Winter Sale - Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dpm65

Hot Vendors
Note! The CAP Exam is no longer available.

CAP CAP - Certified Authorization Professional Questions and Answers

Questions 4

Which of the following refers to the ability to ensure that the data is not modified or tampered with?

Options:

A.

Confidentiality

B.

Availability

C.

Integrity

D.

Non-repudiation

Buy Now
Questions 5

Eric is the project manager of the MTC project for his company. In this project a vendor has offered Eric a sizeable discount on all hardware if his order total for the project is more than $125,000. Right now, Eric is likely to spend $118,000 with vendor. If Eric spends $7,000 his cost savings for the project will be $12,500, but he cannot purchase hardware if he cannot implement the hardware immediately due to organizational policies. Eric consults with Amy and Allen, other project managers in the organization, and asks if she needs any hardware for their projects. Both Amy and Allen need hardware and they agree to purchase the hardware through Eric's relationship with the vendor. What positive risk response has happened in this instance?

Options:

A.

Transference

B.

Exploiting

C.

Sharing

D.

Enhancing

Buy Now
Questions 6

Joan is a project management consultant and she has been hired by a firm to help them identify risk events within the project. Joan would first like to examine the project documents including the plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover risks within the review of the project documents?

Options:

A.

The project documents will help the project manager, or Joan, to identify what risk identification approach is best to pursue.

B.

Plans that have loose definitions of terms and disconnected approaches will reveal risks.

C.

Poorly written requirements will reveal inconsistencies in the project plans and documents.

D.

Lack of consistency between the plans and the project requirements and assumptions can be the indicators of risk in the project.

Buy Now
Questions 7

Which of the following statements about Discretionary Access Control List (DACL) is true?

Options:

A.

It is a rule list containing access control entries.

B.

It specifies whether an audit activity should be performed when an object attempts to access a resource.

C.

It is a unique number that identifies a user, group,and computer account.

D.

It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.

Buy Now
Questions 8

Which of the following are the goals of risk management?

Each correct answer represents a complete solution. Choose three.

Options:

A.

Finding an economic balance between the impact of the risk and the cost of the counterme asure

B.

Identifying the risk

C.

Assessing the impact of potential threats

D.

Identifying the accused

Buy Now
Questions 9

Ben is the project manager of the YHT Project for his company. Alice, one of his team members, is confused about when project risks will happen in the project. Which one of the following statements is the most accurate about when project risk happens?

Options:

A.

Project risk can happen at any moment.

B.

Project risk is uncertain, so no one can predict when the event will happen.

C.

Project risk happens throughout the project execution.

D.

Project riskis always in the future.

Buy Now
Questions 10

You are the project manager for your organization. You have identified a risk event you’re your organization could manage internally or externally. If you manage the event internally it will cost your project $578,000 and an additional $12,000 per month the solution is in use. A vendor can manage the risk event for you. The vendor will charge $550,000 and $14,500 per month that the solution is in use. How many months will you need to use the solution to pay for the internal solution in comparison to the vendor's solution?

Options:

A.

Approximately 13 months

B.

Approximately 11 months

C.

Approximately 15 months

D.

Approximately 8 months

Buy Now
Questions 11

Which of the following processes is described in the statement below?

"It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."

Options:

A.

Perform Quantitative Risk Analysis

B.

Perform Qualitative Risk Analysis

C.

Monitor and Control Risks

D.

Identify Risks

Buy Now
Questions 12

Information Security management is a process of defining the security controls in order to protect information assets. What are the security management responsibilities?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Evaluating business objectives, security risks, user productivity, and functionality requirem ents

B.

Determining actual goals that are expected to be accomplished from a security program

C.

Defining steps to ensure that all the responsibilities are accounted for and properly address ed

D.

Determining objectives, scope, policies, priorities, standards, and strategies

Buy Now
Questions 13

Which of the following documents is described in the statement below?

"It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning."

Options:

A.

Risk register

B.

Risk management plan

C.

Project charter

D.

Quality management plan

Buy Now
Questions 14

Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?

Options:

A.

Risk monitoring and control

B.

Scope change control

C.

Configuration management

D.

Integrated change control

Buy Now
Questions 15

Which of the following formulas was developed by FIPS 199 for categorization of an information system?

Options:

A.

SC information system = {(confidentiality, impact), (integrity, controls), (availability, risk)}

B.

SC information system = {(confidentiality, impact), (integrity, impact),(availability, impact)}

C.

