CAP v2

Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process? A. Senior Agency Information Security Officer B. Authorizing Official C. Common Control Provider D. Chief Information Officer

C. Common Control Provider

Which of the following RMF phases is known as risk analysis? A. Phase 2 B. Phase 1 C. Phase 0 D. Phase 3

Correct Answer: A

Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process? A. Information system owner B. Authorizing Official C. Chief Risk Officer (CRO) D. Chief Information Officer (CIO)

Correct Answer: A

Which of the following recovery plans includes a monitoring process and triggers for initiating planned actions? A. Contingency plan B. Business continuity plan C. Disaster recovery plan D. Continuity of Operations Plan

Correct Answer: A

Which of the following refers to a process that is used for implementing information security? A. Certification and Accreditation(C&A) B. Information Assurance (IA) C. Five Pillars model D. Classic information security model

Correct Answer: A

Which of the following relations correctly describes total risk? A. Total Risk = Threats x Vulnerability x Asset Value B. Total Risk = Viruses x Vulnerability x Asset Value C. Total Risk = Threats x Exploit x Asset Value D. Total Risk = Viruses x Exploit x Asset Value

Correct Answer: A

Which of the following risk responses delineates that the project plan will not be changed to deal with the risk? A. Acceptance B. Mitigation C. Exploitation D. Transference

Correct Answer: A

Which of the following roles is responsible for review and risk analysis of all contracts on a regular basis? A. The Supplier Manager B. The IT Service Continuity Manager C. The Service Catalogue Manager D. The Configuration Manager

Correct Answer: A

Which of the following statements about System Access Control List (SACL) is true? A. It contains a list of any events that are set to audit for that particular object. B. It is a mechanism for reducing the need for globally unique IP addresses. C. It contains a list of both users and groups and whatever permissions they have. D. It exists for each and every permission entry assigned to any object.

Correct Answer: A

Which of the following statements correctly describes DIACAP residual risk? A. It is the remaining risk to the information system after risk palliation has occurred. B. It is a process of security authorization. C. It is the technical implementation of the security design. D. It is used to validate the information system.

Correct Answer: A

You and your project team have identified the project risks and now are analyzing the probability and impact of the risks. What type of analysis of the risks provides a quick and high-level review of each identified risk event? A. Qualitative risk analysis B. Seven risk responses C. Quantitative risk analysis D. A risk probability-impact matrix

Correct Answer: A

You are responsible for network and information security at a metropolitan police station. The most important concern is that unauthorized parties are not able to access data. What is this called? A. Confidentiality B. Encryption C. Integrity D. Availability

Correct Answer: A

You are the project manager for a construction project. The project includes a work that involves very high financial risks. You decide to insure processes so that any ill happening can be compensated. Which type of strategies have you used to deal with the risks involved with that particular work? A. Transfer B. Mitigate C. Accept D. Avoid

Correct Answer: A

You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example? A. SWOT analysis B. Root cause analysis C. Assumptions analysis D. Influence diagramming techniques

Correct Answer: A

You are the project manager for your organization. You are working with your key stakeholders in the qualitative risk analysis process. You understand that there is certain bias towards the risk events in the project that you need to address, manage, and ideally reduce. What solution does the PMBOK recommend to reduce the influence of bias during qualitative risk analysis? A. Establish the definitions of the levels of probability and impact B. Isolate the stakeholders by project phases to determine their risk bias C. Involve all stakeholders to vote on the probability and impact of the risk events D. Provideiterations of risk analysis for true reflection of a risk probability and impact

Correct Answer: A

You are the project manager for your organization. You have determined that an activity is too dangerous to complete internally so you hire licensed contractor to complete the work. The contractor, however, may not complete the assigned work on time which could cause delays in subsequent work beginning. This is an example of what type of risk event? A. Secondary risk B. Transference C. Internal D. Pure risk

