CAP Certified Authorization Professional Practice Exam Set 2

You are the project manager for your organization. You have identified a risk event that your organization could manage internally or externally. If you manage the event internally, it will cost your project $578,000 and an additional $22,000 per month the solution is in use. A vendor can manage the risk event for you. The vendor will charge $550,000 and $24,500 per month that the solution is in use. How many months will you need to use the solution to pay for the internal solution in comparison to the vendor's solution?


Options are :

  • Approximately 13 months
  • Approximately 11 months
  • Approximately 15 months
  • Approximately 8 months

Answer : Approximately 11 months

Which of the following techniques are used after a security breach and are intended to limit the extent of any damage caused by the incident?


Options are :

  • Corrective controls
  • Safeguards
  • Preventive controls
  • Detective controls

Answer : Corrective controls

In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system?


Options are :

  • Paper test
  • Full operational test
  • Walk-through test
  • Penetration test

Answer : Penetration test

Adrian is the project manager of the NHP Project. In her project there are several work packages that deal with electrical wiring. Rather than manage the risk internally, she has decided to hire a vendor to complete all work packages that deal with the electrical wiring. By removing the risk internally to a licensed electrician, Adrian feels more comfortable with the project team being safe. What type of risk response has Adrian used in this example?


Options are :

  • Acceptance
  • Transference
  • Mitigation
  • Avoidance

Answer : Transference

The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation? Each correct answer represents a complete solution. Choose all that apply.


Options are :

  • System accreditation
  • Site accreditation
  • Type accreditation
  • Secure accreditation

Answer : System accreditation, Site accreditation, Type accreditation

Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual?


Options are :

  • DoD 5200.22-M
  • DoD 7950.1-M
  • DoD 8910.1
  • DoD 5200.1-R
  • DoDD 8000.1

Answer : DoD 7950.1-M

Neil works as a project manager for SoftTech Inc. He is working with Tom, the COO of his company, on several risks within the project. Tom understands that through qualitative analysis Neil has identified many risks in the project. Tom's concern, however, is that the priority list of these risk events is sorted into "high-risk," "moderate-risk," and "low-risk" as conditions apply within the project. Tom wants to know whether there is any other objective on which Neil can make the priority list for project risks. What will be Neil's reply to Tom?


Options are :

  • Risks may be listed by priority separately for schedule, cost, and performance
  • Risks may be listed by the additional analysis and response
  • Risk may be listed by the responses in the near-term
  • Risks may be listed by categories

Answer : Risks may be listed by priority separately for schedule, cost, and performance

Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?


Options are :

  • Authorizing Official
  • Chief Information Officer (CIO)
  • Chief Risk Officer (CRO)
  • Information system owner

Answer : Information system owner

Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?


Options are :

  • ATM
  • DAA
  • CRO
  • RTM

Answer : RTM

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.


Options are :

  • Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
  • Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
  • Certification is the official management decision given by a senior agency official to authorize operation of an information system.
  • Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.

Answer : Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.

Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis process when Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the following statements best defines what quantitative risk analysis will review?


Options are :

  • The quantitative risk analysis seeks to determine the true cost of each identified risk event and the probability of each risk event to determine the risk exposure.
  • The quantitative risk analysis reviews the results of risk identification and prepares the project for risk response management.
  • The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project's competing demands.
  • The quantitative risk analysis process will review risk events for their probability and impact on the project objectives.

Answer : The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project's competing demands.

DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP? Each correct answer represents a complete solution. Choose all that apply.


Options are :

  • System Definition
  • Identification
  • Accreditation
  • Verification
  • Re-Accreditation
  • Validation

Answer : System Definition, Verification, Re-Accreditation, Validation

According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls. Which of the following are among the eight areas of IA defined by DoD? Each correct answer represents a complete solution. Choose all that apply.


Options are :

  • Information systems acquisition, development, and maintenance
  • VI Vulnerability and Incident Management
  • DC Security Design & Configuration
  • EC Enclave and Computing Environment

Answer : VI Vulnerability and Incident Management; DC Security Design & Configuration; EC Enclave and Computing Environment

In which of the following phases of the DITSCAP process does Security Test and Evaluation (ST&E) occur?


Options are :

  • Phase 4
  • Phase 3
  • Phase 2
  • Phase 1

Answer : Phase 3

The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply.


