Deck 1: Certified Authorization Professional
1
Under which type of access control does a user ID and password system fall?
A) Administrative
B) Technical
C) Physical
D) Power
Answer: Technical
2
Which of the following parts of BS 7799 covers risk analysis and management?
A) Part 1
B) Part 3
C) Part 2
D) Part 4
Answer: Part 3
3
Which of the following are included in Technical Controls? Each correct answer represents a complete solution. Choose all that apply.
A) Implementing and maintaining access control mechanisms
B) Password and resource management
C) Configuration of the infrastructure
D) Identification and authentication methods
E) Conducting security-awareness training
F) Security devices
Answer:
Implementing and maintaining access control mechanisms
Password and resource management
Configuration of the infrastructure
Identification and authentication methods
Security devices
4
Henry is the project manager of the QBG Project for his company. This project has a budget of $4,576,900 and is expected to last 18 months to complete. The CIO, a stakeholder in the project, has introduced a scope change request for additional deliverables as part of the project work. What component of the change control system would review the proposed changes' impact on the features and functions of the project's product?
A) Cost change control system
B) Scope change control system
C) Integrated change control
D) Configuration management system
5
Mary is the project manager of the HGH Project for her company. She and her project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but its products are significantly more expensive than the current vendor's. What type of response strategy is this?
A) External risk response
B) Internal risk management strategy
C) Contingent response strategy
D) Expert judgment
6
Which of the following NIST Special Publication documents provides a guideline on questionnaires and checklists through which systems can be evaluated for compliance against specific control objectives?
A) NIST SP 800-53A
B) NIST SP 800-26
C) NIST SP 800-53
D) NIST SP 800-59
E) NIST SP 800-60
F) NIST SP 800-37
7
Phase 1 of DITSCAP C&A is known as the Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.
A) Registration
B) Document mission need
C) Negotiation
D) Initial Certification Analysis
8
The only output of the Perform Qualitative Risk Analysis process is risk register updates. When the project manager updates the risk register, he will need to include several pieces of information, including all of the following except for which one?
A) Trends in qualitative risk analysis
B) Risk probability-impact matrix
C) Watchlist of low-priority risks
D) Risks grouped by categories
9
Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. Which of the following is violated in a shoulder surfing attack?
A) Authenticity
B) Confidentiality
C) Availability
D) Integrity
10
Which of the following formulas was developed by FIPS 199 for categorization of an information system?
A) SC information system = {(confidentiality, impact), (integrity, controls), (availability, risk)}
B) SC information system = {(confidentiality, risk), (integrity, impact), (availability, controls)}
C) SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
D) SC information system = {(confidentiality, controls), (integrity, controls), (availability, controls)}
11
Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred understands that once the quantitative risk analysis process is complete, it will need to be completed at least two more times during the project. When will the quantitative risk analysis process need to be repeated?
A) Quantitative risk analysis process will be completed again after the plan risk response planning and as part of procurement.
B) Quantitative risk analysis process will be completed again after the cost management planning and as a part of monitoring and controlling.
C) Quantitative risk analysis process will be completed again after new risks are identified and as part of monitoring and controlling.
D) Quantitative risk analysis process will be completed again after the risk response planning and as a part of monitoring and controlling.
12
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.
A) Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
B) Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
C) Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
D) Certification is the official management decision given by a senior agency official to authorize operation of an information system.
13
The Project Risk Management knowledge area focuses on which of the following processes? Each correct answer represents a complete solution. Choose all that apply.
A) Potential Risk Monitoring
B) Risk Management Planning
C) Quantitative Risk Analysis
D) Risk Monitoring and Control
14
Which of the following individuals informs all C&A participants about life cycle actions, security requirements, and documented user needs?
A) IS program manager
B) Certification Agent
C) User representative
D) DAA
15
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.
A) Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
B) Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
C) Certification is the official management decision given by a senior agency official to authorize operation of an information system.
D) Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
16
Which of the following administrative policy controls requires individuals or organizations to be engaged in good business practices relative to the organization's industry?