SC information system = {(confidentiality, controls), (integrity, controls), (availability, controls )}

D.

SC information system = {(confidentiality, risk), (integrity, impact), (availability, controls)}

Buy Now
Questions 16

Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?

Options:

A.

TCSEC

B.

FIPS

C.

SSAA

D.

FITSAF

Buy Now
Questions 17

Which of the following processes is described in the statement below?

"It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."

Options:

A.

Perform Quantitative Risk Analysis

B.

Monitor and Control Risks

C.

Perform Qualitative Risk Analysis

D.

Identify Risks

Buy Now
Questions 18

Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment?

Options:

A.

Phase 3

B.

Phase 2

C.

Phase 4

D.

Phase 1

Buy Now
Questions 19

Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. Which of the following is violated in a shoulder surfing attack?

Options:

A.

Authenticity

B.

Confidentiality

C.

Availability

D.

Integrity

Buy Now
Questions 20

Which of the following system security policies is used to address specific issues of concern to the organization?

Options:

A.

Program policy

B.

Issue-specific policy

C.

Informative policy

D.

System-specific policy

Buy Now
Questions 21

There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?

Options:

A.

Exploit

B.

Share

C.

Enhance

D.

Acceptance

Buy Now
Questions 22

Lisa is the project manager of the SQL project for her company. She has completed the risk response planning with her project team and is now ready to update the risk register to reflect the risk response. Which of the following statements best describes the level of detail Lisa should include with the risk responses she has created?

Options:

A.

The level of detail is set by historical information.

B.

The level of detail must define exactly the risk response for each identified risk.

C.

The level of detail is set of project risk governance.

D.

The level of detail should correspond with the priority ranking

Buy Now
Questions 23

Which of the following documents were developed by NIST for conducting Certification & Accreditation (C&A)?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

NIST Special Publication 800-53A

B.

NIST Special Publication 800-37A

C.

NIST Special Publication 800-59

D.

NIST Special Publication 800-53

E.

NIST Special Publication 800-37

F.

NIST Special Publication 800-60

Buy Now
Questions 24

Amy is the project manager for her company. In her current project the organization has a very low tolerance for risk events that will affect the project schedule. Management has asked Amy to consider the affect of all the risks on the project schedule. What approach can Amy take to create a bias against risks that will affect the schedule of the project?

Options:

A.

She can have the project team pad their time estimates to alleviate delays in the project schedule.

B.

She can shift risk-laden activities that affect the project schedule from the critical path as much as possible.

C.

She can create an overall project rating scheme to reflect the bias towards risks that affect the project schedule.

D.

She can filter all risks based on their affect on schedule versus other project objectives.

Buy Now
Questions 25

The Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

System development

B.

Certification analysis

C.

Registration

D.

Assessment of the Analysis Results

E.

Configuring refinement of the SSAA

Buy Now
Questions 26

According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information

Assurance (IA) areas, and the controls are referred to as IA controls. Which of the following are among the eight areas of IA defined by DoD?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

DC Security Design & Configuration

B.

VI Vulnerability and Incident Management

C.

EC Enclave and Computing Environment

D.

Information systems acquisition, development, and maintenance

Buy Now
Questions 27

Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the works in the project are very dangerous so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes into fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario considering the risk event?

Options:

A.

Project management plan

B.

Project contractual relationship with the vendor

C.

Project communications plan

D.

Project scope statement

Buy Now
Questions 28

You work as a project manager for BlueWell Inc. You with your team are using a method or a (technical) process that conceives the risks even if all theoretically possible safety measures would be applied. One of your team member wants to know that what is a residual risk. What will you reply to your team member?

Options:

A.

It is a risk that remains because no risk response is taken.

B.

It is a risk that remains after planned risk responses are taken.

C.

It is a risk that can not be addressed by a risk response.

D.

It is a risk that will remain no matter what type of risk response is offered.

Buy Now
Questions 29

You are the project manager for a construction project. The project involves casting of a column in a very narrow space. Because of lack of space, casting it is highly dangerous. High technical skill will be required for casting that column. You decide to hire a local expert team for casting that column. Which of the following types of risk response are you following?

Options:

A.

Mitigation

B.

Avoidance

C.

Transference

D.

Acceptance

Buy Now
Questions 30

Which of the following is NOT a phase of the security certification and accreditation process?

Options:

A.

Initiation

B.

Security certification

C.

Operation

D.

