
[Sep-2021] CAP Dumps Full Questions - ISC Certification Exam Study Guide
Exam Questions and Answers for CAP Study Guide
NEW QUESTION 145
In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199.
What levels of potential impact are defined by FIPS 199?
Each correct answer represents a complete solution. Choose all that apply.
- A. Medium
- B. High
- C. Low
- D. Moderate
Answer: A,B,C
Explanation:
Section: Volume D
NEW QUESTION 146
In which of the following elements of security does the object retain its veracity and get modified only intentionally by authorized subjects?
- A. Availability
- B. Integrity
- C. Nonrepudiation
- D. Confidentiality
Answer: B
NEW QUESTION 147
Which of the following assessment methods is used to review, inspect, and analyze assessment objects?
- A. Examination
- B. Debugging
- C. Interview
- D. Testing
Answer: A
NEW QUESTION 148
Which of the following are the common roles with regard to data in an information classification program?
Each correct answer represents a complete solution. Choose all that apply.
- A. Owner
- B. Editor
- C. Custodian
- D. Security auditor
- E. User
Answer: A,C,D,E
Explanation:
Section: Volume A
NEW QUESTION 149
Phase 4 of the DITSCAP C&A process is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. What are the process activities of this phase?
Each correct answer represents a complete solution. Choose all that apply.
- A. Compliance validation
- B. Security operations
- C. Change management
- D. Continue to review and refine the SSAA
- E. System operations
- F. Maintenance of the SSAA
Answer: A,B,C,E,F
NEW QUESTION 150
Which of the following assessment methodologies defines a six-step technical security evaluation?
- A. FITSAF
- B. DITSCAP
- C. FIPS 102
- D. OCTAVE
Answer: C
NEW QUESTION 151
Which of the following RMF phases identifies key threats and vulnerabilities that could compromise the confidentiality, integrity, and availability of the institutional critical assets?
- A. Phase 1
- B. Phase 0
- C. Phase 3
- D. Phase 2
Answer: A
Explanation:
Section: Volume D
NEW QUESTION 152
Which of the following individuals makes the final accreditation decision?
- A. CRO
- B. DAA
- C. ISSE
- D. ISSO
Answer: B
Explanation:
Section: Volume C
NEW QUESTION 153
Which of the following types of evidence is a collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity or person?
- A. Direct
- B. Incontrovertible
- C. Corroborating
- D. Circumstantial
Answer: D
NEW QUESTION 154
David is the project manager of HGF project for his company. David, the project team, and several key stakeholders have completed risk identification and are ready to move into qualitative risk analysis. Tracy, a project team member, does not understand why they need to complete qualitative risk analysis. Which one of the following is the best explanation for completing qualitative risk analysis?
- A. It is a rapid and cost-effective means of establishing priorities for the plan risk responses and lays the foundation for quantitative analysis.
- B. Qualitative risk analysis helps segment the project risks, create a risk breakdown structure, and create fast and accurate risk responses.
- C. All risks must pass through quantitative risk analysis before qualitative risk analysis.
- D. It is a cost-effective means of establishing probability and impact for the project risks.
Answer: A
NEW QUESTION 155
Phase 3 of the Risk Management Framework (RMF) process is known as mitigation planning.
Which of the following processes take place in phase 3?
Each correct answer represents a complete solution. Choose all that apply.
- A. Agree on a strategy to mitigate risks.
- B. Evaluate mitigation progress and plan next assessment.
- C. Identify threats, vulnerabilities, and controls that will be evaluated.
- D. Document and implement a mitigation plan.
Answer: A,B,D
NEW QUESTION 156
Phase 1 of the DITSCAP C&A process is known as the Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and reach agreement on the method for implementing the security requirements. What are the process activities of this phase?
Each correct answer represents a complete solution. Choose all that apply.
- A. Negotiation
- B. Document mission need
- C. Initial Certification Analysis
- D. Registration
Answer: A,B,D
NEW QUESTION 157
Which of the following roles is responsible for review and risk analysis of all contracts on a regular basis?