Correct Answer: A

You are the project manager of a large construction project. Part of the project involves the wiring of the electricity in the building your project is creating. You and the project team determine the electrical work is too dangerous to perform yourself so you hire an electrician to perform the work for the project. This is an example of what type of risk response? A. Transference B. Mitigation C. Avoidance D. Acceptance

Correct Answer: A

Which of the following roles is used to ensure that the confidentiality, integrity, and availability of the services are maintained to the levels approved on the Service Level Agreement (SLA)? A. The Change Manager B. The IT Security Manager C. The Service Level Manager D. The Configuration Manager

Correct Answer: B

You are the project manager of the BlueStar project in your company. Your company is structured as a functional organization and you report to the functional manager that you are ready to move onto the qualitative risk analysis process. What will you need as inputs for the qualitative risk analysis of the project in this scenario? A. You will need the risk register, risk management plan, project scope statement, and any relevant organizational process assets. B. You will need the risk register, risk management plan, outputs of qualitative risk analysis, and any relevant organizational process assets. C. You will need the risk register, risk management plan, permission from the functional manager, and any relevant organizational process assets. D. Qualitative risk analysis does not happen through the project manager in a functional struc ture.

Correct Answer: A

You are the project manager of the GHQ project for your company. You are working you're your project team to prepare for the qualitative risk analysis process. Mary, a project team member, does not understand why you need to complete qualitative risks analysis. You explain to Mary that qualitative risks analysis helps you determine which risks needs additional analysis. There are also some other benefits that qualitative risks analysis can do for the project. Which one of the following is NOT an accomplishment of the qualitative risk analysis process? A. Cost of the risk impact if the risk event occurs B. Corresponding impact on project objectives C. Time frame for a risk response D. Prioritization of identified risk events based on probability and impact

Correct Answer: A

You are the project manager of the GHY project for your organization. You are about to start the qualitative risk analysis process for the project and you need to determine the roles and responsibilities for conducting risk management. Where can you find this information? A. Risk management plan B. Enterprise environmental factors C. Staffing management plan D. Risk register

Correct Answer: A

You are the project manager of the NNQ Project for your company and are working you're your project team to define contingency plans for the risks within your project. Mary, one of your project team members, asks what a contingency plan is. Which of the following statements best defines what a contingency response is? A. Some responses are designed for use only if certain events occur. B. Some responses have a cost and a time factor to consider for each risk event. C. Some responses must counteract pending risk events. D. Quantified risks should always have contingency responses.

Correct Answer: A

You work as a project manager for BlueWell Inc. You are working on a project and the management wants a rapid and cost-effective means for establishing priorities for planning risk responses in your project. Which risk management process can satisfy management's objective for your project? A. Qualitative risk analysis B. Quantitative analysis C. Historical information D. Rolling wave planning

Correct Answer: A

You work as a project manager for TechSoft Inc. You are working with the project stakeholders onthe qualitative risk analysis process in your project. You have used all the tools to the qualitative risk analysis process in your project. Which of the following techniques is NOT used as a tool in qualitative risk analysis process? A. Risk Reassessment B. Risk Categorization C. Risk Urgency Assessment D. Risk Data Quality Assessment

Correct Answer: A

Your organization has a project that is expected to last 20 months but the customer would really like the project completed in 18 months. You have worked on similar projects in the past and believe that you could fast track the project and reach the 18 month deadline. What increases when you fast track a project? A. Risks B. Costs C. Resources D. Communication

Correct Answer: A

Your organization has named you the project manager of the JKN Project. This project has a BAC of $1,500,000 and it is expected to last 18 months. Management has agreed that if the schedule baseline has a variance of more than five percent then you will need to crash the project. What happens when the project manager crashes a project? A. Project costs will increase. B. The amount of hours a resource can be used will diminish. C. The projectwill take longer to complete, but risks will diminish. D. Project risks will increase.

