ISC-2 CAP Exam Questions and Correct Answers
Certification and Accreditation (C&A or CnA) is a process for implementing
information security.
Which of the following is the correct order of C&A phases in a DITSCAP assessment?
- ANSWER D. Definition, Verification, Validation, and Post Accreditation
Certification and Accreditation (C&A or CnA) is a process for implementing information
security. It is a systematic procedure for evaluating, describing, testing, and authorizing
systems prior to or after a system is in operation. Which of the following statements are
true about Certification and
Accreditation?
Each correct answer represents a complete solution. Choose two. - ANSWER A.
Accreditation is the official management decision given by a senior agency official to
authorize operation of an information system.
D. Certification is a comprehensive assessment of the management, operational,
and technical security controls in an information system.
Which of the following requires all general support systems and major applications to
be fully certified and accredited before these systems and applications are put into
production?
Each correct answer represents a part of the solution. Choose all that apply. - ANSWER
C. FISMA
D. Office of Management and Budget (OMB)
The National Information Assurance Certification and Accreditation Process (NIACAP)
is the minimum standard process for the certification and accreditation of computer
and telecommunications systems that handle U.S. national security information. What
are the different types of NIACAP accreditation?
Each correct answer represents a complete solution. Choose all that apply. - ANSWER
B. Type accreditation
C. System accreditation
D. Site accreditation
According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight
Information Assurance (IA) areas, and the controls are referred to as IA controls.
Which of the following are among the eight areas of IA defined by DoD?
Each correct answer represents a complete solution. Choose all that apply. - ANSWER A.
VI Vulnerability and Incident Management
B. DC Security Design & Configuration
C. EC Enclave and Computing Environment
DIACAP applies to the acquisition, operation, and sustainment of any DoD system
that collects, stores, transmits, or processes unclassified or classified
information since December 1997. What phases are identified by DIACAP?
Each correct answer represents a complete solution. Choose all that apply. - ANSWER A.
Validation
B. Re-Accreditation
C. Verification
D. System Definition
Which of the following is a subset discipline of Corporate Governance focused on
information security systems and their performance and risk management? -
ANSWER B. ISG
Ben is the project manager of the YHT Project for his company. Alice, one of his team
members, is confused about when project risks will happen in the project. Which one
of the following statements is the most accurate about when project risk happens? -
ANSWER D. Project risk is always in the future.
You are the project manager of the NKJ Project for your company. The project's
success or failure will have a significant impact on your organization's profitability for
the coming year. Management has asked you to identify the risk events and
communicate the event's probability and impact as early as possible in the project.
Management wants to avoid risk events and needs to analyze the cost-benefits of each
risk event in this project.
What term is assigned to the low level of stakeholder tolerance in this project? -
ANSWER C. Risk utility function
Where can a project manager find risk-rating rules? - ANSWER B. Organizational process
assets
There are five inputs to the quantitative risk analysis process.
Which one of the following is NOT an input to the perform quantitative risk
analysis process? - ANSWER D. Enterprise environmental factors
Your project has several risks that may cause serious financial impact should they
happen. You have studied the risk events and prepared some potential risk responses
for the risk events, but management wants you to do more. They'd like you to
create a chart that identifies the risk probability and impact, with a
financial amount for each risk event.
What is the likely outcome of creating this type of chart? - ANSWER D. Contingency
reserve
Which of the following professionals is responsible for starting the Certification
& Accreditation (C&A) process? - ANSWER D. Information system owner
You are working as a project manager in your organization. You are nearing the final
stages of project execution and looking towards the final risk monitoring and
controlling activities.
For your project archives, which one of the following is an output of risk monitoring and
control? - ANSWER C. Requested changes
Which of the following DoD directives is referred to as the Defense
Automation Resources Management Manual? - ANSWER B. DoD 7950.1-M
Phase 3 of the Risk Management Framework (RMF) process is known as
mitigation planning.
Which of the following processes take place in phase 3?
Each correct answer represents a complete solution. Choose all that apply. - ANSWER B.
Document and implement a mitigation plan.
C. Agree on a strategy to mitigate risks.