CAP Exam - ISC2 CAP Certified Authorization Professional

certleader.com

Proper study guides for the ISC2 CAP Certified Authorization Professional certification begin with ISC2 CAP preparation products, which are designed to deliver vivid CAP questions so that you pass the CAP test on your first attempt. Try the free CAP demo right now.

Free CAP dump questions are also provided below:

NEW QUESTION 1
The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE?
Each correct answer represents a complete solution. Choose all that apply.

  • A. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).
  • B. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).
  • C. An ISSE provides advice on the continuous monitoring of the information system.
  • D. An ISSO takes part in the development activities that are required to implement system changes.
  • E. An ISSE provides advice on the impacts of system changes.

Answer: ACE

NEW QUESTION 2
Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase?
Each correct answer represents a complete solution. Choose all that apply.

  • A. System development
  • B. Certification analysis
  • C. Registration
  • D. Assessment of the Analysis Results
  • E. Configuring refinement of the SSAA

Answer: ABDE

NEW QUESTION 3
There are seven risk responses that a project manager can choose from. Which risk response is appropriate for both positive and negative risk events?

  • A. Acceptance
  • B. Mitigation
  • C. Sharing
  • D. Transference

Answer: A

NEW QUESTION 4
Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase?
Each correct answer represents a complete solution. Choose all that apply.

  • A. Configuring refinement of the SSAA
  • B. Assessment of the Analysis Results
  • C. System development
  • D. Certification analysis
  • E. Registration

Answer: ABCD

NEW QUESTION 5
You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?

  • A. The project's cost management plan can help you to determine what the total cost of the project is allowed to be.
  • B. The project's cost management plan provides direction on how costs may be changed due to identified risks.
  • C. The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget.
  • D. The project's cost management plan is not an input to the quantitative risk analysis process.

Answer: C

NEW QUESTION 6
Which of the following is NOT a type of penetration test?

  • A. Cursory test
  • B. Partial-knowledge test
  • C. Zero-knowledge test
  • D. Full knowledge test

Answer: A

NEW QUESTION 7
You are the project manager of the HJK Project for your organization. You and the project team have created risk responses for many of the risk events in the project. Where should you document the proposed responses and the current status of all identified risks?

  • A. Risk management plan
  • B. Stakeholder management strategy
  • C. Risk register
  • D. Lessons learned documentation

Answer: C

NEW QUESTION 8
Which of the following is used throughout the entire C&A process?

  • A. DAA
  • B. DITSCAP
  • C. SSAA
  • D. DIACAP

Answer: C

NEW QUESTION 9
Which of the following individuals makes the final accreditation decision?

  • A. ISSE
  • B. DAA
  • C. CRO
  • D. ISSO

Answer: B

NEW QUESTION 10
Which of the following access control models uses a predefined set of access privileges for an object of a system?

  • A. Discretionary Access Control
  • B. Mandatory Access Control
  • C. Policy Access Control
  • D. Role-Based Access Control

Answer: B

NEW QUESTION 11
Which one of the following is the only output for the qualitative risk analysis process?

  • A. Enterprise environmental factors
  • B. Project management plan
  • C. Risk register updates
  • D. Organizational process assets

Answer: C

NEW QUESTION 12
You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?

  • A. These risks can be accepted.
  • B. These risks can be added to a low priority risk watch list.
  • C. All risks must have a valid, documented risk response.
  • D. These risks can be dismissed.

Answer: B

NEW QUESTION 13
Your project team has identified a project risk that must be responded to. The risk has been recorded in the risk register and the project team has been discussing potential risk responses for the risk event. The event is not likely to happen for several months but the probability of the event is high. Which one of the following is a valid response to the identified risk event?

  • A. Corrective action
  • B. Technical performance measurement
  • C. Risk audit
  • D. Earned value management

Answer: A

NEW QUESTION 14
Eric is the project manager of the MTC project for his company. In this project a vendor has offered Eric a sizeable discount on all hardware if his order total for the project is more than $125,000. Right now, Eric is likely to spend $118,000 with the vendor. If Eric spends $7,000 more, his cost savings for the project will be $12,500, but he cannot purchase hardware that he cannot implement immediately, due to organizational policies. Eric consults with Amy and Allen, other project managers in the organization, and asks if they need any hardware for their projects. Both Amy and Allen need hardware, and they agree to purchase the hardware through Eric's relationship with the vendor. What positive risk response has happened in this instance?

  • A. Transference
  • B. Exploiting
  • C. Sharing
  • D. Enhancing

Answer: C

NEW QUESTION 15
Harry is a project manager of a software development project. In the early stages of planning, he and the stakeholders operated with the belief that the software they were developing would work with their organization's current computer operating system. Now that the project team has started developing the software it has become apparent that the software will not work with nearly half of the organization's computer operating systems. The incorrect belief Harry had in the software compatibility is an example of what in project management?

  • A. Issue
  • B. Risk
  • C. Constraint
  • D. Assumption

Answer: D

NEW QUESTION 16
Which of the following NIST C&A documents is the guideline for identifying an information system as a National Security System?

  • A. NIST SP800-53
  • B. NIST SP 800-59
  • C. NIST SP 800-37
  • D. NIST SP 800-53A

Answer: B

NEW QUESTION 17
Which of the following are the objectives of the security certification documentation task?
Each correct answer represents a complete solution. Choose all that apply.

  • A. To prepare the Plan of Action and Milestones (POAM) based on the security assessment
  • B. To provide the certification findings and recommendations to the information system owner
  • C. To assemble the final security accreditation package and then submit it to the authorizing official
  • D. To update the system security plan based on the results of the security assessment

Answer: ABCD

NEW QUESTION 18
What is the objective of the Security Accreditation Decision task?

  • A. To determine whether the agency-level risk is acceptable or not.
  • B. To make an accreditation decision
  • C. To accredit the information system
  • D. To approve revisions of NIACAP

Answer: A

NEW QUESTION 19
Under which type of access control does a user ID and password system fall?

  • A. Administrative
  • B. Technical
  • C. Physical
  • D. Power

Answer: B

NEW QUESTION 20
......