A) Segregation of duties
B) Separation of duties
C) Need to Know
D) Due care
17
You and your project team are just starting the risk identification activities for a project that is scheduled to last for 18 months. Your project team has already identified a long list of risks that need to be analyzed. How often should you and the project team do risk identification?
A) At least once per month
B) Several times until the project moves into execution
C) It depends on how many risks are initially identified.
D) Identify risks is an iterative process.
18
You are the project manager for your organization. You have identified a risk event that your organization could manage internally or externally. If you manage the event internally, it will cost your project $578,000 plus an additional $12,000 per month the solution is in use. A vendor can manage the risk event for you. The vendor will charge $550,000 plus $14,500 per month that the solution is in use. How many months will you need to use the solution to pay for the internal solution in comparison to the vendor's solution?
A) Approximately 13 months
B) Approximately 11 months
C) Approximately 15 months
D) Approximately 8 months
19
You work as a project manager for BlueWell Inc. You are working with Nancy, the COO of your company, on several risks within the project. Nancy understands that through qualitative analysis you have identified 80 risks that have a low probability and low impact as the project is currently planned. Nancy's concern, however, is that the impact and probability of these risk events may change as conditions within the project change. She would like to know where you will document and record these 80 low-probability, low-impact risks for future reference. What should you tell Nancy?
A) Risk identification is an iterative process so any changes to the low probability and low impact risks will be reassessed throughout the project life cycle.
B) Risks with low probability and low impact are recorded in a watchlist for future monitoring.
C) All risks, regardless of their assessed impact and probability, are recorded in the risk log.
D) All risks are recorded in the risk management plan
20
In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system?
A) Full operational test
B) Penetration test
C) Paper test
D) Walk-through test
21
In which of the following Risk Management Framework (RMF) phases is strategic risk assessment planning performed?
A) Phase 0
B) Phase 1
C) Phase 2
D) Phase 3
22
Which of the following individuals is responsible for configuration management and control tasks?
A) Common control provider
B) Information system owner
C) Authorizing official
D) Chief information officer
23
Which of the following is NOT a type of penetration test?
A) Cursory test
B) Partial-knowledge test
C) Zero-knowledge test
D) Full knowledge test
24
Sammy is the project manager for her organization. She would like to rate each risk based on its probability and effect on time, cost, and scope. Harry, a project team member, has never done this before and thinks Sammy is wrong to attempt this approach. Harry says that a single cumulative risk score should be created, not three separate risk scores. Who is correct in this scenario?
A) Sammy is correct, because organizations can create risk scores for each objective of the project.
B) Harry is correct, because the risk probability and impact considers all objectives of the project.
C) Harry is correct, the risk probability and impact matrix is the only approach to risk assessment.
D) Sammy is correct, because she is the project manager.
25
What does RTM stand for?
A) Resource Testing Method
B) Replaced Traceability Matrix
C) Requirements Traceability Matrix
D) Resource Tracking Matrix
26
Which of the following are the tasks performed by the owner in the information classification schemes? Each correct answer represents a part of the solution. Choose three.
A) To make the original determination of what level of classification the information requires, based on the business requirements for the safety of the data.
B) To perform data restoration from the backups whenever required.
C) To review the classification assignments from time to time and make alterations as the business requirements alter.
D) To delegate the responsibility of the data safeguard duties to the custodian.
27
The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply.
A) An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).
B) An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).
C) An ISSE provides advice on the continuous monitoring of the information system.
D) An ISSO takes part in the development activities that are required to implement system changes.
E) An ISSE provides advice on the impacts of system changes.
28
Which of the following individuals is responsible for the final accreditation decision?
A) Certification Agent
B) User Representative
C) Information System Owner
D) Risk Executive
29
Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?
A) Senior Agency Information Security Officer
B) Authorizing Official
C) Chief Information Officer
D) Common Control Provider
30
Which of the following assessment methodologies defines a six-step technical security evaluation?
A) OCTAVE
B) FITSAF
C) DITSCAP
D) FIPS 102
31
Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?
