395 CAP 19 questions
65 Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management activity? A . Stakeholder register B . Risk register C . Project scope statement D . Risk management plan
A
66 Which of the following roles is responsible for review and risk analysis of all contracts on a regular basis? A . The Supplier Manager B . The IT Service Continuity Manager C . The Service Catalogue Manager D . The Configuration Manager
A
100 Which of the following evidences are the collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity/person? A . Circumstantial B . Incontrovertible C . Direct D . Corroborating
A
28 Gary is the project manager of his organization. He is managing a project that is similar to a project his organization completed recently. Gary has decided that he will use the information from the past project to help him and the project team to identify the risks that may be present in the project. Management agrees that this checklist approach is ideal and will save time in the project. Which of the following statement is most accurate about the limitations of the checklist analysis approach for Gary? A . The checklist analysis approach is fast but it is impossible to build and exhaustive checklist. B . The checklist analysis approach only uses qualitative analysis. C . The checklist analysis approach saves time, but can cost more. D . The checklist is also known as top down risk assessment
A
37 Which of the following is an entry in an object's discretionary access control list (DACL) that grants permissions to a user or group? A . Access control entry (ACE) B . Discretionary access control entry (DACE) C . Access control list (ACL) D . Security Identifier (SID)
A
4 Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process? A . Information system owner B . Authorizing Official C . Chief Risk Officer (CRO) D . Chief Information Officer (CIO)
A
44 Risks with low ratings of probability and impact are included on a for future monitoring. A . Watchlist B . Risk alarm C . Observation list D . Risk register
A
59 Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media? A . RTM B . CRO C . DAA D . ATM
A
63 Which of the following RMF phases is known as risk analysis? A . Phase 2 B . Phase 1 C . Phase 0 D . Phase 3
A
64 Jenny is the project manager of the NHJ Project for her company. She has identified several positive risk events within the project and she thinks these events can save the project time and money. You, a new team member wants to know that how many risk responses are available for a positive risk event. What will Jenny reply to you? A . Four B . Seven C . Acceptance is the only risk response for positive risk events. D . Three
A
67 You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example? A . SWOT analysis B . Root cause analysis C . Assumptions analysis D . Influence diagramming techniques
A
78 You are the project manager for a construction project. The project includes a work that involves very high financial risks. You decide to insure processes so that any ill happening can be compensated. Which type of strategies have you used to deal with the risks involved with that particular work? A . Transfer B . Mitigate C . Accept D . Avoid
A
82 You are the project manager of the GHQ project for your company. You are working you're your project team to prepare for the qualitative risk analysis process. Mary, a project team member, does not understand why you need to complete qualitative risks analysis. You explain to Mary that qualitative risks analysis helps you determine which risks needs additional analysis. There are also some other benefits that qualitative risks analysis can do for the project. Which one of the following is NOT an accomplishment of the qualitative risk analysis process? A . Cost of the risk impact if the risk event occurs B . Corresponding impact on project objectives C . Time frame for a risk response D . Prioritization of identified risk events based on probability and impact
A
89 What component of the change management system is responsible for evaluating, testing, and documenting changes created to the project scope? A. Configuration Management System B. Project Management InformationSystem C . Scope Verification D . Integrated Change Control
A
93 Your organization has a project that is expected to last 20 months but the customer would really like the project completed in 18 months. You have worked on similar projects in the past and believe that you could fast track the project and reach the 18 month deadline. What increases when you fast track a project? A . Risks B . Costs C . Resources D . Communication
A
95 Tom is the project manager for his organization. In his project he has recently finished the risk response planning. He tells his manager that he will now need to update the cost and schedule baselines. Why would the risk response planning cause Tom the need to update the cost and schedule baselines? A. New or omitted work as part of a risk responsecan cause changes to the cost and/or schedule baseline. B . Risk responses protect the time and investment of the project. C . Baselines should not be updated, but refined through versions. D . Risk responses may take time and money to implement.
