ISC2 CAP Exam 2021 (4)
NO.384 Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems? A. SSAA B. FIPS C. FITSAF D. TCSEC
A. SSAA
NO.375 In which of the following elements of security does the object retain its veracity and is intentionally modified by the authorized subjects? A. Integrity B. Nonrepudiation C. Availability D. Confidentiality
A. Integrity
NO.303 Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation?Each correct answer represents a complete solution. Choose two. A. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system. B. Certification is a comprehensive assessment of the management, operational, and technical security controls inan information system. C. Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system. D. Certification is the official management decision given by a senior agency official to authorize operation of an information system.
A. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system. B. Certification is a comprehensive assessment of the management, operational, and technical security controls inan information system.
NO.336 The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE?Each correct answer represents a complete solution. Choose all that apply. A. An ISSE provides advice on the impacts of system changes. B. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A). C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A). D. An ISSO takes part in the development activities that are required to implement system changes. E. An ISSE provides advice on the continuous monitoring of the information system.
A. An ISSE provides advice on the impacts of system changes. C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A). E. An ISSE provides advice on the continuous monitoring of the information system.
NO.361 Billy is the project manager of the HAR Project and is in month six of the project. The project is scheduled to last for 18 months. Management asks Billy how often the project team is participating in risk reassessment in this project. What should Billy tell management if he's following the best practices for risk management? A. At every status meeting the project team project risk management is an agenda item. B. Project risk management happens at every milestone. C. Project risk management has been concluded with the project planning. D. Project risk management is scheduled for every monthin the 18-month project.
A. At every status meeting the project team project risk management is an agenda item.
NO.337 Bill is the project manager of the JKH Project. He and the project team have identified a risk event in the project with a high probability of occurrence and the risk event has a high cost impact on the project. Bill discusses the risk event with Virginia, the primary project customer, and she decides that the requirements surrounding the risk event should be removed from the project. The removal of the requirements does affect the project scope, but it can release the project from the high risk exposure. What risk response has been enacted in this project? A. Avoidance B. Acceptance C. Transference D. Mitigation
A. Avoidance
NO.334 The Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase?Each correct answer represents a complete solution. Choose all that apply. A. Configuring refinement of the SSAA B. Assessment of the Analysis Results C. System development D. Certification analysis E. Registration
A. Configuring refinement of the SSAA B. Assessment of the Analysis Results C. System development D. Certification analysis
NO.311 In which of the following phases do the system security plan update and the Plan of Action and Milestones (POAM) update take place? A. Continuous Monitoring Phase B. Accreditation Phase C. Preparation Phase D. DITSCAP Phase
A. Continuous Monitoring Phase
NO.369 In which of the following phases do the system security plan update and the Plan of Action and Milestones (POAM) update take place? A. Continuous Monitoring Phase B. Accreditation Phase C. Preparation Phase D. DITSCAP Phase
A. Continuous Monitoring Phase
NO.389 Your project team has identified a project risk that must be responded to. The risk has been recorded in the risk register and the project team has been discussing potential risk responses for the risk event. The event is not likely to happen for several months but the probability of the event is high. Which one of the following is a valid response to the identified risk event? A. Corrective action B. Technical performance measurement C. Risk audit D. Earned value management
A. Corrective action
NO.382 For which of the following reporting requirements are continuous monitoring documentation reports used? A. FISMA B. NIST C. HIPAA D. FBI
A. FISMA
NO.347 Jenny is the project manager of the NHJ Project for her company. She has identified several positive risk events within the project and she thinks these events can save the project time and money. You, a new team member wants to know that how many risk responses are available for a positive risk event. What will Jenny reply to you? A. Four B. Seven C. Acceptance is the only risk response for positive risk events. D. Three
A. Four
NO.356 Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis Courtney encourages the project team to begin the grouping of identified risks by common causes. What is the primary advantage to group risks by common causes during qualitative risk analysis? A. It can lead to developing effective risk responses. B. It can lead to the creation of risk categories unique to each project. C. It helps the project team realize the areas of the project most laden with risks. D. It saves time by collecting the related resources, such as project team members, to analyze the risk events.
