Bob is correct. Bob is familiar with the technology and the risk event, so his response should be implemented.
B. Nancy is correct. Because Nancy is the project manager, she can determine the correct procedures for risk analysis and risk responses. In addition, she has noted the risk response that Bob recommends.
C. Nancy is correct. All risks of significant probability and impact should pass the quantitative risk analysis process before risk responses are created.
D. Bob is correct. Not all risk events have to pass the quantitative risk analysis process to develop effective risk responses.