A
79 Which of the following are included in Administrative Controls? Each correct answer represents a complete solution. Choose all that apply. A . Conducting security-awareness training B . Screening of personnel C . Monitoring for intrusion D . Implementing change control procedures E . Developing policy
A,B,D,E
16 According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls. Which of the following are among the eight areas of IA defined by DoD? Each correct answer represents a complete solution. Choose all that apply. A . VI Vulnerability and Incident Management B . DC Security Design & Configuration C . EC Enclave and Computing Environment D . Information systems acquisition, development, and maintenance
A,B,C
72 Which of the following objectives are defined by integrity in the C.I.A triad of information security systems? Each correct answer represents a part of the solution. Choose three. A . It preservesthe internal and external consistency of information. B . It prevents the unauthorized or unintentional modification of information by the authorized users. C . It prevents the modification of information by the unauthorized users. D . It prevents the intentional or unintentional unauthorized disclosure of a message's contents .
A,B,C
17 DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP? Each correct answer represents a complete solution. Choose all that apply. A . Validation B . Re-Accreditation C . Verification D . System Definition E . Identification F . Accreditation
A,B,C,D
80 The Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply. A . Configuring refinement of the SSAA B . Assessment of the Analysis Results C . System development D . Certification analysis E . Registration
A,B,C,D
29 What are the subordinate tasks of the Initiate and Plan IA C&A phase of the DIACAP process? Each correct answer represents a complete solution. Choose all that apply. A . Develop DIACAP strategy. B . Assign IA controls. C . Assemble DIACAP team. D . Initiate IA implementation plan. E . Register system with DoD Component IA Program. F . Conduct validation activity.
A,B,C,D,E
45 Penetration testing (also called pen testing) is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. Which of the following areas can be exploited in a penetration test? Each correct answer represents a complete solution. Choose all that apply. A . Social engineering B . File and directory permissions C . Buffer overflows D . Kernel flaws E . Race conditions F . Information system architectures G . Trojan horses
A,B,C,D,E,G
84 Which of the following are the common roles with regard to data in an information classification program? Each correct answer represents a complete solution. Choose all that apply. A . Custodian B . User C . Security auditor D . Editor E . Owner
A,B,C,E
94 The IAM/CA makes certification accreditation recommendations to the DAA. The DAA issues accreditation determinations. Which of the following are the accreditation determinations issued by the DAA? Each correct answer represents a complete solution. Choose all that apply. A . IATO B . ATO C . IATT D . ATT E . DATO
A,B,C,E
12 System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of System Authorization Plan? Each correct answer represents a part of the solution. Choose all that apply. A . Post-Authorization B . Pre-certification C . Post-certification D . Certification E . Authorization
A,B,D,E
42 System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of System Authorization Plan? Each correct answer represents a part of the solution. Choose all that apply. A . Pre-certification B . Certification C . Post-certification D . Authorization E . Post-Authorization
A,B,D,E
68 Which of the following are included in Physical Controls? Each correct answer represents a complete solution. Choose all that apply. A . Locking systems and removing unnecessary floppy or CD-ROM drives B . Environmental controls C . Password and resource management D . Identification and authentication methods E . Monitoring for intrusion F . Controlling individual access into the facilityand different departments
A,B,E,F
2 The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer? Each correct answer represents a complete solution. Choose all that apply. A . Preserving high-level communications and working group relationships in an organization B . Facilitating the sharing of security risk-related information among authorizing officials C . Establishing effective continuous monitoring program for the organization D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan
A,C,D
3 The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply. A. An ISSE provides advice on the impacts of system changes. B. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A). C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A). D . An ISSO takes part in the development activities that are required to implement system changes. E . An ISSE provides advice on the continuous monitoring of the information system.
A,C,E
13 Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two. A. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system. B. Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system. C. Certification is the official management decision given by a senior agency official to authorize operation of an information system. D. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
A,D
26 Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual? A . DoDD 8000.1 B . DoD 7950.1-M C . DoD 5200.22-M D . DoD 8910.1 E . DoD 5200.1-R
B
32 In which type of access control do user ID and password system come under? A . Administrative B . Technical C . Power D . Physical
B
33 You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events? A . These risks can be accepted. B . These risks can be added to a low priority risk watch list. C . All risks must have a valid, documented risk response. D . These risks can be dismissed.