A. It can lead to developing effective risk responses.
NO.308 Which of the following statements about System Access Control List (SACL) is true? A. It contains a list of any events that are set to audit for that particular object. B. It is a mechanism for reducing the need for globally unique IP addresses. C. It contains a list of both users and groups and whatever permissions they have. D. It exists for each and every permission entry assigned to any object.
A. It contains a list of any events that are set to audit for that particular object.
NO.372 Which of the following objectives are defined by integrity in the C.I.A triad of information security systems?Each correct answer represents a part of the solution. Choose three. A. It preservesthe internal and external consistency of information. B. It prevents the unauthorized or unintentional modification of information by the authorized users. C. It prevents the modification of information by the unauthorized users. D. It prevents the intentional or unintentional unauthorized disclosure of a message's contents .
A. It preservesthe internal and external consistency of information. B. It prevents the unauthorized or unintentional modification of information by the authorized users. C. It prevents the modification of information by the unauthorized users.
NO.312 In which of the following Risk Management Framework (RMF) phases is strategic risk assessment planning performed? A. Phase 0 B. Phase 1 C. Phase 2 D. Phase 3
A. Phase 0
NO.355 Which of the following RMF phases is known as risk analysis? A. Phase 2 B. Phase 1 C. Phase 0 D. Phase 3
A. Phase 2
NO.305 System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of System Authorization Plan?Each correct answer represents a part of the solution. Choose all that apply. A. Pre-certification B. Certification C. Post-certification D. Authorization E. Post-Authorization
A. Pre-certification B. Certification D. Authorization E. Post-Authorization
NO.357 The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer?Each correct answer represents a complete solution. Choose all that apply. A. Preserving high-level communications and working group relationships in an organization B. Facilitating the sharing of security risk-related information among authorizing officials C. Establishing effective continuous monitoring program for the organization D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan
A. Preserving high-level communications and working group relationships in an organization C. Establishing effective continuous monitoring program for the organization D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan
NO.360 Which of the following statements reflect the 'Code of Ethics Canons' in the '(ISC)2 Code of Ethics'?Each correct answer represents a complete solution. Choose all that apply. A. Protect society, the commonwealth, and the infrastructure. B. Act honorably, honestly, justly, responsibly, and legally. C. Provide diligent and competent service to principals. D. Give guidance for resolving good versus good and bad versus baddilemmas.
A. Protect society, the commonwealth, and the infrastructure. B. Act honorably, honestly, justly, responsibly, and legally. C. Provide diligent and competent service to principals.
NO.323 The Phase 1 of DITSCAP C&A is known as Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply. A. Registration B. Document mission need C. Negotiation D. Initial Certification Analysis
A. Registration B. Document mission need C. Negotiation
NO.349 You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response? A. Risk register B. Risk log C. Risk management plan D. Project management plan
A. Risk register
NO.313 You work as a project manager for BlueWell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decided, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project which of the following are likely to increase? A. Risks B. Human resource needs C. Quality control concerns D. Costs
A. Risks
NO.377 Your organization has a project that is expected to last 20 months but the customer would really like the project completed in 18 months. You have worked on similar projects in the past and believe that you could fast track the project and reach the 18 month deadline. What increases when you fast track a project? A. Risks B. Costs C. Resources D. Communication
A. Risks
NO.354 Beth is the project manager of the BFG Project for her company. In this project Beth has decided to create a contingency response based on the performance of the project schedule. If the project schedule variance is greater than $10,000 the contingency plan will be implemented. What is the formula for the schedule variance? A. SV=EV-PV B. SV=EV/AC C. SV=PV-EV D. SV=EV/PV
A. SV=EV-PV
NO.366 Information Security management is a process of defining the security controls in order to protect information assets. The first action of a management program to implement information security is to have a security program in place. What are the objectives of a security program? Each correct answer represents a complete solution. Choose all that apply. A. Security organization B. System classification C. Information classification D. Security education
A. Security organization C. Information classification D. Security education
NO.314 You are the project manager of the NNQ Project for your company and are working with your project team to define contingency plans for the risks within your project. Mary, one of your project team members, asks what a contingency plan is. Which of the following statements best defines what a contingency response is? A. Some responses are designed for use only if certain events occur. B. Some responses have a cost and a time factor to consider for each risk event. C. Some responses must counteract pending risk events. D. Quantified risks should always have contingency responses.