Correct Answer: A

Your project team has identified a project risk that must be responded to. The risk has been recorded in the risk register and the project team has been discussing potential risk responses for the risk event. The event is not likely to happen for several months but the probability of the event is high. Which one of the following is a valid response to the identified risk event? A. Corrective action B. Technical performance measurement C. Risk audit D. Earned value management

Correct Answer: A

You are the project manager for TTP project. You are in the Identify Risks process. You have to create the risk register. Which of the following are included in the risk register? Each correct answer represents a complete solution. Choose two. A. List of potential responses B. List of identified risks C. List ofmitigation techniques D. List of key stakeholders

Correct Answer: AB

Which of the following statements reflect the 'Code of Ethics Canons' in the '(ISC)2 Code of Ethics'? Each correct answer represents a complete solution. Choose all that apply. A. Protect society, the commonwealth, and the infrastructure. B. Act honorably, honestly, justly, responsibly, and legally. C. Provide diligent and competent service to principals. D. Give guidance for resolving good versus good and bad versus baddilemmas.

Correct Answer: ABC

Which of the following RMF phases identifies key threats and vulnerabilities that could compromise the confidentiality, integrity, and availability of the institutional critical assets? A. Phase 2 B. Phase 1 C. Phase 3 D. Phase 0

Correct Answer: B

Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state? A. Procurement management B. Change management C. Risk management D. Configuration management

Correct Answer: B

Which of the following processes is described in the statement below? "This is the process of numerically analyzing the effect of identified risks on overall project objectives." A. Identify Risks B. Perform Quantitative Risk Analysis C. Perform Qualitative Risk Analysis D. Monitor and Control Risks

Correct Answer: B

Which of the following processes provides a standard set of activities, general tasks, and a management structure to certify and accredit systems, which maintain the information assurance and the security posture of a system or site? A. DITSCAP B. NIACAP C. NSA-IAM D. ASSET

Correct Answer: B

Which of the following statements about role-based access control (RBAC) model is true? A. In this model, the permissions are uniquely assigned to each user account. B. In this model, a user can access resources according to his role in the organization. C. In this model, the same permission is assigned to each user account. D. In this model, the users canaccess resources according to their seniority.

Correct Answer: B

Which of the following statements about the availability concept of Information security management is true? A. It ensures that modifications are not made to data by unauthorized personnel or processes . B. It ensures reliable and timely access to resources. C. It determines actions and behaviors of a single individual within a system. D. It ensures that unauthorized modifications are not made to data by authorized personnel or processes.

Correct Answer: B

Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian? A. The custodian implements the information classification scheme after the initial assignment by the operations manager. B. The datacustodian implements the information classification scheme after the initial assignment by the data owner. C. The data owner implements the information classification scheme after the initial assignment by the custodian. D. The custodian makes the initialinformation classification assignments, and the operations manager implements the scheme.

Correct Answer: B

Which of the following system security policies is used to address specific issues of concern to the organization? A. Program policy B. Issue-specific policy C. Informative policy D. System-specific policy

Correct Answer: B

Which one of the following is the only output for the qualitative risk analysis process? A. Project management plan B. Risk register updates C. Enterprise environmental factors D. Organizational process assets

Correct Answer: B

Which types of project tends to have more well-understood risks? A. State-of-art technologyprojects B. Recurrent projects C. Operational work projects D. First-of-its kind technology projects

Correct Answer: B

You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events? A. These risks can be accepted. B. These risks can be added to a low priority risk watch list. C. All risks must have a valid, documented risk response. D. These risks can be dismissed.

