Shared Flashcard Set

Details

ISC CAP EXAM
Certified Authorization Professional
395
Computer Science
Professional
05/04/2015

Cards

Term

Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?

A. Senior Agency Information Security Officer

B. Authorizing Official

C. Common Control Provider

D. Chief Information Officer

Definition

C. Common Control Provider

Term

The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer?

Each correct answer represents a complete solution. Choose all that apply.

A. Preserving high-level communications and working group relationships in an organization

B. Facilitating the sharing of security risk-related information among authorizing officials

C. Establishing an effective continuous monitoring program for the organization

D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan

Definition

A. Preserving high-level communications and working group relationships in an organization

C. Establishing an effective continuous monitoring program for the organization

D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan

Term

The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE?

Each correct answer represents a complete solution. Choose all that apply.

A. An ISSE provides advice on the impacts of system changes.

B. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).

C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).

D. An ISSO takes part in the development activities that are required to implement system changes.

E. An ISSE provides advice on the continuous monitoring of the information system.

Definition

A. An ISSE provides advice on the impacts of system changes.

C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).

E. An ISSE provides advice on the continuous monitoring of the information system.

Term

Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?

A. Information system owner

B. Authorizing Official

C. Chief Risk Officer (CRO)

D. Chief Information Officer (CIO)

Definition

A. Information system owner

Term

Which of the following assessment methodologies defines a six-step technical security evaluation?

A. FITSAF

B. FIPS 102

C. OCTAVE

D. DITSCAP

Definition

B. FIPS 102

Term

DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP?

Each correct answer represents a complete solution. Choose all that apply.

A. Accreditation

B. Identification

C. System Definition

D. Verification

E. Validation

F. Re-Accreditation

Definition

C. System Definition

D. Verification

E. Validation

F. Re-Accreditation

Term

Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use?

A. Mandatory Access Control

B. Role-Based Access Control

C. Discretionary Access Control

D. Policy Access Control

Definition

B. Role-Based Access Control

Term

Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?

A. FITSAF

B. FIPS

C. TCSEC

D. SSAA

Definition

D. SSAA

Term

James works as IT systems personnel at SoftTech Inc. He performs the following tasks:

Runs regular backups and routine tests of the validity of the backup data.

Performs data restoration from the backups whenever required.

Maintains the retained records in accordance with the established information classification policy.

What is the role played by James in the organization?

A. Manager

B. Owner

C. Custodian

D. User

Definition

C. Custodian

Term

FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?

A. Level 4

B. Level 1

C. Level 3

D. Level 5

E. Level 2

Definition

C. Level 3

Term

Certification and Accreditation (C&A or CnA) is a process for implementing information security.

Which of the following is the correct order of C&A phases in a DITSCAP assessment?

A. Definition, Validation, Verification, and Post Accreditation

B. Verification, Definition, Validation, and Post Accreditation

C. Verification, Validation, Definition, and Post Accreditation

D. Definition, Verification, Validation, and Post Accreditation

Definition

D. Definition, Verification, Validation, and Post Accreditation

Term

System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of System Authorization Plan?

Each correct answer represents a part of the solution. Choose all that apply.

A. Post-Authorization

B. Pre-certification

C. Post-certification

D. Certification

E. Authorization

Definition

A. Post-Authorization

B. Pre-certification

D. Certification

E. Authorization

Term

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation?

Each correct answer represents a complete solution. Choose two.

A. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.

B. Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.

C. Certification is the official management decision given by a senior agency official to authorize operation of an information system.

D. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.

Definition

A. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.

D. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.

Term

Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production?

Each correct answer represents a part of the solution. Choose all that apply.

A. NIST

B. FIPS

C. FISMA

D. Office of Management and Budget (OMB)

Definition

C. FISMA

D. Office of Management and Budget (OMB)

Term

The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation?

Each correct answer represents a complete solution. Choose all that apply.

A. Secure accreditation

B. Type accreditation

C. System accreditation

D. Site accreditation

Definition

B. Type accreditation

C. System accreditation

D. Site accreditation

Term

According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls. Which of the following are among the eight areas of IA defined by DoD?

Each correct answer represents a complete solution. Choose all that apply.

