CAP Exam - ISC2 CAP Certified Authorization Professional


Free demo questions for ISC2 CAP Exam Dumps Below:

NEW QUESTION 1
Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?

  • A. FITSAF
  • B. FIPS
  • C. TCSEC
  • D. SSAA

Answer: D

NEW QUESTION 2
You work as a project manager for BlueWell Inc. You are working on a project and the management wants a rapid and cost-effective means for establishing priorities for planning risk responses in your project. Which risk management process can satisfy management's objective for your project?

  • A. Qualitative risk analysis
  • B. Quantitative analysis
  • C. Historical information
  • D. Rolling wave planning

Answer: A

NEW QUESTION 3
Which of the following individuals is responsible for ensuring the security posture of the organization's information system?

  • A. Authorizing Official
  • B. Chief Information Officer
  • C. Security Control Assessor
  • D. Common Control Provider

Answer: A

NEW QUESTION 4
What project management plan is most likely to direct the quantitative risk analysis process for a project in a matrix environment?

  • A. Staffing management plan
  • B. Risk analysis plan
  • C. Human resource management plan
  • D. Risk management plan

Answer: D

NEW QUESTION 5
You are the project manager of the NHH Project. In this project you have created a contingency response that the schedule performance index should be less than 0.93. The NHH Project has a budget at completion of $945,000 and is 45 percent complete, though the project should be 49 percent complete. The project has spent $455,897 to reach the 45 percent complete milestone.
What is the project's schedule performance index?

  • A. 1.06
  • B. 0.93
  • C. -$37,800
  • D. 0.92

Answer: D

NEW QUESTION 6
You work as a project manager for BlueWell Inc. You and your team are using a method or a (technical) process that conceives the risks even if all theoretically possible safety measures would be applied. One of your team members wants to know what a residual risk is. What will you reply to your team member?

  • A. It is a risk that remains because no risk response is taken.
  • B. It is a risk that remains after planned risk responses are taken.
  • C. It is a risk that cannot be addressed by a risk response.
  • D. It is a risk that will remain no matter what type of risk response is offered.

Answer: B

NEW QUESTION 7
Phase 0 of the Risk Management Framework (RMF) is known as strategic risk assessment planning. Which of the following processes take place in phase 0?
Each correct answer represents a complete solution. Choose all that apply.

  • A. Review documentation and technical data.
  • B. Apply classification criteria to rank data assets and related IT resources.
  • C. Establish criteria that will be used to classify and rank data assets.
  • D. Identify threats, vulnerabilities, and controls that will be evaluated.
  • E. Establish criteria that will be used to evaluate threats, vulnerabilities, and controls.

Answer: BCDE

NEW QUESTION 8
Which of the following is a security policy implemented by an organization due to compliance, regulation, or other legal requirements?

  • A. Advisory policy
  • B. Informative policy
  • C. System Security policy
  • D. Regulatory policy

Answer: D

NEW QUESTION 9
Lisa is the project manager of the SQL project for her company. She has completed the risk response planning with her project team and is now ready to update the risk register to reflect the risk response. Which of the following statements best describes the level of detail Lisa should include with the risk responses she has created?

  • A. The level of detail is set by historical information.
  • B. The level of detail must define exactly the risk response for each identified risk.
  • C. The level of detail is set by project risk governance.
  • D. The level of detail should correspond with the priority ranking.

Answer: D

NEW QUESTION 10
You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process?

  • A. You will use organizational process assets for risk databases that may be available from industry sources.
  • B. You will use organizational process assets for studies of similar projects by risk specialists.
  • C. You will use organizational process assets to determine costs of all risk events within the current project.
  • D. You will use organizational process assets for information from prior similar projects.

Answer: C

NEW QUESTION 11
Frank is the project manager of the NHH Project. He is working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are Frank and the NHH Project team creating in this scenario?

  • A. Project management plan
  • B. Resource management plan
  • C. Risk management plan
  • D. Project plan

Answer: C

NEW QUESTION 12
Which of the following groups represents the most likely source of an asset loss through the inappropriate use of computers?

  • A. Hackers
  • B. Visitors
  • C. Customers
  • D. Employees

Answer: D

NEW QUESTION 13
You work as a project manager for TechSoft Inc. You, the project team, and the key project stakeholders have completed a round of quantitative risk analysis. You now need to update the risk register with your findings so that you can communicate the risk results to the project stakeholders - including management. You will need to update all of the following information except for which one?

  • A. Probability of achieving cost and time objectives
  • B. Risk distributions within the project schedule
  • C. Probabilistic analysis of the project
  • D. Trends in quantitative risk analysis

Answer: B

NEW QUESTION 14
Which of the following terms related to risk management represents the estimated frequency at which a threat is expected to occur?

  • A. Safeguard
  • B. Single Loss Expectancy (SLE)
  • C. Exposure Factor (EF)
  • D. Annualized Rate of Occurrence (ARO)

Answer: D

NEW QUESTION 15
You are the project manager for a construction project. The project includes work that involves very high financial risks. You decide to insure processes so that any ill happening can be compensated. Which type of strategy have you used to deal with the risks involved with that particular work?

  • A. Transfer
  • B. Mitigate
  • C. Accept
  • D. Avoid

Answer: A

NEW QUESTION 16
NIST SP 800-53A defines three types of interview depending on the level of assessment conducted. Which of the following NIST SP 800-53A interviews consists of informal and ad hoc interviews?

  • A. Substantial
  • B. Significant
  • C. Abbreviated
  • D. Comprehensive

Answer: C

NEW QUESTION 17
Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?

  • A. Risk monitoring and control
  • B. Scope change control
  • C. Configuration management
  • D. Integrated change control

Answer: D

NEW QUESTION 18
Which of the following individuals is responsible for the configuration management and control task?

  • A. Common control provider
  • B. Information system owner
  • C. Authorizing official
  • D. Chief information officer

Answer: B

NEW QUESTION 19
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well designed policy?
Each correct answer represents a part of the solution. Choose all that apply.

  • A. Who is expected to exploit the vulnerability?
  • B. What is being secured?
  • C. Where is the vulnerability, threat, or risk?
  • D. Who is expected to comply with the policy?

Answer: BCD

NEW QUESTION 20
......