Correct Answer: B

You and your project team are just starting the risk identification activities for a project that is scheduled to last for 18 months. Your project team has already identified a long list of risks that need to be analyzed. How often should you and the project team do risk identification? A. At least once per month B. Identify risks is an iterative process. C. It depends on how many risks are initially identified. D. Several times until the project moves into execution

Correct Answer: B

You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis? A. Information on prior, similar projects B. Review of vendor contracts to examine risks in past projects C. Risk databases that may be available from industry sources D. Studies of similar projects by risk specialists

Correct Answer: B

You are the project manager for your organization. You have identified a risk event you're your organization could manage internally or externally. If you manage the event internally it will cost your project $578,000 and an additional $12,000 per month the solution is in use. A vendor can manage the risk event for you. The vendor will charge $550,000 and $14,500 per month that the solution is in use. How many months will you need to use the solution to pay for the internal solution in comparison to the vendor's solution? A. Approximately 13 months B. Approximately 11 months C. Approximately 15 months D. Approximately 8 months

Correct Answer: B

You are the project manager of QSL project for your organization. You are working you're your project team and several key stakeholders to create a diagram that shows how various elements of a system interrelate and the mechanism of causation within the system. What diagramming technique are you using as a part of the risk identification process? A. Cause and effect diagrams B. System or process flowcharts C. Predecessor and successor diagramming D. Influence diagrams

Correct Answer: B

You are the project manager of the CUL project in your organization. You and the project team are assessing the risk events and creating a probability and impact matrix for the identified risks. Which one of the following statements best describes the requirements for the data type used in qualitative risk analysis? A. A qualitative risk analysis requires fast and simple data to complete the analysis. B. A qualitative risk analysis requires accurate and unbiased data if it is to be credible. C. A qualitative risk analysis required unbiased stakeholders with biased risk tolerances. D. A qualitative risk analysis encourages biased data to reveal risk tolerances.

Correct Answer: B

You are the project manager of the GGG project. You have completed the risk identification process for the initial phases of your project. As you begin to document the risk events in the risk register what additional information can you associate with the identified risk events? A. Risk schedule B. Risk potential responses C. Risk cost D. Risk owner

Correct Answer: B

You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process? A. Cost management plan B. Procurement management plan C. Stakeholder register D. Quality management plan

Correct Answer: B

You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. You will need all of the following as inputs to the qualitative risk analysis process except for which one? A. Risk management plan B. Risk register C. Stakeholder register D. Project scope statement

Correct Answer: C

You work as a project manager for BlueWell Inc. Management has asked you to work with the key project stakeholder to analyze the risk events you have identified in the project. They would like you to analyze the project risks with a goal of improving the project's performance as a whole. What approach can you use to achieve the goal of improving the project's performance through risk analysis with your project stakeholders? A. Involve subject matter experts in the risk analysis activities B. Focus on the high-priority risks through qualitative risk analysis C. Use qualitative risk analysis to quickly assess the probability and impact of risk events D. Involve the stakeholders for risk identification only in the phases where the project directlyaffects them

Correct Answer: B

You work as a project manager for BlueWell Inc. You are working with Nancy, the COO of your company, on several risks within the project. Nancy understands that through qualitative analysis you have identified 80 risks that have a low probability and low impact as the project is currently planned. Nancy's concern, however, is that the impact and probability of these risk events may change as conditions within the project may change. She would like to know where will you document and record these 80 risks that have low probability and low impact for future reference. What should you tell Nancy? A. Risk identification is an iterative process so any changes to the low probability and low impact risks will be reassessed throughout the project life cycle. B. Risks with low probability and low impact are recorded in a watchlist for future monitoring. C. All risks, regardless of their assessed impact and probability, are recorded in the risk log. D. All risks are recorded in the risk management plan

Correct Answer: B

You work as a project manager for BlueWell Inc. You with your team are using a method or a (technical) process that conceives the risks even if all theoretically possible safety measures would be applied. One of your team member wants to know that what is a residual risk. What will you reply to your team member? A. It is a risk that remains because no risk response is taken. B. It is a risk that remains after planned risk responses are taken. C. It is a risk that can not be addressed by a risk response. D. It is a risk that will remain no matter what type of risk response is offered.