B
18 Which of the following is a subset discipline of Corporate Governance focused on information security systems and their performance and risk management? A . Lanham Act B . ISG C . Clinger-Cohen Act D . Computer Misuse Act
B
21 Where can a project manager find risk-rating rules? A . Risk probability and impact matrix B . Organizational process assets C . Enterprise environmental factors D . Risk management plan
B
35 Adrian is the project manager of the NHP Project. In her project there are several work packages that deal with electrical wiring. Rather than to manage the risk internally she has decided to hire a vendor to complete all work packages that deal with the electrical wiring. By removing the risk internally to a licensed electrician Adrian feels more comfortable with project team being safe. What type of risk response has Adrian used in this example? A . Mitigation B . Transference C . Avoidance D . Acceptance
B
38 You are the project manager for your organization. You have identified a risk event you're your organization could manage internally or externally. If you manage the event internally it will cost your project $578,000 and an additional $12,000 per month the solution is in use. A vendor can manage the risk event for you. The vendor will charge $550,000 and $14,500 per month that the solution is in use. How many months will you need to use the solution to pay for the internal solution in comparison to the vendor's solution? A . Approximately 13 months B . Approximately 11 months C . Approximately 15 months D . Approximately 8 months
B
40 Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of a chart is management asking you to create? A . Work breakdown structure B . Resource breakdown structure C . RACI chart D . Roles and responsibility matrix
B
41 You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis? A . Information on prior, similar projects B . Review of vendor contracts to examine risks in past projects C . Risk databases that may be available from industry sources D . Studies of similar projects by risk specialists
B
48 Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment? A . Phase 4 B . Phase 3 C . Phase 2 D . Phase 1
B
5 Which of the following assessment methodologies defines a six-step technical security evaluation? A . FITSAF B . FIPS 102 C . OCTAVE D . DITSCAP
B
51 In which of the following phases of the DITSCAP process does Security Test and Evaluation (ST&E) occur? A . Phase 2 B . Phase 3 C . Phase 1 D . Phase 4
B
55 You are the project manager of the NNH Project. In this project you have created a contingency response that the schedule performance index should be less than 0.93. The NHH Project has a budget at completion of $945,000 and is 45 percent complete though the project should be 49 percent complete. The project has spent $455,897 to reach the 45 percent complete milestone. What is the project's schedule performance index? A . 1.06 B . 0.92 C . -$37,800 D . 0.93
B
56 A Web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark's financial and personal details to another company. Which of the following Internet laws has the credit card issuing company violated? A . Security law B . Privacy law C . Copyright law D . Trademark law
B
60 Amy is the project manager for her company. In her current project the organization has a very low tolerance for risk events that will affect the project schedule. Management has asked Amy to consider the affect of all the risks on the project schedule. What approach can Amy take to create a bias against risks that will affect the schedule of the project? A. She can have the project team pad their time estimates to alleviate delays in the project schedule. B. She can create an overall project rating scheme to reflect the bias towards risks that affect the project schedule. C. She can filter all risks based on their affect on schedule versus other project objectives. D. She can shift risk-laden activities that affect the project schedule from the critical path as much as possible.
B
61 Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state? A . Procurement management B . Change management C . Risk management D . Configuration management
B
7 Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use? A . Mandatory Access Control B . Role-Based Access Control C . Discretionary Access Control D . Policy Access Control
B
70 Which one of the following is the only output for the qualitative risk analysis process? A . Project management plan B . Risk register updates C . Enterprise environmental factors D . Organizational process assets
B
73 You and your project team are just starting the risk identification activities for a project that is scheduled to last for 18 months. Your project team has already identified a long list of risks that need to be analyzed. How often should you and the project team do risk identification? A . At least once per month B . Identify risks is an iterative process. C . It depends on how many risks are initially identified. D . Several times until the project moves into execution
B
90 A project team member has just identified a new project risk. The risk event is determined to have significant impact but a low probability in the project. Should the risk event happen it'll cause the project to be delayed by three weeks, which will cause new risk in the project. What should the project manager do with the risk event? A . Add the identified risk to a quality control management control chart. B . Add the identified risk to the risk register. C . Add the identified risk to the issues log. D . Add the identified risk to the low-level risk watchlist.
