A series of multiple-choice questions covering ISC2 CAP (Certified Authorization Professional) exam topics, focusing on risk management, security controls, and certification and accreditation (C&A) processes. It covers key concepts such as FIPS 199, DITSCAP, DIACAP, NIST SP 800-53, and the various risk response strategies. The questions test understanding of roles such as the ISSO and ISSE, and of processes such as quantitative and qualitative risk analysis. It is useful for students and professionals preparing for the ISC2 CAP certification, offering insight into information security management and compliance frameworks.
Typology: Exams
NO.1 The IAM/CA makes certification and accreditation recommendations to the DAA, and the DAA issues accreditation determinations. Which of the following are the accreditation determinations issued by the DAA? Each correct answer represents a complete solution. Choose all that apply.
A. IATO
B. ATO
C. IATT
D. ATT
E. DATO
Correct answer: A. IATO, B. ATO, C. IATT, E. DATO

NO.2 FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, was published by NIST in 2004 and is used in the Certification & Accreditation (C&A) process to categorize information systems. What levels of potential impact are defined by FIPS 199? Each correct answer represents a complete solution. Choose all that apply.
A. Low
B. Moderate
C. High
D. Medium
Correct answer: A. Low, B. Moderate, C. High (FIPS 199 defines the levels low, moderate and high; "medium" is not a FIPS 199 impact level)

NO.3 Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.
A. System development
B. Certification analysis
C. Registration
D. Assessment of the analysis results
E. Continued refinement of the SSAA
Correct answer: A. System development, B. Certification analysis, D. Assessment of the analysis results, E. Continued refinement of the SSAA (registration is a Phase 1, Definition, activity)

NO.4 You and your project team are just starting the risk identification activities for a project that is scheduled to last for 18 months. Your project team has already identified a long list of risks that need to be analyzed. How often should you and the project team do risk identification?
A. At least once per month
B. Identify Risks is an iterative process.
C. It depends on how many risks are initially identified.
D. Several times until the project moves into execution
Correct answer: B. Identify Risks is an iterative process.

NO.5 Joan is the project manager of the BTT project for her company. She has worked with her project team to create risk responses for both positive and negative risk events within the project. As a result of this process Joan needs to make project document updates. She has updated the assumptions log as a result of the findings and risk responses, but what other documentation will need to be updated as an output of risk response planning?
A. Lessons learned
B. Scope statement
C. Risk breakdown structure
D. Technical documentation
Correct answer: D. Technical documentation

NO.6 Which of the following are the tasks performed by the owner in information classification schemes? Each correct answer represents a part of the solution. Choose three.
A. To make the original determination of what level of classification the information requires, based on the business requirements for the safety of the data.
B. To perform data restoration from the backups whenever required.
A. Risk identification
B. Qualitative risk analysis
C. Risk response implementation
D. Quantitative risk analysis
Correct answer: D. Quantitative risk analysis

NO.10 You are the project manager of the HJK Project for your organization. You and the project team have created risk responses for many of the risk events in the project. Where should you document the proposed responses and the current status of all identified risks?
A. Risk management plan
B. Stakeholder management strategy
C. Risk register
D. Lessons learned documentation
Correct answer: C. Risk register

NO.11 Which of the following documents is used to provide a standard approach to the assessment of NIST SP 800-53 security controls?
A. NIST SP 800-53A
B. NIST SP 800-
C. NIST SP 800-
D. NIST SP 800-37
Correct answer: A. NIST SP 800-53A

NO.12 What are the responsibilities of a system owner? Each correct answer represents a complete solution. Choose all that apply.
A. Integrates security considerations into application and system purchasing decisions and development projects.
B. Ensures that the systems are properly assessed for vulnerabilities and reports any findings to the incident response team and data owner.
C. Ensures that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on.
D. Ensures that the necessary security controls are in place.
Correct answer: A, B, C

NO.13 There are seven risk responses that a project manager can choose from. Which risk response is appropriate for both positive and negative risk events?
A. Acceptance
B. Mitigation
C. Sharing
D. Transference
Correct answer: A. Acceptance

NO.14 Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete part of the project work for Eric's organization. Due to a change request the ZAS Corporation is no longer needed on the project even though they have completed nearly all of the project work. Is Eric's organization liable to pay the ZAS Corporation for the work they have completed so far on the project?
A. No, the ZAS Corporation did not complete all of the work.
B. Yes, the ZAS Corporation did not choose to terminate the contract work.
C. It depends on what the outcome of a lawsuit will determine.
D. It depends on what the termination clause of the contract stipulates.
Correct answer: D. It depends on what the termination clause of the contract stipulates.

NO.15 Which of the following is an entry in an object's discretionary access control list (DACL) that grants permissions to a user or group?
A. Access control entry (ACE)
B. Discretionary access control entry (DACE)
C. Access control list (ACL)
D. Security identifier (SID)
Correct answer: A. Access control entry (ACE)

NO.16 Which of the following DITSCAP C&A phases takes place between the signing of the initial version of the SSAA and the formal accreditation of the system?
A. Phase 3
B. Phase 1
C. Phase 2
NO.19 Kelly is the project manager of the BHH project for her organization. She is completing the risk identification process for this portion of her project. Which one of the following is the only thing that the risk identification process will create for Kelly?
A. Project document updates
B. Risk register updates
C. Change requests
D. Risk register
Correct answer: D. Risk register

NO.20 You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs, including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?
A. The project's cost management plan can help you to determine what the total cost of the project is allowed to be.
B. The project's cost management plan provides direction on how costs may be changed due to identified risks.
C. The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget.
D. The project's cost management plan is not an input to the quantitative risk analysis process.
Correct answer: C. The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget.

NO.21 You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year. Management has asked you to identify the risk events and communicate each event's probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low level of stakeholder tolerance in this project?
A. Risk avoidance
B. Mitigation-ready project management
C. Risk utility function
D. Risk-reward mentality
Correct answer: C. Risk utility function

NO.22 Which of the following acts recognizes the importance of information security to the economic and national security interests of the United States?
A. Computer Fraud and Abuse Act
B. FISMA
C. Lanham Act
D. Computer Misuse Act
Correct answer: B. FISMA

NO.23 Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply.
A. Bottom-up approach
B. Right-up approach
C. Top-down approach
D. Left-up approach
Correct answer: A. Bottom-up approach, C. Top-down approach

NO.24 Risks with low ratings of probability and impact are included on a ____ for future monitoring.
A. Watchlist
B. Risk alarm
C. Observation list
D. Risk register
Correct answer: A. Watchlist

NO.25 FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, was published by NIST in 2004 and is used in the Certification & Accreditation (C&A) process to categorize information systems. What levels of potential impact are defined by FIPS 199? Each correct answer represents a complete solution. Choose all that apply.
A. Medium
B. High
C. Low
D. Moderate
Correct answer: B. High, C. Low, D. Moderate (FIPS 199 defines the levels low, moderate and high; "medium" is not a FIPS 199 impact level)
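As an added example (not part of the original exam material), the following Python script applies the FIPS 199 categorization that NO.2 and NO.25 test. It takes the (confidentiality, integrity, availability) impact levels of each information type a system handles, applies the FIPS 199 high-water mark per security objective, renders the result in the SC notation FIPS 199 defines, and derives the overall impact level that selects the SP 800-53 baseline under FIPS 200. The information types and their impact values are constructed for illustration; the rejection of "medium" and the confidentiality-only "N/A" rule follow FIPS 199 itself.

```python
"""FIPS 199 security categorization of an information system from the
information types it handles, using the high-water-mark rule.

Added example, not part of the original exam material. The information
types and impact values in the demo are constructed for illustration.
"""
from typing import Dict

OBJECTIVES = ("confidentiality", "integrity", "availability")

# FIPS 199 potential-impact levels in increasing order. "N/A" is permitted
# only for the confidentiality of public information, and only at the
# information-type level, never for the system as a whole.
LEVEL_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}


def categorize_info_type(name: str, c: str, i: str, a: str) -> Dict[str, str]:
    """Validate and normalise one information type's (C, I, A) impact triple."""
    levels = {}
    for objective, value in zip(OBJECTIVES, (c, i, a)):
        value = value.strip().upper()
        if value == "MEDIUM":
            raise ValueError(f"{name}: FIPS 199 has no 'medium' level; use MODERATE")
        if value not in LEVEL_RANK:
            raise ValueError(f"{name}: unknown impact level {value!r} for {objective}")
        if value == "N/A" and objective != "confidentiality":
            raise ValueError(f"{name}: N/A is only permitted for confidentiality")
        levels[objective] = value
    return levels


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Apply the high-water mark per objective across all information types.

    A system-level objective can never be below LOW, so an N/A at the
    information-type level becomes LOW unless another type raises it.
    """
    sc = {}
    for objective in OBJECTIVES:
        highest = max((t[objective] for t in info_types.values()),
                      key=LEVEL_RANK.__getitem__)
        sc[objective] = "LOW" if highest == "N/A" else highest
    return sc


def overall_impact(sc: Dict[str, str]) -> str:
    """Overall impact level = highest of the three objectives (FIPS 200 rule),
    which in turn selects the SP 800-53 low/moderate/high control baseline."""
    return max(sc.values(), key=LEVEL_RANK.__getitem__)


def format_sc(system: str, sc: Dict[str, str]) -> str:
    """Render the categorization in the notation FIPS 199 uses."""
    inner = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {system} = {{{inner}}}"


if __name__ == "__main__":
    # Constructed example: a customer portal hosting three information types.
    types = {
        "public web content": categorize_info_type("public web content", "N/A", "MODERATE", "LOW"),
        "customer PII": categorize_info_type("customer PII", "MODERATE", "MODERATE", "LOW"),
        "payment records": categorize_info_type("payment records", "MODERATE", "HIGH", "MODERATE"),
    }
    sc = categorize_system(types)
    print(format_sc("portal", sc))
    # SC portal = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}
    print("overall impact:", overall_impact(sc))  # HIGH
```

The point the script makes that the bare formula does not: categorization is done per information type first and then aggregated, and a single HIGH on one objective for one information type drives the whole system to the high baseline.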
NO.30 Which of the following parts of BS 7799 covers risk analysis and management?
A. Part 1
B. Part 3
C. Part 2
D. Part 4
Correct answer: B. Part 3

NO.31 Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?
A. FITSAF
B. FIPS
C. TCSEC
D. SSAA
Correct answer: D. SSAA

NO.32 FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls are tested and reviewed?
A. Level 1
B. Level 2
C. Level 4
D. Level 5
E. Level 3
Correct answer: C. Level 4

NO.33 Penetration testing (also called pen testing) is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. Which of the following areas can be exploited in a penetration test? Each correct answer represents a complete solution. Choose all that apply.
A. Social engineering
B. File and directory permissions
C. Buffer overflows
D. Kernel flaws
E. Race conditions
F. Information system architectures
G. Trojan horses
Correct answer: A. Social engineering, B. File and directory permissions, C. Buffer overflows, D. Kernel flaws, E. Race conditions, G. Trojan horses

NO.34 Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?
A. FIPS
B. TCSEC
C. SSAA
D. FITSAF
Correct answer: C. SSAA

NO.35 Which of the following statements is true about the continuous monitoring process?
A. It takes place in the middle of system security accreditation.
B. It takes place before and after system security accreditation.
C. It takes place before the initial system security accreditation.
D. It takes place after the initial system security accreditation.
Correct answer: D. It takes place after the initial system security accreditation.

NO.36 You work as a project manager for BlueWell Inc. You are currently working with the project stakeholders to identify risks in your project. You understand that the qualitative risk assessment and analysis can reflect the attitude of the project team and other stakeholders to risk. Effective assessment of risk requires management of the risk attitudes of the participants. What should you, the project manager, do with the assessment of identified risks in consideration of the attitude and bias of the participants towards the project risk?
A. Document the bias for the risk events and communicate the bias with management
B. Evaluate and document the bias towards the risk events
NO.40 Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state?
A. Configuration management
B. Procurement management
C. Change management
D. Risk management
Correct answer: C. Change management

NO.41 FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?
A. Level 2
B. Level 5
C. Level 4
D. Level 1
E. Level 3
Correct answer: E. Level 3

NO.42 Phase 3 of DITSCAP C&A is known as Validation. The goal of Phase 3 is to validate that the preceding work has produced an IS that operates in a specified computing environment. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.
A. Perform certification evaluation of the integrated system
B. System development
C. Certification and accreditation decision
D. Develop recommendation to the DAA
E. Continue to review and refine the SSAA
Correct answer: A. Perform certification evaluation of the integrated system, C. Certification and accreditation decision, D. Develop recommendation to the DAA, E. Continue to review and refine the SSAA

NO.43 Which of the following system security policies is used to address specific issues of concern to the organization?
A. Program policy
B. Issue-specific policy
C. Informative policy
D. System-specific policy
Correct answer: B. Issue-specific policy

NO.44 Which of the following formulas was developed by FIPS 199 for the categorization of an information system?
A. SC information system = {(confidentiality, impact), (integrity, controls), (availability, risk)}
B. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
C. SC information system = {(confidentiality, controls), (integrity, controls), (availability, controls)}
D. SC information system = {(confidentiality, risk), (integrity, impact), (availability, controls)}
Correct answer: B. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

NO.45 Which of the following are included in physical controls? Each correct answer represents a complete solution. Choose all that apply.
A. Locking systems and removing unnecessary floppy or CD-ROM drives
B. Environmental controls
C. Password and resource management
D. Identification and authentication methods
E. Monitoring for intrusion
F. Controlling individual access into the facility and different departments
Correct answer: A. Locking systems and removing unnecessary floppy or CD-ROM drives, B. Environmental controls, E. Monitoring for intrusion, F. Controlling individual access into the facility and different departments

NO.46 In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system?
A. Full operational test
A. Confidentiality
B. Availability
C. Integrity
D. Non-repudiation
Correct answer: C. Integrity

NO.51 Which of the following C&A professionals plays the role of an advisor?
A. Information System Security Engineer (ISSE)
B. Chief Information Officer (CIO)
C. Authorizing Official
D. Information Owner
Correct answer: A. Information System Security Engineer (ISSE)

NO.52 Which of the following statements about a discretionary access control list (DACL) is true?
A. It is a rule list containing access control entries.
B. It specifies whether an audit activity should be performed when an object attempts to access a resource.
C. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.
D. It is a unique number that identifies a user, group, or computer account.
Correct answer: C. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.

NO.53 You are the project manager of the CUL project in your organization. You and the project team are assessing the risk events and creating a probability and impact matrix for the identified risks. Which one of the following statements best describes the requirements for the data used in qualitative risk analysis?
A. A qualitative risk analysis requires fast and simple data to complete the analysis.
B. A qualitative risk analysis requires accurate and unbiased data if it is to be credible.
C. A qualitative risk analysis requires unbiased stakeholders with biased risk tolerances.
D. A qualitative risk analysis encourages biased data to reveal risk tolerances.
Correct answer: B. A qualitative risk analysis requires accurate and unbiased data if it is to be credible.

NO.54 Which of the following processes is described in the statement below? "This is the process of numerically analyzing the effect of identified risks on overall project objectives."
A. Identify Risks
B. Perform Quantitative Risk Analysis
C. Perform Qualitative Risk Analysis
D. Monitor and Control Risks
Correct answer: B. Perform Quantitative Risk Analysis

NO.55 The Project Risk Management knowledge area focuses on which of the following processes? Each correct answer represents a complete solution. Choose all that apply.
A. Potential Risk Monitoring
B. Risk Management Planning
C. Quantitative Risk Analysis
D. Risk Monitoring and Control
Correct answer: B. Risk Management Planning, C. Quantitative Risk Analysis, D. Risk Monitoring and Control

NO.56 A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of policies? Each correct answer represents a complete solution. Choose all that apply.
A. Systematic
B. Informative
C. Regulatory
D. Advisory
Correct answer: B. Informative, C. Regulatory, D. Advisory

NO.57 The Project Risk Management knowledge area focuses on which of the following processes? Each correct answer represents a complete solution. Choose all that apply.
A. Quantitative Risk Analysis
B. Potential Risk Monitoring
C. Risk Monitoring and Control
D. Risk Management Planning
Correct answer: A. Quantitative Risk Analysis, C. Risk Monitoring and Control, D. Risk Management Planning
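An added example, not part of the original exam material, that ties NO.15 and NO.52 together in working code: a small parser for the SDDL string form of a Windows security descriptor, which splits the D: section into its access control entries (type, flags, access mask, trustee SID), followed by a simplified access check that walks the DACL in order the way Windows does (explicit deny that overlaps an ungranted right wins; allow entries accumulate rights; anything not granted by the end of the list is denied). The descriptor strings and the principal's SID sets are constructed. Assumptions and simplifications: the rights table covers only a subset of SDDL tokens, generic rights (GA/GR/GW/GX) are not mapped onto object-specific bits, and the owner's implicit READ_CONTROL/WRITE_DAC are ignored.

```python
"""Parse a Windows security descriptor in SDDL form into its DACL access
control entries (ACEs) and run a simplified Windows-style access check.

Added example, not part of the original exam material. The SDDL strings
and principal SID sets in the demo are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Subset of SDDL access-right tokens mapped to access-mask bits (Windows SDK values).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit", "OA": "object_allow", "OD": "object_deny"}
ACL_FLAGS = ("P", "AI", "AR")  # protected, auto-inherited, auto-inherit required


@dataclass
class Ace:
    ace_type: str       # "allow", "deny", "audit", ...
    flags: List[str]    # e.g. ["OI", "CI"] = object inherit + container inherit
    mask: int           # access mask
    trustee: str        # SID alias (BA, BU, WD, ...) or an S-1-... string


def parse_rights(token: str) -> int:
    """Rights are either a hex mask (0x...) or a run of two-letter tokens."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        pair = token[i:i + 2]
        if pair not in RIGHTS:
            raise ValueError(f"unsupported right token {pair!r}")
        mask |= RIGHTS[pair]
    return mask


def parse_ace(text: str) -> Ace:
    """ACE string form: ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee."""
    parts = text.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE {text!r}")
    ace_type, flags, rights, _object_guid, _inherit_guid, trustee = parts
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unsupported ACE type {ace_type!r}")
    flag_list = [flags[i:i + 2] for i in range(0, len(flags), 2)]
    return Ace(ACE_TYPES[ace_type], flag_list, parse_rights(rights), trustee)


def parse_acl(text: str) -> Tuple[List[str], List[Ace]]:
    """Split 'PAI(ace)(ace)...' into ACL-level flags and the parsed ACEs, in order."""
    head = text.split("(", 1)[0]
    flags = []
    while head:
        token = next((f for f in ACL_FLAGS if head.startswith(f)), None)
        if token is None:
            raise ValueError(f"unsupported ACL flag in {head!r}")
        flags.append(token)
        head = head[len(token):]
    aces = [parse_ace(m) for m in re.findall(r"\(([^)]*)\)", text)]
    return flags, aces


def parse_sddl(sddl: str) -> Dict:
    """Split the descriptor into O: (owner), G: (group), D: (DACL), S: (SACL)."""
    pieces = re.split(r"([OGDS]):", sddl)   # ACE bodies contain no ':' so this is safe
    if pieces[0] != "":
        raise ValueError("SDDL must start with a section tag")
    sections = dict(zip(pieces[1::2], pieces[2::2]))
    dacl_flags, dacl = parse_acl(sections["D"]) if "D" in sections else ([], [])
    sacl_flags, sacl = parse_acl(sections["S"]) if "S" in sections else ([], [])
    return {"owner": sections.get("O"), "group": sections.get("G"),
            "dacl_flags": dacl_flags, "dacl": dacl, "sacl_flags": sacl_flags, "sacl": sacl}


def access_check(dacl: List[Ace], principal_sids: Set[str], desired: int) -> bool:
    """Walk the DACL in order: a deny ACE overlapping any still-ungranted bit denies,
    allow ACEs accumulate bits, and anything not granted by the end is denied.
    Simplified: no generic-right mapping and no owner implicit rights."""
    remaining = desired
    for ace in dacl:
        if "IO" in ace.flags or ace.trustee not in principal_sids:
            continue  # inherit-only ACEs do not apply to the object itself
        if ace.ace_type == "deny" and ace.mask & remaining:
            return False
        if ace.ace_type == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


if __name__ == "__main__":
    # Constructed descriptor: owner BA, group SY, protected auto-inherited DACL that
    # denies Users DELETE, grants Administrators everything and Users generic read.
    sd = parse_sddl("O:BAG:SYD:PAI(D;;SD;;;BU)(A;;FA;;;BA)(A;OICI;FR;;;BU)")
    user = {"BU", "AU", "WD"}  # a standard user's token: Users, Authenticated Users, Everyone
    print(access_check(sd["dacl"], user, RIGHTS["FR"]))          # True
    print(access_check(sd["dacl"], user, RIGHTS["SD"]))          # False
    print(access_check(sd["dacl"], {"BA", "AU"}, RIGHTS["FA"]))  # True
```

Note the ordering dependence: Windows expects canonical order (explicit deny ACEs before explicit allow ACEs). If the deny entry for BU were placed after the allow, a request for FR would be granted before the deny was ever consulted, which is exactly why tools flag non-canonical DACLs.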
NO.61 Which of the following NIST Special Publication documents provides a guideline on network security testing?
A. NIST SP 800-
B. NIST SP 800-53A
C. NIST SP 800-
D. NIST SP 800-
E. NIST SP 800-
F. NIST SP 800-53
Correct answer: D. NIST SP 800-

NO.62 Which of the following terms related to risk management represents the estimated frequency at which a threat is expected to occur?
A. Safeguard
B. Single Loss Expectancy (SLE)
C. Exposure Factor (EF)
D. Annualized Rate of Occurrence (ARO)
Correct answer: D. Annualized Rate of Occurrence (ARO)

NO.63 Your project uses a piece of equipment that will overheat and have to be shut down for 48 hours if its temperature goes above 450 degrees Fahrenheit. Should this machine overheat even once, it will delay the project's end date. You work with your project team to create a response: should the temperature of the machine reach 430 degrees, the machine will be paused for at least an hour to cool down. The temperature of 430 degrees is called what?
A. Risk identification
B. Risk response
C. Risk trigger
D. Risk event
Correct answer: C. Risk trigger

NO.64 NIST SP 800-53A defines three types of interview depending on the level of assessment conducted. Which of the following NIST SP 800-53A interview types consists of informal and ad hoc interviews?
A. Substantial
B. Significant
C. Abbreviated
D. Comprehensive
Correct answer: C. Abbreviated

NO.65 Which of the following processes is described in the statement below? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."
A. Perform Quantitative Risk Analysis
B. Monitor and Control Risks
C. Perform Qualitative Risk Analysis
D. Identify Risks
Correct answer: B. Monitor and Control Risks

NO.66 Which of the following relations correctly describes total risk?
A. Total Risk = Threats x Vulnerability x Asset Value
B. Total Risk = Viruses x Vulnerability x Asset Value
C. Total Risk = Threats x Exploit x Asset Value
D. Total Risk = Viruses x Exploit x Asset Value
Correct answer: A. Total Risk = Threats x Vulnerability x Asset Value

NO.67 Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.
A. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
B. Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
C. Certification is the official management decision given by a senior agency official to authorize operation of an information system.
D. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
Correct answer: A. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system; D. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
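An added example, not part of the original exam material, that carries the quantitative-risk terms of NO.62 and NO.66 through to a decision. It uses the standard relations SLE = AV x EF and ALE = SLE x ARO, and the usual safeguard cost-benefit test (ALE before the control, minus ALE after it, minus the control's annual cost); the page only names SLE, EF and ARO, so the ALE and cost-benefit relations are supplied here as the standard definitions. Every asset value, exposure factor, rate of occurrence and safeguard cost in the demo is constructed, including the overheating-machine scenario borrowed from NO.63.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and the safeguard cost-benefit test.

Added example, not part of the original exam material. All figures in the
demo are constructed. Relations used (standard quantitative-risk definitions):
    SLE = AV x EF            single loss expectancy
    ALE = SLE x ARO          annualized loss expectancy
    safeguard value = ALE_before - ALE_after - annual cost of the safeguard
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (occurrences per year)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    new_ef: float    # exposure factor once the control is in place
    new_aro: float   # rate of occurrence once the control is in place


def safeguard_value(before: Scenario, control: Safeguard) -> float:
    """ALE reduction minus the control's annual cost; positive means the control pays for itself."""
    after = Scenario(before.name, before.asset_value, control.new_ef, control.new_aro)
    return before.ale - after.ale - control.annual_cost


def rank_by_ale(scenarios: List[Scenario]) -> List[str]:
    """Scenario names ordered by annualized loss, highest first (treatment priority)."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.ale, reverse=True)]


if __name__ == "__main__":
    # Constructed scenarios. A high per-incident loss with a low rate (breach) can
    # rank below a cheaper but more frequent event once annualized.
    ransomware = Scenario("ransomware on file server", 500_000, 0.6, 0.2)
    breach = Scenario("web app data breach", 2_000_000, 0.25, 0.1)
    overheat = Scenario("machine overheating (NO.63)", 80_000, 0.1, 2.0)
    for s in (ransomware, breach, overheat):
        print(f"{s.name}: SLE={s.sle:,.0f} ALE={s.ale:,.0f}")
    print("priority:", rank_by_ale([overheat, breach, ransomware]))

    backups = Safeguard("offline backups", annual_cost=15_000, new_ef=0.15, new_aro=0.2)
    edr = Safeguard("EDR platform", annual_cost=70_000, new_ef=0.6, new_aro=0.02)
    print(f"{backups.name}: value={safeguard_value(ransomware, backups):,.0f}")  # 30,000
    print(f"{edr.name}: value={safeguard_value(ransomware, edr):,.0f}")          # -16,000
```

A negative safeguard value does not mean the control is useless; it means this one scenario alone does not justify it. A control such as EDR usually reduces the ALE of several scenarios at once, so the honest comparison sums its effect across every scenario it touches before subtracting its cost.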