A) Definition, Validation, Verification, and Post Accreditation
B) Verification, Definition, Validation, and Post Accreditation
C) Definition, Verification, Validation, and Post Accreditation
D) Verification, Validation, Definition, and Post Accreditation
32
In which of the following phases do the system security plan update and the Plan of Action and Milestones (POAM) update take place?
A) Continuous Monitoring Phase
B) Accreditation Phase
C) Preparation Phase
D) DITSCAP Phase
33
FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls are tested and reviewed?
A) Level 1
B) Level 2
C) Level 4
D) Level 5
E) Level 3
34
You are the project manager of the NHQ project for your company. Management has told you that you must implement an agreed-upon contingency response if the Cost Performance Index in your project is less than 0.90. Consider that your project has a budget at completion of $250,000 and is 60 percent complete. You are scheduled, however, to be 75 percent complete, and you have spent $165,000 to date. What is the Cost Performance Index for this project, to determine whether the contingency response should happen?
A) 0.88
B) 0.80
C) -$37,500
D) 0.91
35
You are the program manager for your project. You are working with the project managers regarding the procurement processes for their projects. You have ruled out one particular contract type because it is considered too risky for the program. Which one of the following contract types is usually considered to be the most dangerous for the buyer?
A) Cost plus incentive fee
B) Time and materials
C) Cost plus percentage of costs
D) Fixed fee
36
Which of the following roles is used to ensure that the confidentiality, integrity, and availability of the services are maintained to the levels approved on the Service Level Agreement (SLA)?
A) The Change Manager
B) The IT Security Manager
C) The Service Level Manager
D) The Configuration Manager
37
Kelly is the project manager of the BHH project for her organization. She is completing the risk identification process for this portion of her project. Which one of the following is the only thing that the risk identification process will create for Kelly?
A) Project document updates
B) Risk register updates
C) Change requests
D) Risk register
38
You work as a project manager for BlueWell Inc. You are working on a project and the management wants a rapid and cost-effective means for establishing priorities for planning risk responses in your project. Which risk management process can satisfy management's objective for your project?
A) Qualitative risk analysis
B) Quantitative analysis
C) Historical information
D) Rolling wave planning
39
Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the work in the project is very dangerous, so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes to fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario, considering the risk event?
A) Project management plan
B) Project contractual relationship with the vendor
C) Project communications plan
D) Project scope statement
40
Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual?
A) DoD 5200.22-M
B) DoD 5200.1-R
C) DoD 8910.1
D) DoDD 8000.1
E) DoD 7950.1-M
41
Which of the following C&A professionals plays the role of an advisor?
A) Information System Security Engineer (ISSE)
B) Chief Information Officer (CIO)
C) Authorizing Official
D) Information Owner
42
Which of the following types of evidence is a collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity or person?
A) Circumstantial
B) Incontrovertible
C) Direct
D) Corroborating
43
You are the project manager for your organization. You have determined that an activity is too dangerous to complete internally, so you hire a licensed contractor to complete the work. The contractor, however, may not complete the assigned work on time, which could delay the start of subsequent work. This is an example of what type of risk event?
A) Secondary risk
B) Transference
C) Internal
D) Pure risk
44
Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?
A) Definition, Validation, Verification, and Post Accreditation
B) Verification, Definition, Validation, and Post Accreditation
C) Verification, Validation, Definition, and Post Accreditation
D) Definition, Verification, Validation, and Post Accreditation
45
Which of the following RMF phases is known as risk analysis?
A) Phase 0
B) Phase 1
C) Phase 2
D) Phase 3
46
What approach can a project manager use to improve the project's performance during qualitative risk analysis?
A) Create a risk breakdown structure and delegate the risk analysis to the appropriate project team members.
B) Focus on high-priority risks.
C) Focus on near-term risks first.
D) Analyze as many risks as possible regardless of who initiated the risk event.
47
You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis?
A) Information on prior, similar projects
B) Review of vendor contracts to examine risks in past projects
C) Risk databases that may be available from industry sources
D) Studies of similar projects by risk specialists
48
Which one of the following is the only output for the qualitative risk analysis process?