B
92 Which of the following governance bodies provides management, operational and technical controls to satisfy security requirements? A . Chief Information Security Officer B . Senior Management C . Information Security Steering Committee D . Business Unit Manager
B
15 The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation? Each correct answer represents a complete solution. Choose all that apply. A . Secure accreditation B . Type accreditation C . System accreditation D . Site accreditation
B,C,D
27 The phase 3 of the Risk Management Framework (RMF) process is known as mitigation planning. Which of the following processes take place in phase 3? Each correct answer represents a complete solution. Choose all that apply. A . Identify threats, vulnerabilities, and controls that will be evaluated. B . Document and implement a mitigation plan. C . Agree on a strategy to mitigate risks. D . Evaluate mitigation progress and plan next assessment.
B,C,D
86 An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing Official? Each correct answer represents a complete solution. Choose all that apply. A . Establishing and implementing the organization's continuous monitoring program B . Determining the requirement of reauthorization and reauthorizing information systems when required C . Reviewing security status reports and critical security documents D . Ascertaining the security posture of the organization's information system
B,C,D
91 Which of the following concepts represent the three fundamental principles of information security? Each correct answer represents a complete solution. Choose three. A . Privacy B . Integrity C . Availability D . Confidentiality
B,C,D
30 Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. What are the different categories of risk? Each correct answer represents a complete solution. Choose all that apply. A . System interaction B . Human interaction C . Equipment malfunction D . Inside and outside attacks E . Social status F . Physical damage
B,C,D,E,F
1 Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process? A . Senior Agency Information Security Officer B . Authorizing Official C . Common Control Provider D . Chief Information Officer
C
10 FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented? A . Level 4 B . Level 1 C . Level 3 D . Level 5 E . Level 2
C
20 You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year. Management has asked you to identify the risk events and communicate the event's probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low-level of stakeholder tolerance in this project? A . Risk avoidance B . Mitigation-ready project management C . Risk utility function D . Risk-reward mentality
C
25 You are working as a project manager in your organization. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control? A . Quantitative risk analysis B . Qualitative risk analysis C . Requested changes D . Risk audits
C
34 Your project uses a piece of equipment that if the temperature of the machine goes above 450 degree Fahrenheit the machine will overheat and have to be shut down for 48 hours. Should this machine overheat even once it will delay the project's end date. You work with your project to create a response that should the temperature of the machine reach 430, the machine will be paused for at least an hour to cool it down. The temperature of 430 is called what? A . Risk identification B . Risk response C . Risk trigger D . Risk event
C
39 Which of the following refers to the ability to ensure that the data is not modified or tampered with? A . Confidentiality B . Availability C . Integrity D . Non-repudiation
C
46 Frank is the project manager of the NHH Project. He is working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document is Frank and the NHH Project team creating in this scenario? A . Project management plan B . Resource management plan C . Risk management plan D . Project plan
C
47 In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system? A . Full operational test B . Walk-through test C . Penetration test D . Paper test
C
50 Which of the following roles is also known as the accreditor? A . Chief Risk Officer B . Data owner C . Designated Approving Authority D . Chief Information Officer
C
57 Which of the following is a 1996 United States federal law, designed to improve the way the federal government acquires, uses, and disposes information technology? A . Computer Misuse Act B . Lanham Act C . Clinger-CohenAct D . Paperwork Reduction Act
C
71 You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process? A. You will use organizational process assets for risk databases that may be available from industry sources. B. You will use organizational process assets for studies of similar projects by risk specialists. C. You will use organizational process assets to determine costs of all risks events within thecurrent project. D. You will use organizational process assets for information from prior similar projects.