Options are :

  • An ISSE provides advice on the continuous monitoring of the information system.
  • An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).
  • An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).
  • An ISSO takes part in the development activities that are required to implement system changes.
  • An ISSE provides advice on the impacts of system changes.

Answer : An ISSE provides advice on the continuous monitoring of the information system. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A). An ISSE provides advice on the impacts of system changes.

Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use?


Options are :

  • Policy Access Control
  • Mandatory Access Control
  • Discretionary Access Control
  • Role-Based Access Control

Answer : Role-Based Access Control

DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP? Each correct answer represents a complete solution. Choose all that apply.


Options are :

  • Re-Accreditation
  • Validation
  • System Definition
  • Accreditation
  • Verification
  • Identification

Answer : Re-Accreditation, Validation, System Definition, Verification

Which of the following roles is also known as the accreditor?


Options are :

  • Designated Approving Authority
  • Data owner
  • Chief Risk Officer
  • Chief Information Officer

Answer : Designated Approving Authority

Your project uses a piece of equipment that will overheat and have to be shut down for 48 hours if the temperature of the machine goes above 450 degrees Fahrenheit. Should this machine overheat even once, it will delay the project's end date. You work with your project team to create a response: should the temperature of the machine reach 430, the machine will be paused for at least an hour to cool it down. The temperature of 430 is called what?


Options are :

  • Risk response
  • Risk identification
  • Risk event
  • Risk trigger

Answer : Risk trigger

Which of the following refers to the ability to ensure that the data is not modified or tampered with?


Options are :

  • Integrity
  • Confidentiality
  • Availability
  • Non-repudiation

Answer : Integrity

Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment?


Options are :

  • Phase 1
  • Phase 2
  • Phase 4
  • Phase 3

Answer : Phase 3

Where can a project manager find risk-rating rules?


Options are :

  • Risk probability and impact matrix
  • Enterprise environmental factors
  • Organizational process asset
  • Risk management plan

Answer : Organizational process asset

You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis?


Options are :

  • Review of vendor contracts to examine risks in past projects
  • Studies of similar projects by risk specialists
  • Information on prior, similar projects
  • Risk databases that may be available from industry sources

Answer : Review of vendor contracts to examine risks in past projects

James works as IT systems personnel at SoftTech Inc. He performs the following tasks: Runs regular backups and routine tests of the validity of the backup data. Performs data restoration from the backups whenever required. Maintains the retained records in accordance with the established information classification policy. What is the role played by James in the organization?


Options are :

  • Owner
  • Manager
  • User
  • Custodian

Answer : Custodian

Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?


Options are :

  • Verification, Validation, Definition, and Post Accreditation
  • Verification, Definition, Validation, and Post Accreditation
  • Definition, Verification, Validation, and Post Accreditation
  • Definition, Validation, Verification, and Post Accreditation

Answer : Definition, Verification, Validation, and Post Accreditation

System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of System Authorization Plan? Each correct answer represents a part of the solution. Choose all that apply.


Options are :

  • Post-Authorization
  • Post-certification
  • Certification
  • Authorization
  • Pre-certification

Answer : Post-Authorization, Certification, Authorization, Pre-certification

You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?


Options are :

  • These risks can be accepted.
  • These risks can be dismissed.
  • These risks can be added to a low priority risk watch list.
  • All risks must have a valid, documented risk response

Answer : These risks can be added to a low priority risk watch list.

Frank is the project manager of the NHH Project. He is working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are Frank and the NHH Project team creating in this scenario?


Options are :

  • Project management plan
  • Project plan
  • Risk management plan
  • Resource management plan

Answer : Risk management plan

Under which type of access control does a user ID and password system come?


Options are :

  • Physical
  • Administrative
  • Power
  • Technical

Answer : Technical

Gary is the project manager of his organization. He is managing a project that is similar to a project his organization completed recently. Gary has decided that he will use the information from the past project to help him and the project team to identify the risks that may be present in the project. Management agrees that this checklist approach is ideal and will save time in the project. Which of the following statements is most accurate about the limitations of the checklist analysis approach for Gary?


Options are :

  • The checklist analysis approach saves time, but can cost more.
  • The checklist is also known as top down risk assessment
  • The checklist analysis approach only uses qualitative analysis.
  • The checklist analysis approach is fast but it is impossible to build an exhaustive checklist

Answer : The checklist analysis approach is fast but it is impossible to build an exhaustive checklist
