ISC2 CAP Exam Dumps

Which of the following statements correctly describes DIACAP residual risk?

A. It is the remaining risk to the information system after risk palliation has occurred.
B. It is a process of security authorization.
C. It is the technical implementation of the security design.
D. It is used to validate the information system.

Answer: A

Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?

A. TCSEC 
B. FIPS
 C. SSAA 
D. FITSAF

Answer: A

A security policy is an overall generalstatement produced by senior management that dictates what role security plays within the organization. What are the different types of policies? Each correct answer represents a complete solution. Choose all that apply.  

A. Systematic
B. Regulatory
C. Advisory
D. Informative

Answer: B,C,D

Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state?

A. Configuration management
B. Procurement management
C. Change management
D. Risk management

Answer: C

Which of the following is used to indicatethat the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?

A. DAA
 B. RTM 
C. ATM 
D. CRO 

Answer: B

Which of the following statements aboutDiscretionary Access Control List (DACL)is true?  

A. It is a rule list containing access control entries.  
B. It specifies whether an audit activity should be performed when an object attempts to access a resource. 
C. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.
D. It is a unique number that identifies a user, group, and computer account  

Answer: C

During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?

A. Symptoms
B. Cost of the project
C. Warning signs
D. Risk rating

Answer: B

During which of the following processes,probability and impact matrixis prepared? 

A. Plan Risk Responses
B. Perform Quantitative Risk Analysis
C. Perform Qualitative Risk Analysis
D. Monitoring and Control Risks

Answer: C

Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the works in the project are very dangerous so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for theproject have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes into fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario considering the risk event?

A. Project contractual relationship with the vendor
B. Project communications plan
C. Project management plan
D. Project scope statement

Answer: C

Which of the following is NOT an objective of the security program? 

A. Security organization  
B. Security plan  
C. Security education  
D. Information classification  

Answer: B

In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199. What levels of potential impact are defined by FIPS 199? Each correct answer represents a complete solution. Choose all that apply.

A. Low 
B. Moderate 
C. High 
D. Medium 

Answer: A,C,D?

An authentication method uses smart cards as well as usernames and passwordsfor authentication. Which of the following authentication methods is being referred to?

A. Anonymous 
B. Multi-factor 
C. Biometrics
 D. Mutual 

Answer: B

You work as a project manager for BlueWell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decided, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project which of the following are likely to increase?

A. Risks
B. Human resource needs
C. Quality control concerns
D. Costs

Answer: A

Which of the following RMF phases is known as risk analysis? 

A. Phase 0
B. Phase 1
C. Phase 2
D. Phase 3

Answer: C

Which one of the following is the only output for the qualitative risk analysis process? 

A. Enterprise environmental factors  
B. Project management plan  
C. Risk register updates  

Answer: C

The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply.

A. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A). 
B. An ISSO takes part in the development activities that are required to implement system ch anges.
C. An ISSE provides advice on the continuous monitoring of the information system.  
D. An ISSE provides advice on the impacts of system changes.  
E. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A). 

Answer: C,D,E

Harry is a project manager of a software development project. In the early stages of planning, he and the stakeholders operated with the belief that the software they were developing would work with their organization's current computer operating system. Now that the project team has started developing the software it has become apparent that the software will not work with nearly half of the organization's computer operating systems. The incorrect belief Harry had in the software compatibility is an example of what in project management?

A. Assumption
B. Issue
C. Risk
D. Constraint

Answer: A

Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment?

A. Phase 3
B. Phase 2
C. Phase 4
D. Phase 1

Answer: A

Which of the following processes is described in the statement below? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project." 

A. Perform Quantitative Risk Analysis
B. Monitor and Control Risks
C. Perform Qualitative Risk Analysis
D. Identify Risks

Answer: B

There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?

A. Enhance  
B. Exploit  
C. Acceptance  
D. Share  

Answer: C

In which type of access control do user ID and password system come under? 

A. Administrative
B. Technical
C. Physical
D. Power

Answer: B

Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete part of the project work for Eric's organization. Due to a change request the ZAS Corporation is no longer needed on the project even though they have completed nearly all of the project work. Is Eric's organization liable to pay the ZAS Corporation for the work they have completed so far on the project?

A. No, the ZAS Corporation did not complete all of the work.
B. Yes, the ZAS Corporation did not choose to terminate the contract work.
C. It depends on what the outcome of a lawsuit will determine.
D. It depends on what the terminationclause of the contract stipulates

Answer: D

Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. Which of the following isviolated in a shoulder surfing attack?

A. Authenticity
B. Integrity
C. Availability
D. Confidentiality

Answer: D

Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of a chart is management asking you to create?

A. Work breakdown structure
B. Roles and responsibility matrix
C. Resource breakdown structure
D. RACI chart

Answer: C

Which of the following DoD directives is referred to as theDefense Automation Resources Management Manual?

A. DoD 5200.22-M
B. DoD 5200.1-R
C. DoD 8910.1
D. DoDD 8000.1
E. DoD 7950.1-M

Answer: E

Tom is the project manager for his organization. In his project he has recently finished the risk response planning. He tells his manager that he will now need to update the cost and schedule baselines. Why would the risk response planning cause Tom the need to update the cost and schedule baselines?

A. New or omitted work as part of a risk response can cause changes to the cost and/or schedule baseline. 
B. Risk responses protect the time and investment of the project.
C. Risk responses may take time and money to implement.
D. Baselines should not be updated, but refined through versions.

Answer: A

Which of the following guidance documents is useful in determining the impact level of a particular threat on agency systems?

A. NIST SP 800-41
B. NIST SP 800-37
C. FIPS 199
D. NIST SP 800-14

Answer: C

Which of the following documents is used to provide a standard approach to the assessment of NIST SP 800-53 security controls?

A. NIST SP 800-53A
B. NIST SP 800-66
C. NIST SP 800-41
D. NIST SP 800-37

Answer: A