Which of the following assessment methodologies defines a six-step technical security evaluation?
A. FITSAF
B. FIPS 102
C. OCTAVE
D. DITSCAP
Gary is the project manager of his organization. He is managing a project that is similar to a project his organization completed recently. Gary has decided that he will use the information from the past project to help him and the project team to identify the risks that may be present in the project. Management agrees that this checklist approach is ideal and will save time in the project. Which of the following statements is most accurate about the limitations of the checklist analysis approach for Gary?
A. The checklist analysis approach is fast, but it is impossible to build an exhaustive checklist.
B. The checklist analysis approach only uses qualitative analysis.
C. The checklist analysis approach saves time, but can cost more.
D. The checklist is also known as top-down risk assessment.
Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing. Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request?
A. Configuration management system
B. Change log
C. Scope change control system
D. Integrated change control
FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?
A. Level 2
B. Level 3
C. Level 5
D. Level 4
E. Level 1
You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?
A. Risk register
B. Risk log
C. Risk management plan
D. Project management plan
Which of the following documents is used to provide a standard approach to the assessment of NIST SP 800-53 security controls?
A. NIST SP 800-37
B. NIST SP 800-41
C. NIST SP 800-53A
D. NIST SP 800-66
Which of the following refers to a process that is used for implementing information security?
A. Certification and Accreditation (C&A)
B. Information Assurance (IA)
C. Five Pillars model
D. Classic information security model
Which of the following is not a part of the Identify Risks process?
A. Decision tree diagram
B. Cause and effect diagram
C. Influence diagram
D. System or process flow chart
Which of the following individuals is responsible for configuration management and control tasks?
A. Common control provider
B. Information system owner
C. Authorizing official
D. Chief information officer
Which one of the following is the only output for the qualitative risk analysis process?
A. Enterprise environmental factors
B. Project management plan
C. Risk register updates
D. Organizational process assets