- A. The IT Service Continuity Manager
- B. The Service Catalogue Manager
- C. The Configuration Manager
- D. The Supplier Manager
Answer: D
Explanation:
Section: Volume A
NEW QUESTION 158
The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer?
Each correct answer represents a complete solution. Choose all that apply.
- A. Establishing effective continuous monitoring program for the organization
- B. Facilitating the sharing of security risk-related information among authorizing officials
- C. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan
- D. Preserving high-level communications and working group relationships in an organization
Answer: A,C,D
NEW QUESTION 159
You are responsible for network and information security at a metropolitan police station. The most important concern is that unauthorized parties are not able to access data. What is this called?
- A. Integrity
- B. Availability
- C. Encryption
- D. Confidentiality
Answer: D
Explanation:
Section: Volume C
NEW QUESTION 160
System Authorization is a risk management process. The System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of the System Authorization Plan?
Each correct answer represents a part of the solution. Choose all that apply.
- A. Authorization
- B. Pre-certification
- C. Post-Authorization
- D. Post-certification
- E. Certification
Answer: A,B,C,E
NEW QUESTION 161
An organization monitors the hard disks of its employees' computers from time to time. Which policy does this pertain to?
- A. User password policy
- B. Privacy policy
- C. Network security policy
- D. Backup policy
Answer: B
Explanation:
Section: Volume C
NEW QUESTION 162
You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis?
- A. Risk databases that may be available from industry sources
- B. Studies of similar projects by risk specialists
- C. Information on prior, similar projects
- D. Review of vendor contracts to examine risks in past projects
Answer: D
NEW QUESTION 163
Penetration testing (also called pen testing) is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. Which of the following areas can be exploited in a penetration test?
Each correct answer represents a complete solution. Choose all that apply.
- A. Social engineering
- B. Kernel flaws
- C. Race conditions
- D. File and directory permissions
- E. Trojan horses
- F. Buffer overflows
- G. Information system architectures
Answer: A,B,C,D,E,F
Explanation:
Section: Volume B
NEW QUESTION 164
Which of the following formulas was developed by FIPS 199 for categorization of an information system?
- A. SC information system = {(confidentiality, controls), (integrity, controls), (availability, controls)}
- B. SC information system = {(confidentiality, impact), (integrity, controls), (availability, risk)}
- C. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
- D. SC information system = {(confidentiality, risk), (integrity, impact), (availability, controls)}
Answer: C
NEW QUESTION 165
Risk transference refers to the transfer of risks to a third party, usually for a fee; it creates a contractual relationship under which the third party manages the risk on behalf of the performing organization. Which one of the following is NOT an example of the transference risk response?
- A. Performance bonds
- B. Use of insurance
- C. Life cycle costing
- D. Warranties
Answer: C
NEW QUESTION 166
Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?
- A. Senior Agency Information Security Officer
- B. Common Control Provider
- C. Authorizing Official
- D. Chief Information Officer
Answer: B
Explanation:
Section: Volume C
NEW QUESTION 167
Which of the following individuals is responsible for the final accreditation decision?
- A. Certification Agent
- B. Information System Owner
- C. User Representative
- D. Risk Executive
Answer: B
Explanation:
Section: Volume D
NEW QUESTION 168
Which of the following statements about role-based access control (RBAC) model is true?
- A. In this model, the users can access resources according to their seniority.
- B. In this model, the permissions are uniquely assigned to each user account.
- C. In this model, the same permission is assigned to each user account.
- D. In this model, a user can access resources according to his role in the organization.
Answer: D
NEW QUESTION 169
Which of the following DoD directives defines DITSCAP as the standard C&A process for the Department of Defense?
- A. DoD 8910.1
- B. DoD 5200.22-M
- C. DoD 8000.1
- D. DoD 5200.40
Answer: D
Explanation:
Section: Volume C