CAP Online Practice Questions and Answers

Questions 4

Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?

A. Definition, Validation, Verification, and Post Accreditation

B. Verification, Definition, Validation, and Post Accreditation

C. Verification, Validation, Definition, and Post Accreditation

D. Definition, Verification, Validation, and Post Accreditation

Questions 5

You are the project manager of the NKQ project for your organization. You have completed the quantitative risk analysis process for this portion of the project. What is the only output of the quantitative risk analysis process?

A. Probability of reaching project objectives

B. Risk contingency reserve

C. Risk response

D. Risk register updates

Questions 6

Which of the following formulas was developed by FIPS 199 for categorization of an information type?

A. SC information type = {(confidentiality, controls), (integrity, controls), (authentication, controls)}

B. SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

C. SC information type = {(confidentiality, risk), (integrity, risk), (availability, risk)}

D. SC information type = {(Authentication, impact), (integrity, impact), (availability, impact)}

Questions 7

Joan is a project management consultant and she has been hired by a firm to help them identify risk events within the project. Joan would first like to examine the project documents including the plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover risks within the review of the project documents?

A. The project documents will help the project manager, or Joan, to identify what risk identification approach is best to pursue.

B. Plans that have loose definitions of terms and disconnected approaches will reveal risks.

C. Poorly written requirements will reveal inconsistencies in the project plans and documents.

D. Lack of consistency between the plans and the project requirements and assumptions can be the indicators of risk in the project.

Questions 8

Adrian is a project manager for a new project using a technology that has recently been released and there's relatively little information about the technology. Initial testing of the technology makes the use of it look promising, but there's still uncertainty as to the longevity and reliability of the technology. Adrian wants to consider the technology factors a risk for her project. Where should she document the risks associated with this technology so she can track the risk status and responses?

A. Project charter

B. Risk register

C. Project scope statement

D. Risk low-level watch list

Questions 9

Your organization has named you the project manager of the JKN Project. This project has a BAC of $1,500,000 and it is expected to last 18 months. Management has agreed that if the schedule baseline has a variance of more than five percent then you will need to crash the project. What happens when the project manager crashes a project?

A. Project costs will increase.

B. The amount of hours a resource can be used will diminish.

C. The project will take longer to complete, but risks will diminish.

D. Project risks will increase.

Questions 10

Elizabeth is a project manager for her organization and she finds risk management to be very difficult for her to manage. She asks you, a lead project manager, at what stage in the project will risk management become easier. What answer best resolves the difficulty of risk management practices and the effort required?

A. Risk management only becomes easier the more often it is practiced.

B. Risk management is an iterative process and never becomes easier.

C. Risk management only becomes easier when the project moves into project execution.

D. Risk management only becomes easier when the project is closed.

Questions 11

Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?

A. The custodian implements the information classification scheme after the initial assignment by the operations manager.

B. The data custodian implements the information classification scheme after the initial assignment by the data owner.

C. The data owner implements the information classification scheme after the initial assignment by the custodian.

D. The custodian makes the initial information classification assignments, and the operations manager implements the scheme.

Questions 12

Which of the following C&A professionals plays the role of an advisor?

A. Information System Security Engineer (ISSE)

B. Chief Information Officer (CIO)

C. Authorizing Official

D. Information Owner

Questions 13

A ________ points to a statement in a policy or procedure that helps determine a course of action.

A. Comment

B. Guideline

C. Procedure

D. Baseline

Exam Code: CAP
Exam Name: CAP - Certified Authorization Professional
Last Update: Apr 22, 2024
Questions: 395