A) Project management plan
B) Risk register updates
C) Enterprise environmental factors
D) Organizational process assets
49
Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis process when Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the following statements best defines what quantitative risk analysis will review?
A) The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project's competing demands.
B) The quantitative risk analysis reviews the results of risk identification and prepares the project for risk response management.
C) The quantitative risk analysis process will review risk events for their probability and impact on the project objectives.
D) The quantitative risk analysis seeks to determine the true cost of each identified risk event and the probability of each risk event to determine the risk exposure.
50
Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?
A) FITSAF
B) TCSEC
C) FIPS
D) SSAA
51
Which of the following groups represents the most likely source of an asset loss through the inappropriate use of computers?
A) Hackers
B) Visitors
C) Customers
D) Employees
52
Which of the following refers to a process that is used for implementing information security?
A) Certification and Accreditation (C&A)
B) Information Assurance (IA)
C) Five Pillars model
D) Classic information security model
53
An authentication method uses smart cards as well as usernames and passwords for authentication. Which of the following authentication methods is being referred to?
A) Anonymous
B) Multi-factor
C) Biometrics
D) Mutual
54
During which of the following processes is the probability and impact matrix prepared?
A) Plan Risk Responses
B) Perform Quantitative Risk Analysis
C) Perform Qualitative Risk Analysis
D) Monitoring and Control Risks
55
Which of the following RMF phases identifies key threats and vulnerabilities that could compromise the confidentiality, integrity, and availability of the institutional critical assets?
A) Phase 2
B) Phase 1
C) Phase 3
D) Phase 0
56
You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?
A) Risk register
B) Risk log
C) Risk management plan
D) Project management plan
57
Jenny is the project manager of the NHJ Project for her company. She has identified several positive risk events within the project and she thinks these events can save the project time and money. You, a new team member, want to know how many risk responses are available for a positive risk event. What will Jenny reply to you?
A) Four
B) Seven
C) Acceptance is the only risk response for positive risk events.
D) Three
58
Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.
A) System development
B) Certification analysis
C) Registration
D) Assessment of the Analysis Results
E) Configuring refinement of the SSAA
59
Beth is the project manager of the BFG Project for her company. In this project Beth has decided to create a contingency response based on the performance of the project schedule. If the project schedule variance is greater than $10,000 the contingency plan will be implemented. What is the formula for the schedule variance?
A) SV=EV-PV
B) SV=EV/AC
C) SV=PV-EV
D) SV=EV/PV
60
Which of the following NIST publications defines impact?
A) NIST SP 800-41
B) NIST SP 800-37
C) NIST SP 800-30
D) NIST SP 800-53
61
Which of the following is the expansion of the acronym RTM?
A) Resource tracking method
B) Requirements Traceability Matrix
C) Resource timing method
D) Requirements Testing Matrix
62
FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?
A) Level 4
B) Level 1
C) Level 3
D) Level 5
E) Level 2
63
You are the project manager of the QSL project for your organization. You are working with your project team and several key stakeholders to create a diagram that shows how various elements of a system interrelate and the mechanism of causation within the system. What diagramming technique are you using as a part of the risk identification process?
A) Cause and effect diagrams
B) System or process flowcharts
C) Predecessor and successor diagramming
D) Influence diagrams
64
The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer? Each correct answer represents a complete solution. Choose all that apply.
A) Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan
B) Preserving high-level communications and working group relationships in an organization
C) Establishing an effective continuous monitoring program for the organization
D) Facilitating the sharing of security risk-related information among authorizing officials
65
You are the project manager of the GHQ project for your company. You are working with your project team to prepare for the qualitative risk analysis process. Mary, a project team member, does not understand why you need to complete qualitative risk analysis. You explain to Mary that qualitative risk analysis helps you determine which risks need additional analysis. There are also some other benefits that qualitative risk analysis can provide for the project. Which one of the following is NOT an accomplishment of the qualitative risk analysis process?
A) Cost of the risk impact if the risk event occurs
B) Corresponding impact on project objectives
C) Time frame for a risk response
D) Prioritization of identified risk events based on probability and impact
66
The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation? Each correct answer represents a complete solution. Choose all that apply.