Maintenance

Buy Now
Questions 31

You are the project manager of the NNQ Project for your company and are working you’re your project team to define contingency plans for the risks within your project. Mary, one of your project team members, asks what a contingency plan is. Which of the following statements best defines what a contingency response is?

Options:

A.

Some responses are designed for use only if certain events occur.

B.

Some responses have a cost and a time factor to consider for each risk event.

C.

Some responses must counteract pending risk events.

D.

Quantified risks should always have contingency responses.

Buy Now
Questions 32

In which of the following phases does the SSAA maintenance take place?

Options:

A.

Phase 4

B.

Phase 2

C.

Phase 1

D.

Phase 3

Buy Now
Questions 33

You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process?

Options:

A.

You will use organizational process assets for studies of similar projects by risk specialists.

B.

You will use organizational process assets to determine costs of all risks events within the current project.

C.

You will use organizational process assets for information from prior similar projects.

D.

You will use organizational process assets for risk databases that may be available from industry sources.

Buy Now
Questions 34

Which of the following are the tasks performed by the owner in the information classification schemes?

Each correct answer represents a part of the solution. Choose three.

Options:

A.

To make original determination to decide what level of classification the information requires, which is based on the business requirements for the safety of the data.

B.

To perform data restoration from the backups whenever required.

C.

To review the classification assignments from time to time and make alterations as the business requirements alter.

D.

To delegate the responsibility of the data safeguard duties to the custodian.

Buy Now
Questions 35

In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199.

What levels of potential impact are defined by FIPS 199?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Medium

B.

High

C.

Low

D.

Moderate

Buy Now
Questions 36

Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?

Options:

A.

Computer Fraud and Abuse Act

B.

FISMA

C.

Lanham Act

D.

Computer Misuse Act

Buy Now
Questions 37

Which of the following roles is used to ensure that the confidentiality, integrity, and availability of the services are maintained to the levels approved on the Service Level Agreement (SLA)?

Options:

A.

The Change Manager

B.

The IT Security Manager

C.

The Service Level Manager

D.

The Configuration Manager

Buy Now
Questions 38

Which of the following statements about System Access Control List (SACL) is true?

Options:

A.

It contains a list of any events that are set to audit for that particular object.

B.

It is a mechanism for reducing the need for globally unique IP addresses.

C.

It contains a list of both users and groups and whatever permissions they have.

D.

It exists for each and every permission entry assigned to any object.

Buy Now
Questions 39

There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?

Options:

A.

Enhance

B.

Exploit

C.

Acceptance

D.

Share

Buy Now
Questions 40

Which of the following statements are true about security risks?

Each correct answer represents a complete solution. Choose three.

Options:

A.

They can be removed completely by taking proper actions.

B.

They can be analyzed and measured by the risk analysis process.

C.

They can be mitigated by reviewing and taking responsible actions based on possible risks.

D.

They are considered an indicator of threats coupled with vulnerability.

Buy Now
Questions 41

Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production?

Each correct answer represents a part of the solution. Choose all that apply.

Options:

A.

NIST

B.

FIPS

C.

Office of Management and Budget (OMB)

D.

FISMA

Buy Now
Questions 42

You are the project manager of the CUL project in your organization. You and the project team are assessing the risk events and creating a probability and impact matrix for the identified risks.

Which one of the following statements best describes the requirements for the data type used in qualitative risk analysis?

Options:

A.

A qualitative risk analysis requires fast and simple data to complete the analysis.

B.

A qualitative risk analysis requires accurate and unbiased data if it is to be credible.

C.

A qualitative risk analysis required unbiased stakeholders with biased risk tolerances.

D.

A qualitative risk analysis encourages biased data to reveal risk tolerances.

Buy Now
Questions 43

Which of the following individuals is responsible for preparing and submitting security status reports to the organizations?

Options:

A.

Chief Information Officer

B.

Senior Agency Information Security Officer

C.

Common Control Provider

D.

Authorizing Official

Buy Now
Questions 44

You are responsible for network and information security at a metropolitan police station. The most important concern is that unauthorized parties are not able to access data. What is this called?

Options:

A.

Confidentiality

B.

Encryption

C.

Integrity

D.

Availability

Buy Now
Questions 45

What does OCTAVE stand for?

Options:

A.

Operationally Computer Threat, Asset, and Vulnerability Evaluation

B.

Operationally Critical Threat, Asset, and Vulnerability Evaluation

C.