A. Some responses are designed for use only if certain events occur.
NO.317 Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management activity? A. Stakeholder register B. Risk register C. Project scope statement D. Risk management plan
A. Stakeholder register
NO.319 Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system? A. TCSEC B. FIPS C. SSAA D. FITSAF
A. TCSEC
NO.333 You are the project manager of a large construction project. Part of the project involves the wiring of the electricity in the building your project is creating. You and the project team determine the electrical work is too dangerous to perform yourself so you hire an electrician to perform the work for the project. This is an example of what type of risk response? A. Transference B. Mitigation C. Avoidance D. Acceptance
A. Transference
NO.329 Ned is the project manager of the HNN project for your company. Ned has asked you to help him complete some probability distributions for his project. What portion of the project will you most likely use for probability distributions? A. Uncertainty in values such as duration of schedule activities B. Bias towards risk in new resources C. Risk probabilityand impact matrixes D. Risk identification
A. Uncertainty in values such as duration of schedule activities
NO.350 You are the project manager of the BlueStar project in your company. Your company is structured as a functional organization and you report to the functional manager that you are ready to move onto the qualitative risk analysis process. What will you need as inputs for the qualitative risk analysis of the project in this scenario? A. You will need the risk register, risk management plan, project scope statement, and any relevant organizational process assets. B. You will need the risk register, risk management plan, outputs of qualitative risk analysis, and any relevant organizational process assets. C. You will need the risk register, risk management plan, permission from the functional manager, and any relevant organizational process assets. D. Qualitative risk analysis does not happen through the project manager in a functional struc ture.
A. You will need the risk register, risk management plan, project scope statement, and any relevant organizational process assets.
NO.348 You are the project manager of the NNH Project. In this project you have created a contingency response that the schedule performance index should be less than 0.93. The NHH Project has a budget at completion of $945,000 and is 45 percent complete though the project should be 49 percent complete. The project has spent $455,897 to reach the 45 percent complete milestone. What is the project's schedule performance index? A. 1.06 B. 0.92 C. -$37,800 D. 0.93
B. 0.92
NO.332 Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state? A. Procurement management B. Change management C. Risk management D. Configuration management
B. Change management
NO.390 Which of the following recovery plans includes a monitoring process and triggers for initiating planned actions? A. Business continuity plan B. Contingency plan C. Continuity of Operations Plan D. Disaster recovery plan
B. Contingency plan
NO.392 You work as a project manager for BlueWell Inc. Your project is running late and you must respond to the risk. Which risk response can you choose that will also cause you to update the human resource management plan? A. Teamingagreements B. Crashing the project C. Transference D. Fast tracking the project
B. Crashing the project
NO.325 Which of the following individuals makes the final accreditation decision? A. ISSE B. DAA C. CRO D. ISSO
B. DAA
NO.379 Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual? A. DoDD 8000.1 B. DoD 7950.1-M C. DoD 5200.22-M D. DoD 8910.1 E. DoD 5200.1-R
B. DoD 7950.1-M
NO.327 The phase 3 of the Risk Management Framework (RMF) process is known as mitigation planning.Which of the following processes take place in phase 3?Each correct answer represents a complete solution. Choose all that apply. A. Identify threats, vulnerabilities, and controls that will be evaluated. B. Document and implement a mitigation plan. C. Agree on a strategy to mitigate risks. D. Evaluate mitigation progress and plan next assessment.