A) Secure accreditation
B) Type accreditation
C) System accreditation
D) Site accreditation
67
David is the project manager of the HGF project for his company. David, the project team, and several key stakeholders have completed risk identification and are ready to move into qualitative risk analysis. Tracy, a project team member, does not understand why they need to complete qualitative risk analysis. Which one of the following is the best explanation for completing qualitative risk analysis?
A) It is a rapid and cost-effective means of establishing priorities for the plan risk responses and lays the foundation for quantitative analysis.
B) It is a cost-effective means of establishing probability and impact for the project risks.
C) Qualitative risk analysis helps segment the project risks, create a risk breakdown structure, and create fast and accurate risk responses.
D) All risks must pass through quantitative risk analysis before qualitative risk analysis.
68
In what portion of a project are risks and opportunities greatest and require intense planning and anticipation of risk events?
A) Planning
B) Executing
C) Closing
D) Initiating
69
In which of the following phases does the change management process start?
A) Phase 2
B) Phase 1
C) Phase 4
D) Phase 3
70
Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency, or state of affairs?
A) Business continuity plan
B) Continuity of Operations Plan
C) Disaster recovery plan
D) Contingency plan
71
Under which type of access control does a user ID and password system fall?
A) Administrative
B) Technical
C) Power
D) Physical
72
You are the project manager of the GGH Project in your company. Your company is structured as a functional organization and you report to the functional manager that you are ready to move onto the quantitative risk analysis process. What things will you need as inputs for the quantitative risk analysis of the project in this scenario?
A) You will need the risk register, risk management plan, permission from the functional manager, and any relevant organizational process assets.
B) You will need the risk register, risk management plan, outputs of qualitative risk analysis, and any relevant organizational process assets.
C) You will need the risk register, risk management plan, cost management plan, schedule management plan, and any relevant organizational process assets.
D) Quantitative risk analysis does not happen through the project manager in a functional structure.
73
Which of the following roles is responsible for review and risk analysis of all contracts on a regular basis?
A) The Supplier Manager
B) The IT Service Continuity Manager
C) The Service Catalogue Manager
D) The Configuration Manager
74
According to FIPS Publication 199, what are the three levels of potential impact on organizations in the event of a compromise on confidentiality, integrity, and availability?
A) Confidential, Secret, and High
B) Minimum, Moderate, and High
C) Low, Normal, and High
D) Low, Moderate, and High
75
You work as a project manager for TechSoft Inc. You are working with the project stakeholders on the qualitative risk analysis process in your project. You have used all the tools of the qualitative risk analysis process in your project. Which of the following techniques is NOT used as a tool in the qualitative risk analysis process?
A) Risk Reassessment
B) Risk Categorization
C) Risk Urgency Assessment
D) Risk Data Quality Assessment
76
Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production? Each correct answer represents a part of the solution. Choose all that apply.
A) NIST
B) FIPS
C) Office of Management and Budget (OMB)
D) FISMA
77
Phase 0 of the Risk Management Framework (RMF) is known as strategic risk assessment planning. Which of the following processes take place in phase 0? Each correct answer represents a complete solution. Choose all that apply.
A) Review documentation and technical data.
B) Apply classification criteria to rank data assets and related IT resources.
C) Establish criteria that will be used to classify and rank data assets.
D) Identify threats, vulnerabilities, and controls that will be evaluated.
E) Establish criteria that will be used to evaluate threats, vulnerabilities, and controls.
78
DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP? Each correct answer represents a complete solution. Choose all that apply.
A) Accreditation
B) Identification
C) System Definition
D) Verification
E) Validation
F) Re-Accreditation
79
Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?
A) Senior Agency Information Security Officer
B) Authorizing Official
C) Common Control Provider
D) Chief Information Officer
80
Which of the following classification levels defines the information that, if disclosed to the unauthorized parties, could be reasonably expected to cause exceptionally grave damage to the national security?
A) Secret information
B) Top Secret information
C) Confidential information
D) Unclassified information