Correct Answer: B

You work as a project manager for BlueWell Inc. Your project is running late and you must respond to the risk. Which risk response can you choose that will also cause you to update the human resource management plan? A. Teamingagreements B. Crashing the project C. Transference D. Fast tracking the project

Correct Answer: B

You work as a project manager for TechSoft Inc. You, the project team, and the key project stakeholders have completed a round of quantitative risk analysis. You now need to update the risk register with your findings so that you can communicate the risk results to the project stakeholders - including management. You will need to update all of the following information except for which one? A. Probability of achieving cost and time objectives B. Risk distributions within the project schedule C. Probabilistic analysis of the project D. Trends in quantitative risk analysis

Correct Answer: B

You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase? A. Human resource needs B. Risks C. Costs D. Quality control concerns

Correct Answer: B

Which of the following statements are true about security risks? Each correct answer represents a complete solution. Choose three. A. They can be removed completely by taking proper actions. B. They can be analyzed and measured by the risk analysis process. C. They can be mitigated by reviewing and taking responsible actions based on possible risks. D. They are considered an indicator of threats coupled with vulnerability.

Correct Answer: BCD

Which of the following tasks are identified by the Plan of Action and Milestones document? Each correct answer represents a complete solution. Choose all that apply. A. The plans that need to be implemented B. The resources needed to accomplish the elements of the plan C. Any milestones that are needed in meeting the tasks D. The tasks that are required to be accomplished E. Scheduled completion dates for the milestones

Correct Answer: BCDE

Which of the following processes is described in the statement below? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project." A. Perform Quantitative Risk Analysis B. Perform Qualitative Risk Analysis C. Monitor and Control Risks D. Identify Risks

Correct Answer: C

Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process? A. Senior Agency Information Security Officer B. Authorizing Official C. Common Control Provider D. Chief Information Officer

Correct Answer: C

Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency, or state of affairs? A. Continuity of Operations Plan B. Disaster recovery plan C. Contingency plan D. Business continuity plan

Correct Answer: C

Which of the following refers to the ability to ensure that the data is not modified or tampered with? A. Confidentiality B. Availability C. Integrity D. Non-repudiation

Correct Answer: C

Which of the following roles is also known as the accreditor? A. Chief Risk Officer B. Data owner C. Designated Approving Authority D. Chief Information Officer

Correct Answer: C

Which of the following statements about the authentication concept of information security management is true? A. It determines the actions and behaviors of a single individual within a system, and identifies that particular individual. B. It ensures that modifications are not made to data by unauthorized personnel or processes . C. It establishes the users' identity and ensures that the users are who they say they are. D. It ensures the reliable and timely access to resources.

Correct Answer: C

Which of the following statements is true about residual risks? A. It is a weakness or lack of safeguard that can be exploited by a threat. B. It can be considered as an indicator of threats coupled with vulnerability. C. It is the probabilistic risk after implementing all security measures. D. It is the probabilistic risk before implementing all security measures.

Correct Answer: C

You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process? A. The project's cost management plan can help you to determine what the total cost of the project is allowed to be. B. The project's cost management plan provides direction on how costs may be changed due to identified risks. C. The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget. D. The project's cost management plan is not an input to the quantitative risk analysis process .

Correct Answer: C

You are the program manager for your project. You are working with the project managers regarding the procurement processes for their projects. You have ruled out one particular contract type because it is considered too risky for the program. Which one of the following contract types is usually considered to be the most dangerous for the buyer? A. Cost plus incentive fee B. Time and materials C. Cost plus percentage of costs D. Fixed fee

Correct Answer: C

You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you're creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance? A. Sharing B. Avoidance C. Transference D. Exploiting

Correct Answer: C

You are the project manager for a construction project. The project involves casting of a column in a very narrow space. Because of lack of space, casting it is highly dangerous. High technical skill will be required for casting that column. You decide to hire a local expert team for casting that column. Which of the following types of risk response are you following? A. Mitigation 2 B. Avoidance C. Transference D. Acceptance

Correct Answer: C

You are the project manager for your organization. You are working with your project team to complete the qualitative risk analysis process. The first tool and technique you are using requires that you assess the probability and what other characteristic of each identified risk in the project? A. Risk owner B. Risk category C. Impact D. Cost