B. Document and implement a mitigation plan. C. Agree on a strategy to mitigate risks. D. Evaluate mitigation progress and plan next assessment.
NO.326 Which of the following statements about role-based access control (RBAC) model is true? A. In this model, the permissions are uniquely assigned to each user account. B. In this model, a user can access resources according to his role in the organization. C. In this model, the same permission is assigned to each user account. D. In this model, the users canaccess resources according to their seniority.
B. In this model, a user can access resources according to his role in the organization.
NO.365 Which of the following individuals is responsible for configuration management and control task? A. Commoncontrol provider B. Information system owner C. Authorizing official D. Chief information officer
B. Information system owner
NO.359 Which of the following statements about the availability concept of Information security management is true? A. It ensures that modifications are not made to data by unauthorized personnel or processes . B. It ensures reliable and timely access to resources. C. It determines actions and behaviors of a single individual within a system. D. It ensures that unauthorized modifications are not made to data by authorized personnel or processes.
B. It ensures reliable and timely access to resources
NO.395 FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented? A. Level 2 B. Level 3 C. Level 5 D. Level 4 E. Level 1
B. Level 3
NO.363 Fred is the project manager of the CPS project. He is working with his project team to prioritize the identified risks within the CPS project. He and the team are prioritizing risks for further analysis or action by assessing and combining the risks probability of occurrence and impact.What process is Fred completing? A. Risk identification B. Perform qualitative analysis C. Perform quantitative analysis D. Risk Breakdown Structure creation
B. Perform qualitative analysis
NO.351 In which of the following DIACAP phases is residual risk analyzed? A. Phase 2 B. Phase 4 C. Phase 5 D. Phase 3 E. Phase 1
B. Phase 4
NO.362 Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the works in the project are very dangerous so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes into fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario considering the risk event? A. Project communications plan B. Project management plan C. Projectcontractual relationship with the vendor D. Project scope statement
B. Project management plan
NO.386 Which types of project tends to have more well-understood risks? A. State-of-art technologyprojects B. Recurrent projects C. Operational work projects D. First-of-its kind technology projects
B. Recurrent projects
NO.367 You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis? A. Information on prior, similar projects B. Review of vendor contracts to examine risks in past projects C. Risk databases that may be available from industry sources D. Studies of similar projects by risk specialists
B. Review of vendor contracts to examine risks in past projects
NO.391 Which one of the following is the only output for the qualitative risk analysis process? A. Project management plan B. Risk register updates C. Enterprise environmental factors D. Organizational process assets
B. Risk register updates
NO.338 You work as a project manager for BlueWell Inc. You are working with Nancy, the COO of your company, on several risks within the project. Nancy understands that through qualitative analysis you have identified 80 risks that have a low probability and low impact as the project is currently planned. Nancy's concern, however, is that the impact and probability of these risk events may change as conditions within the project may change. She would like to know where will you document and record these 80 risks that have low probability and low impact for future reference. What should you tell Nancy? A. Risk identification is an iterative process so any changes to the low probability and low impact risks will be reassessed throughout the project life cycle. B. Risks with low probability and low impact are recorded in a watchlist for future monitoring. C. All risks, regardless of their assessed impact and probability, are recorded in the risk log. D. All risks are recorded in the risk management plan
B. Risks with low probability and low impact are recorded in a watchlist for future monitoring.
NO.373 Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use? A. Mandatory Access Control B. Role-Based Access Control C. Discretionary Access Control D. Policy Access Control
B. Role-Based Access Control
NO.328 Which of the following is NOT an objective of the security program? A. Security organization B. Security plan C. Security education D. Information classification
B. Security plan
NO.383 Which of the following governance bodies provides management, operational and technical controls to satisfy security requirements? A. Chief Information Security Officer B. Senior Management C. Information Security Steering Committee D. Business Unit Manager
B. Senior Management
NO.310 Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian? A. The custodian implements the information classification scheme after the initial assignment by the operations manager. B. The data custodian implements the information classification scheme after the initial assignment by the data owner. C. The data owner implements the information classification scheme after the initial assignment by the custodian. D. The custodian makes the initialinformation classification assignments, and the operations manager implements the scheme.