C
74 Eric is the project manager of the MTC project for his company. In this project a vendor has offered Eric a sizeable discount on all hardware if his order total for the project is more than $125,000. Right now, Eric is likely to spend $118,000 with vendor. If Eric spends $7,000 his cost savings for the project will be $12,500, but he cannot purchase hardware if he cannot implement the hardware immediately due to organizational policies. Eric consults with Amy and Allen, other project managers in the organization, and asks if she needs any hardware for their projects. Both Amy and Allen need hardware and they agree to purchase the hardware through Eric's relationship with the vendor. What positive risk response has happened in this instance? A . Transference B . Exploiting C . Sharing D . Enhancing
C
75 You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project? A . Seven B . Three C . Four D . One
C
76 Sam is the project manager of a construction project in south Florida. This area of the United States is prone to hurricanes during certain parts of the year. As part of the project plan Sam and the project team acknowledge the possibility of hurricanes and the damage the hurricane could have on the project's deliverables, the schedule of the project, and the overall cost of the project. Once Sam and the project stakeholders acknowledge the risk of the hurricane they go on planning the project as if the risk is not likely to happen. What type of risk response is Sam using? A . Mitigation B . Avoidance C . Passive acceptance D . Active acceptance
C
81 You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you're creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance? A . Sharing B . Avoidance C . Transference D . Exploiting
C
85 To help review or design security controls, they can be classified by several criteria. One of these criteria is based on nature. According to this criteria, which of the following controls consists of incident response processes, management oversight, security awareness, and training? A . Technical control B . Physical control C . Procedural control D . Compliance control
C
87 Jeff, a key stakeholder in your project, wants to know how the risk exposure for the risk events is calculated during quantitative risk analysis. He is worried about the risk exposure which is too low for the events surrounding his project requirements. How is the risk exposure calculated? A . The probability of a risk event plus the impact of a risk event determines the true risk expo sure. B . The risk exposure of a risk event is determined by historical information. C . The probability of a risk event times the impact of a risk event determines the true risk exposure. D . The probability and impact of a risk event are gauged based on research and in-depth analysis.
C
88 You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. You will need all of the following as inputs to the qualitative risk analysis process except for which one? A . Risk management plan B . Risk register C . Stakeholder register D . Project scope statement
C
9 James work as an IT systems personnel in SoftTech Inc. He performs the following tasks: Runs regular backups and routine tests of the validity of the backup data. Performs data restoration from the backups whenever required. Maintains the retained records in accordance with the established information classification policy. What is the role played by James in the organization? A . Manager B . Owner C . Custodian D . User
C
96 During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one? A . Risk rating B . Warning signs C . Cost of the project D . Symptoms
C
98 You work as the project manager for Bluewell Inc. You are working on NGQQ Projectyou're your company. You have completed the risk analysis processes for the risk events. You and the project team have created risk responses for most of the identified project risks. Which of the following risk response planning techniques will you use to shift the impact of a threat to a third party, together with the responses? A . Risk acceptance B . Risk avoidance C . Risk transference D . Risk mitigation
C
14 Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production? Each correct answer represents a part of the solution. Choose all that apply. A . NIST B . FIPS C . FISMA D . Office of Management and Budget (OMB)
C,D
6 DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP? Each correct answer represents a complete solution. Choose all that apply. A . Accreditation B . Identification C . System Definition D . Verification E . Validation F . Re-Accreditation
C,D,E,F
11 Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment? A . Definition, Validation, Verification, and Post Accreditation B . Verification, Definition, Validation, and Post Accreditation C . Verification, Validation, Definition, and Post Accreditation D . Definition, Verification, Validation, and Post Accreditation
D
19 Ben is the project manager of the YHT Project for his company. Alice, one of his team members, is confused about when project risks will happen in the project. Which one of the following statements is the most accurate about when project risk happens? A . Project risk can happen at any moment. B . Project risk is uncertain, so no one can predict when the event will happen. C . Project risk happens throughout the project execution. D . Project riskis always in the future.