Correct Answer: C

You are the project manager of the GGH Project in your company. Your company is structured as a functional organization and you report to the functional manager that you are ready to move onto the quantitative risk analysis process. What things will you need as inputs for the quantitative risk analysis of the project in this scenario? A. You will need the risk register, risk management plan, permission from the functional manager, and any relevant organizational process assets. B. You will need the risk register, risk management plan, outputs of qualitative risk analysis, and any relevant organizational process assets. C. You will need the risk register, risk management plan, cost management plan, schedule management plan, and any relevant organizational process assets. D. Quantitative risk analysis does not happen through the project manager in a functional stru cture.

Correct Answer: C

You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process? A. You will use organizational process assets for risk databases that may be available from industry sources. B. You will use organizational process assets for studies of similar projects by risk specialists. C. You will use organizational process assets to determine costs of all risks events within thecurrent project. D. You will use organizational process assets for information from prior similar projects.

Correct Answer: C

You are the project manager of the HJK Project for your organization. You and the project team have created risk responses for many of the risk events in the project. Where should you document the proposed responses and the current status of all identified risks? A. Risk management plan B. Stakeholder management strategy C. Risk register D. Lessons learned documentation

Correct Answer: C

You are the project manager of the HJK project for your organization. You and the project team have created risk responses for many of the risk events in the project. A teaming agreement is an example of what risk response? A. Acceptance B. Mitigation C. Sharing D. Transference

Correct Answer: C

You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year. Management has asked you to identify the risk events and communicate the event's probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low-level of stakeholder tolerance in this project? A. Risk avoidance B. Mitigation-ready project management C. Risk utility function D. Risk-reward mentality

Correct Answer: C

You are working as a project manager in your organization. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control? A. Quantitative risk analysis B. Qualitative risk analysis C. Requested changes D. Risk audits

Correct Answer: C

You work as a project manager for BlueWell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decided, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project which of the following are likely to increase? A. Quality control concerns B. Costs C. Risks D. Human resource needs

Correct Answer: C

You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project? A. Seven B. Three C. Four D. One

Correct Answer: C

You work as the project manager for Bluewell Inc. You are working on NGQQ Projectyou're your company. You have completed the risk analysis processes for the risk events. You and the project team have created risk responses for most of the identified project risks. Which of the following risk response planning techniques will you use to shift the impact of a threat to a third party, together with the responses? A. Risk acceptance B. Risk avoidance C. Risk transference D. Risk mitigation

Correct Answer: C

Your project uses a piece of equipment that if the temperature of the machine goes above 450 degree Fahrenheit the machine will overheat and have to be shut down for 48 hours. Should this machine overheat even once it will delay the project's end date. You work with your project to create a response that should the temperature of the machine reach 430, the machine will be paused for at least an hour to cool it down. The temperature of 430 is called what? A. Risk identification B. Risk response C. Risk trigger D. Risk event

Correct Answer: C

Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production? Each correct answer represents a part of the solution. Choose all that apply. A. NIST B. FIPS C. FISMA D. Office of Management and Budget (OMB)

Correct Answer: CD

Which of the following processes is used to protect the data based on its secrecy, sensitivity, or confidentiality? A. Change Control B. Data Hiding C. Configuration Management D. Data Classification

Correct Answer: D

Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems? A. FITSAF B. FIPS C. TCSEC D. SSAA

Correct Answer: D

Which of the following relations correctly describes residual risk? A. Residual Risk = Threats x Vulnerability x Asset Gap x Control Gap B. Residual Risk = Threats x Exploit x Asset Value x Control Gap C. Residual Risk = Threats x Exploit x Asset Value x Control Gap D. Residual Risk = Threats x Vulnerability x Asset Value x Control Gap

Correct Answer: D

Which of the following statements about Discretionary Access Control List (DACL) is true? A. It is a rule list containing access control entries. B. It specifies whether an audit activity should be performed when an object attempts to access a resource. C. It is a unique number that identifies a user, group,and computer account. D. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.