B. The data custodian implements the information classification scheme after the initial assignment by the data owner.
NO.353 Adrian is the project manager of the NHP Project. In her project there are several work packages that deal with electrical wiring. Rather than to manage the risk internally she has decided to hire a vendor to complete all work packages that deal with the electrical wiring. By removing the risk internally to a licensed electrician Adrian feels more comfortable with project team being safe.What type of risk response has Adrian used in this example? A. Mitigation B. Transference C. Avoidance D. Acceptance
B. Transference
NO.364 Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. What are the different categories of penetration testing?Each correct answer represents a complete solution. Choose all that apply. A. Full-box B. Zero-knowledge test C. Full-knowledge test D. Open-box E. Partial-knowledge test F. Closed-box
B. Zero-knowledge test C. Full-knowledge test D. Open-box E. Partial-knowledge test F. Closed-box
NO.301 You are the program manager for your project. You are working with the project managers regarding the procurement processes for their projects. You have ruled out one particular contract type because it is considered too risky for the program. Which one of the following contract types is usually considered to be the most dangerous for the buyer? A. Cost plus incentive fee B. Time and materials C. Cost plus percentage of costs D. Fixed fee
C. Cost plus percentage of costs
NO.324 There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event? A. Enhance B. Exploit C. Acceptance D. Share
C. Acceptance
NO.320 Bill is the project manager of the JKH Project. He and the project team have identified a risk event in the project with a high probability of occurrence and the risk event has a high cost impact on the project. Bill discusses the risk event with Virginia, the primary project customer, and she decides that the requirements surrounding the risk event should be removed from the project. The removal of the requirements does affect the project scope, but it can release the project from the high risk exposure. What risk response has been enacted in this project? A. Acceptance B. Mitigation C. Avoidance D. Transference
C. Avoidance
NO.315 What course of action can be taken by a party if the current negotiations fail and an agreement cannot be reached? A. PON B. ZOPA C. BATNA D. Bias
C. BATNA ( Best alternative to a negotiated agreement )
NO.358 James work as an IT systems personnel in SoftTech Inc. He performs the following tasks: Runs regular backups and routine tests of the validity of the backup data.Performs data restoration from the backups whenever required.Maintains the retained records in accordance with the established information classification policy. What is the role played by James in the organization? A. Manager B. Owner C. Custodian D. User
C. Custodian
NO.352 Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production?Each correct answer represents a part of the solution. Choose all that apply. A. NIST B. FIPS C. FISMA D. Office of Management and Budget (OMB)
C. FISMA D. Office of Management and Budget (OMB)
NO.307 Which of the following individuals is responsible for the final accreditation decision? A. Certification Agent B. User Representative C. Information System Owner D. Risk Executive
C. Information System Owner
NO.309 Gary is the project manager for his organization. He is working with the project stakeholders on the project requirements and how risks may affect their project. One of the stakeholders is confused about what constitutes risks in the project. Which of the following is the most accurate definition of a project risk? A. It is an uncertain event that can affect the project costs. B. It is an uncertain event or condition within the project execution. C. It is an uncertain event that can affect at least one project objective. D. It is an unknown event that can affect the project scope.
C. It is an uncertain event that can affect at least one project objective.
NO.387 Which of the following statements is true about residual risks? A. It is a weakness or lack of safeguard that can be exploited by a threat. B. It can be considered as an indicator of threats coupled with vulnerability. C. It is the probabilistic risk after implementing all security measures. D. It is the probabilistic risk before implementing all security measures.