D
22 There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to the perform quantitative risk analysis process? A . Risk register B . Cost management plan C . Risk management plan D . Enterprise environmental factors
D
23 Your project has several risks that may cause serious financial impact should they happen. You have studied the risk events and made some potential risk responses for the risk events but management wants you to do more. They'd like for you to create some type of a chart that identified the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart? A . Risk response plan B . Quantitative analysis C . Risk response D . Contingency reserve
D
24 Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process? A . Authorizing Official B . Chief Risk Officer (CRO) C . Chief Information Officer (CIO) D . Information system owner
D
31 Neil works as a project manager for SoftTech Inc. He is working with Tom, the COO of his company, on several risks within the project. Tom understands that through qualitative analysis Neil has identified many risks in the project. Tom's concern, however, is that the priority list of these risk events are sorted in "high-risk," "moderate-risk," and "low-risk" as conditions apply within the project. Tom wants to know that is there any other objective on which Neil can make the priority list for project risks. What will be Neil's reply to Tom? A . Risk may be listed by the responses inthe near-term B . Risks may be listed by categories C . Risks may be listed by the additional analysis and response D . Risks may be listed by priority separately for schedule, cost, and performance
D
36 James work as an IT systems personnel in SoftTech Inc. He performs the following tasks: Runs regular backups and routine tests of the validity of the backup data. Performs data restoration from the backups whenever required. Maintains the retained records in accordance with the established information classification policy. What is the role played by James in the organization? A . Manager B . User C . Owner D . Custodian
D
43 A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this? A . Avoidance B . Mitigation C . Exploit D . Transference
D
49 Which of the following techniques are used after a security breach and are intended to limit the extent of any damage caused by the incident? A . Safeguards B . Preventive controls C . Detective controls D . Corrective controls
D
52 You are the project manager of the NHH project for your company. You have completed the first round of risk management planning and have created four outputs of the risk response planning process. Which one of the following is NOT an output of the risk response planning? A . Risk-related contract decisions B . Project document updates C . Risk register updates D . Organizational process assets updates
D
53 Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing. Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request? A . Configuration management system B . Change log C . Scope change control system D . Integrated change control
D
54 Which of the following assessment methodologies defines a six-step technical security evaluation? A . OCTAVE B . FITSAF C . DITSCAP D . FIPS 102
D
58 Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis process when Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the following statements best defines what quantitative risk analysis will review? A. The quantitative risk analysis seeks to determine the true cost of each identified risk event and the probability of each risk event to determine the risk exposure. B. The quantitative risk analysis process will review risk events for their probability and impact on the project objectives. C. The quantitative risk analysis reviews the results of risk identification and prepares the project for risk response management. D. The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project's competing demands.
D
62 You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response? A . Project management plan B . Risk management plan C . Risk log D . Risk register
D
69 Which of the following NIST Special Publication documents provides a guideline on network security testing? A . NIST SP 800-60 B . NIST SP 800-53A C . NIST SP 800-37 D . NIST SP 800-42 E . NIST SP 800-59 F . NIST SP 800-53
D
77 Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred understands that once the quantitative risk analysis process is complete, the process will need to be completed again in at least two other times in the project. When will the quantitative risk analysis process need to be repeated? A. Quantitative risk analysisprocess will be completed again after the plan risk response planning and as part of procurement. B. Quantitative risk analysis process will be completed again after the cost managementplanning and as a part of monitoring and controlling. C. Quantitativerisk analysis process will be completed again after new risks are identified and as part of monitoring and controlling. D. Quantitative risk analysis process will be completed again after the risk response planning and as a part of monitoring and controlling.
D
8 Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems? A . FITSAF B . FIPS C . TCSEC D . SSAA
D
83 Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use? A . Discretionary Access Control B . Mandatory Access Control C . Policy Access Control D . Role-Based Access Control
D
97 You are the project manager of the NKQ project for your organization. You have completed the quantitative risk analysis process for this portion of the project. What is the only output of the quantitative risk analysis process? A . Probability of reaching project objectives B . Risk contingency reserve C . Risk response D . Risk register updates
D
99 You work as a project manager for BlueWell Inc. You are currently working with the project stakeholders to identify risks in your project. You understand that the qualitative risk assessment and analysis can reflect the attitude of the project team and other stakeholders to risk. Effective assessment of risk requires management of the risk attitudes of the participants. What should you, the project manager, do with assessment of identified risks in consideration of the attitude and bias of the participants towards the project risk? A . Document the bias for the risk events and communicate the bias with management B . Evaluate and document the bias towards the risk events C . Evaluate the bias through SWOT for true analysis of the risk events D . Evaluate the bias towards the risk events and correct the assessment accordingly
D