Correct Answer: D

Which of the following statements is true about the continuous monitoring process? A. It takes place in the middle of system security accreditation. B. It takes place before and after system security accreditation. C. It takes place before the initial system security accreditation. D. It takes place after the initial system security accreditation.

Correct Answer: D

Which of the following techniques are used after a security breach and are intended to limit the extent of any damage caused by the incident? A. Safeguards B. Preventive controls C. Detective controls D. Corrective controls

Correct Answer: D

Which of the following terms related to risk management represents the estimated frequency at which a threat is expected to occur? A. Safeguard B. Single Loss Expectancy (SLE) C. Exposure Factor (EF) D. Annualized Rate of Occurrence (ARO)

Correct Answer: D

Who is responsible for the stakeholder expectations management in a high-profile, high-risk project? A. Project management office B. Project sponsor C. Project risk assessment officer D. Project manager

Correct Answer: D

You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response? A. Project management plan B. Risk management plan C. Risk log D. Risk register

Correct Answer: D

You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is? A. Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event. B. Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact. C. Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives. D. Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. 0

Correct Answer: D

You are the project manager of the GHY Project for your company. You have completed the risk response planning with your project team. You now need to update the WBS. Why would the project manager need to update the WBS after the risk response planning process? Choose the best answer. A. Because of risks associated with work packages B. Because of work that was omitted during the WBS creation C. Because of risk responses that are now activities D. Because of new work generated by the risk responses

Correct Answer: D

You are the project manager of the NHH project for your company. You have completed the first round of risk management planning and have created four outputs of the risk response planning process. Which one of the following is NOT an output of the risk response planning? A. Risk-related contract decisions B. Project document updates C. Risk register updates D. Organizational process assets updates

Correct Answer: D

You are the project manager of the NKQ project for your organization. You have completed the quantitative risk analysis process for this portion of the project. What is the only output of the quantitative risk analysis process? A. Probability of reaching project objectives B. Risk contingency reserve C. Risk response D. Risk register updates

Correct Answer: D

You are the project manager of the NNN project for your company. You and the project team are working together to plan the risk responses for the project. You feel that the team has successfully completed the risk response planning and now you must initiate what risk process it is. Which of the following risk processes is repeated after the plan risk responses to determine if the overall project risk has been satisfactorily decreased? A. Risk identification B. Qualitative risk analysis C. Risk response implementation D. Quantitative risk analysis

Correct Answer: D

You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process? A. Quantitative risk analysis andmodeling techniques B. Data gathering and representation techniques C. Expert judgment D. Organizational process assets

Correct Answer: D

You work as a project manager for BlueWell Inc. You are currently working with the project stakeholders to identify risks in your project. You understand that the qualitative risk assessment and analysis can reflect the attitude of the project team and other stakeholders to risk. Effective assessment of risk requires management of the risk attitudes of the participants. What should you, the project manager, do with assessment of identified risks in consideration of the attitude and bias of the participants towards the project risk? A. Document the bias for the risk events and communicate the bias with management B. Evaluate and document the bias towards the risk events C. Evaluate the bias through SWOT for true analysis of the risk events D. Evaluate the bias towards the risk events and correct the assessment accordingly

Correct Answer: D

You work as a project manager for BlueWell Inc. You are working with your team members on the risk responses in the project. Which risk response will likely cause a project to use the procurement processes? A. Acceptance B. Mitigation C. Exploiting D. Sharing

Correct Answer: D

Your project has several risks that may cause serious financial impact should they happen. You have studied the risk events and made some potential risk responses for the risk events but management wants you to do more. They'd like for you to create some type of a chart that identified the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart? A. Risk response plan B. Quantitative analysis C. Risk response D. Contingency reserve

Correct Answer: D

Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profityou're your organization seizes this opportunity it would be an example of what risk response? A. Opportunistic B. Positive C. Enhancing D. Exploiting

Correct Answer: D