C. It is the probabilistic risk after implementing all security measures.
NO.304 Which of the following NIST documents defines impact? A. NIST SP 800-53 B. NIST SP 800-26 C. NIST SP 800-30 D. NIST SP 800-53A
C. NIST SP 800-30
NO.394 In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system? A. Full operational test B. Walk-through test C. Penetration test D. Paper test
C. Penetration test
NO.321 In which of the following DITSCAP phases is the SSAA developed? A. Phase 4 B. Phase 2 C. Phase 1 D. Phase 3
C. Phase 1
NO.368 Which of the following phases begins with a review of the SSAA in the DITSCAP accreditation? A. Phase 1 B. Phase 4 C. Phase 3 D. Phase 2
C. Phase 3
NO.381 Which one of the following is the only output for the qualitative risk analysis process? A. Enterprise environmental factors B. Project management plan C. Risk register updates D. Organizational process assets
C. Risk register updates
NO.341 Which of the following formulas was developed by FIPS 199 for categorization of an information system? A. SCinformation system = {(confidentiality, impact), (integrity, controls), (availability, risk)} B. SCinformation system = {(confidentiality, risk), (integrity, impact), (availability, controls)} C. SCinformation system = {(confidentiality, impact), (integrity, impact), (availability, impact)} D. SCinformation system = {(confidentiality, controls), (integrity, controls), (availability, controls )}
C. SCinformation system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
NO.378 You are the project manager of the HJK project for your organization. You and the project team have created risk responses for many of the risk events in the project. A teaming agreement is an example of what risk response? A. Acceptance B. Mitigation C. Sharing D. Transference
C. Sharing
NO.374 Amy is the project manager for her company. In her current project the organization has a very low tolerance for risk events that will affect the project schedule. Management has asked Amy to consider the affect of all the risks on the project schedule. What approach can Amy take to create a bias against risks that will affect the schedule of the project? A. She can have the project team pad their time estimates to alleviate delays in the project schedule. B. She can shift risk-laden activities that affect the project schedule from the critical path as much as possible. C. She can create an overall project rating scheme to reflect the bias towards risks that affect the project schedule. D. She can filter all risks based on their affect on schedule versus other project objectives.
C. She can create an overall project rating scheme to reflect the bias towards risks that affect the project schedule.
NO.340 You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. You will need all of the following as inputs to the qualitative risk analysis process except for which one? A. Risk management plan B. Risk register C. Stakeholder register D. Project scope statement
C. Stakeholder register
NO.330 There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event? A. Exploit B. Share C. Enhance D. Acceptance
D. Acceptance
NO.376 You are the project manager of the GHY Project for your company. You have completed the risk response planning with your project team. You now need to update the WBS. Why would the project manager need to update the WBS after the risk response planning process? Choose the best answer. A. Because of risks associated with work packages B. Because of work that was omitted during the WBS creation C. Because of risk responses that are now activities D. Because of new work generated by the risk responses
D. Because of new work generated by the risk responses
NO.371 Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process? A. Senior Agency Information Security Officer B. Authorizing Official C. Chief Information Officer D. Common Control Provider
D. Common Control Provider
NO.345 Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. Which of the following is violated in a shoulder surfing attack? A. Authenticity B. Integrity C. Availability D. Confidentiality
D. Confidentiality
NO.342 Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency, or state of affairs? A. Business continuity plan B. Continuity of Operations Plan C. Disaster recovery plan D. Contingency plan
D. Contingency plan
NO.335 James work as an IT systems personnel in SoftTech Inc. He performs the following tasks: Runs regular backups and routine tests of the validity of the backup data.Performs data restoration from the backups whenever required.Maintains the retained records in accordance with the established information classification policy. What is the role played by James in the organization? A. Manager B. User C. Owner D. Custodian
D. Custodian
NO.370 Which of the following groups represents the most likely source of an asset loss through the inappropriate use of computers? A. Hackers B. Visitors C. Customers D. Employees
D. Employees
NO.346 You and your project team are just starting the risk identification activities for a project that is scheduled to last for 18 months. Your project team has already identified a long list of risks that need to be analyzed. How often should you and the project team do risk identification? A. At least once per month B. Several times until the project moves into execution C. It depends on how many risks are initially identified. D. Identify risks is an iterative process.