Operationally Computer Threat, Asset, and Vulnerability Elimination

D.

Operationally Critical Threat, Asset, and Vulnerability Elimination

Buy Now
Questions 46

Which of the following recovery plans includes a monitoring process and triggers for initiating planned actions?

Options:

A.

Business continuity plan

B.

Contingency plan

C.

Continuity of Operations Plan

D.

Disaster recovery plan

Buy Now
Questions 47

Which of the following statements about role-based access control (RBAC) model is true?

Options:

A.

In this model, the permissions are uniquely assigned to each user account.

B.

In this model, a user can access resources according to his role in the organization.

C.

In this model, the same permission is assigned to each user account.

D.

In this model, the users canaccess resources according to their seniority.

Buy Now
Questions 48

In which of the following DITSCAP phases is the SSAA developed?

Options:

A.

Phase 4

B.

Phase 2

C.

Phase 1

D.

Phase 3

Buy Now
Questions 49

Which of the following parts of BS 7799 covers risk analysis and management?

Options:

A.

Part 1

B.

Part 3

C.

Part 2

D.

Part 4

Buy Now
Questions 50

You and your project team are just starting the risk identification activities for a project that is scheduled to last for 18 months. Your project team has already identified a long list of risks that need to be analyzed. How often should you and the project team do risk identification?

Options:

A.

At least once per month

B.

Several times until the project moves into execution

C.

It depends on how many risks are initially identified.

D.

Identify risks is an iterative process.

Buy Now
Questions 51

Which of the following is NOT a type of penetration test?

Options:

A.

Cursory test

B.

Partial-knowledge test

C.

Zero-knowledge test

D.

Full knowledge test

Buy Now
Questions 52

Which one of the following is the only output for the qualitative risk analysis process?

Options:

A.

Project management plan

B.

Risk register updates

C.

Enterprise environmental factors

D.

Organizational process assets

Buy Now
Questions 53

Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis process when Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the following statements best defines what quantitative risk analysis will review?

Options:

A.

The quantitative risk analysis seeks to determine the true cost of each identified risk event and the probability of each risk event to determine the risk exposure.

B.

The quantitative risk analysis process will review risk events for their probability and impact on the project objectives.

C.

The quantitative risk analysis reviews the results of risk identification and prepares the project for risk response management.

D.

The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project's competing demands.

Buy Now
Questions 54

You work as a project manager for BlueWell Inc. You are currently working with the project stakeholders to identify risks in your project. You understand that the qualitative risk assessment and analysis can reflect the attitude of the project team and other stakeholders to risk. Effective assessment of risk requires management of the risk attitudes of the participants. What should you, the project manager, do with assessment of identified risks in consideration of the attitude and bias of the participants towards the project risk?

Options:

A.

Document the bias for the risk events and communicate the bias with management

B.

Evaluate and document the bias towards the risk events

C.

Evaluate the bias through SWOT for true analysis of the risk events

D.

Evaluate the bias towards the risk events and correct the assessment accordingly

Buy Now
Questions 55

The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Secure accreditation

B.

Type accreditation

C.

System accreditation

D.

Site accreditation

Buy Now
Questions 56

You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process?

Options:

A.

You will use organizational process assets for risk databases that may be available from industry sources.

B.

You will use organizational process assets for studies of similar projects by risk specialists.

C.

You will use organizational process assets to determine costs of all risks events within thecurrent project.

D.

You will use organizational process assets for information from prior similar projects.

Buy Now
Questions 57

Where can a project manager find risk-rating rules?

Options:

A.

Risk probability and impact matrix

B.

Organizational process assets

C.

Enterprise environmental factors

D.

Risk management plan

Buy Now
Questions 58

Which of the following evidences are the collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity/person?

Options:

A.

Circumstantial

B.

Incontrovertible

C.

Direct

D.

Corroborating

Buy Now
Questions 59

Which of the following are the common roles with regard to data in an information classification program?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Custodian

B.

User

C.

Security auditor

D.

Editor

E.

Owner

Buy Now
Exam Code: CAP
Exam Name: CAP - Certified Authorization Professional
Last Update: Nov 27, 2023
Questions: 395
dumpsmate guaranteed to pass
24/7 Customer Support

DumpsMate's team of experts is always available to respond your queries on exam preparation. Get professional answers on any topic of the certification syllabus. Our experts will thoroughly satisfy you.

Site Secure

mcafee secure

TESTED 21 Nov 2024