D. Identify risks is an iterative process.
NO.306 Joan is a project management consultant and she has been hired by a firm to help them identify risk events within the project. Joan would first like to examine the project documents including the plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover risks within the review of the project documents? A. The project documents will help the project manager, or Joan, to identify what risk identification approach is best to pursue. B. Plans that have loose definitions of terms and disconnected approaches will reveal risks. C. Poorly written requirements will reveal inconsistencies in the project plans and documents. D. Lack of consistency between the plans and the project requirements and assumptions can be the indicators of risk in the project.
D. Lack of consistency between the plans and the project requirements and assumptions can be the indicators of risk in the project.
NO.318 Which of the following NIST documents defines impact? A. NIST SP 800-26 B. NIST SP 800-53A C. NIST SP 800-53 D. NIST SP 800-30
D. NIST SP 800-30
NO.343 Which of the following NIST documents includes components for penetration testing? A. NIST SP 800-53 B. NIST SP 800-26 C. NIST SP 800-37 D. NIST SP 800-30
D. NIST SP 800-30
NO.316 In which of the following phases does the SSAA maintenance take place? A. Phase 3 B. Phase 2 C. Phase 1 D. Phase 4
D. Phase 4
NO.344 An organization monitors the hard disks of its employees' computers from time to time. Which policy does this pertain to? A. Network security policy B. User password policy C. Backup policy D. Privacy policy
D. Privacy policy
NO.380 You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is? A. Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event. B. Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact. C. Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives. D. Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.
D. Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.
NO.393 Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred understands that once the quantitative risk analysis process is complete, the process will need to be completed again in at least two other times in the project. When will the quantitative risk analysis process need to be repeated? A. Quantitative risk analysisprocess will be completed again after the plan risk response planning and as part of procurement. B. Quantitative risk analysis process will be completed again after the cost managementplanning and as a part of monitoring and controlling. C. Quantitativerisk analysis process will be completed again after new risks are identified and as part of monitoring and controlling. D. Quantitative risk analysis process will be completed again after the risk response planning and as a part of monitoring and controlling.
D. Quantitative risk analysis process will be completed again after the risk response planning and as a part of monitoring and controlling.
NO.385 Which of the following relations correctly describes residual risk? A. Residual Risk = Threats x Vulnerability x Asset Gap x Control Gap B. Residual Risk = Threats x Exploit x Asset Value x Control Gap C. Residual Risk = Threats x Exploit x Asset Value x Control Gap D. Residual Risk = Threats x Vulnerability x Asset Value x Control Gap
D. Residual Risk = Threats x Vulnerability x Asset Value x Control Gap
NO.322 What project management plan is most likely to direct the quantitative risk analysis process for a project in a matrix environment? A. Staffing management plan B. Risk analysis plan C. Human resource management plan D. Risk management plan
D. Risk management plan
NO.388 You work as a project manager for BlueWell Inc. You are working with your team members on the risk responses in the project. Which risk response will likely cause a project to use the procurement processes? A. Acceptance B. Mitigation C. Exploiting D. Sharing
D. Sharing
NO.331 Jenny is the project manager for the NBT projects. She is working with the project team and several subject matter experts to perform the quantitative risk analysis process. During this process she and the project team uncover several risks events that were not previously identified.What should Jenny do with these risk events? A. The events should be determined if they need to be accepted or responded to. B. The events should be entered into qualitative risk analysis. C. The events should continue on with quantitative risk analysis. D. The events should be entered into the risk register.
D. The events should be entered into the risk register.
NO.339 A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this? A. Avoidance B. Mitigation C. Exploit D. Transference
D. Transference
NO.302 Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual? A. DoD 5200.22-M B. DoD 5200.1-R C. DoD 8910.1 D. DoDD 8000.1 E. DoD 7950.1-M
E. DoD 7950.1-M