A. VI Vulnerability and Incident Management

B. DC Security Design & Configuration

C. EC Enclave and Computing Environment

D. Information systems acquisition, development, and maintenance

Definition

A. VI Vulnerability and Incident Management

B. DC Security Design & Configuration

C. EC Enclave and Computing Environment

Term

DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP?

Each correct answer represents a complete solution. Choose all that apply.

A. Validation

B. Re-Accreditation

C. Verification

D. System Definition

E. Identification

F. Accreditation

Definition

A. Validation

B. Re-Accreditation

C. Verification

D. System Definition

Term

Which of the following is a subset discipline of Corporate Governance focused on information security systems and their performance and risk management?

A. Lanham Act

B. ISG

C. Clinger-Cohen Act

D. Computer Misuse Act

Definition

B. ISG

Term

Ben is the project manager of the YHT Project for his company. Alice, one of his team members, is confused about when project risks will happen in the project. Which one of the following statements is the most accurate about when project risk happens?

A. Project risk can happen at any moment.

B. Project risk is uncertain, so no one can predict when the event will happen.

C. Project risk happens throughout the project execution.

D. Project risk is always in the future.

Definition

D. Project risk is always in the future.

Term

You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year. Management has asked you to identify the risk events and communicate the event's probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low level of stakeholder tolerance in this project?

A. Risk avoidance

B. Mitigation-ready project management

C. Risk utility function

D. Risk-reward mentality

Definition

C. Risk utility function

Term

Where can a project manager find risk-rating rules?

A. Risk probability and impact matrix

B. Organizational process assets

C. Enterprise environmental factors

D. Risk management plan

Definition

B. Organizational process assets

Term

There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to the perform quantitative risk analysis process?

A. Risk register

B. Cost management plan

C. Risk management plan

D. Enterprise environmental factors

Definition

D. Enterprise environmental factors

Term

Your project has several risks that may cause serious financial impact should they happen. You have studied the risk events and made some potential risk responses for the risk events, but management wants you to do more. They'd like you to create some type of chart that identifies the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart?

A. Risk response plan

B. Quantitative analysis

C. Risk response

D. Contingency reserve

Definition

D. Contingency reserve

Term

Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?

A. Authorizing Official

B. Chief Risk Officer (CRO)

C. Chief Information Officer (CIO)

D. Information system owner

Definition

D. Information system owner

Term

You are working as a project manager in your organization. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control?

A. Quantitative risk analysis

B. Qualitative risk analysis

C. Requested changes

D. Risk audits

Definition

C. Requested changes

Term

Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual?

A. DoDD 8000.1

B. DoD 7950.1-M

C. DoD 5200.22-M

D. DoD 8910.1

E. DoD 5200.1-R

Definition

B. DoD 7950.1-M

Term

Phase 3 of the Risk Management Framework (RMF) process is known as mitigation planning. Which of the following processes take place in phase 3?

Each correct answer represents a complete solution. Choose all that apply.

A. Identify threats, vulnerabilities, and controls that will be evaluated.

B. Document and implement a mitigation plan.

C. Agree on a strategy to mitigate risks.

D. Evaluate mitigation progress and plan next assessment.

Definition

B. Document and implement a mitigation plan.

C. Agree on a strategy to mitigate risks.

D. Evaluate mitigation progress and plan next assessment.

Term

Gary is the project manager of his organization. He is managing a project that is similar to a project his organization completed recently. Gary has decided that he will use the information from the past project to help him and the project team to identify the risks that may be present in the project. Management agrees that this checklist approach is ideal and will save time in the project.

Which of the following statements is most accurate about the limitations of the checklist analysis approach for Gary?

A. The checklist analysis approach is fast, but it is impossible to build an exhaustive checklist.

B. The checklist analysis approach only uses qualitative analysis.

C. The checklist analysis approach saves time, but can cost more.

D. The checklist is also known as top-down risk assessment.

Definition

A. The checklist analysis approach is fast, but it is impossible to build an exhaustive checklist.

Term

What are the subordinate tasks of the Initiate and Plan IA C&A phase of the DIACAP process?

Each correct answer represents a complete solution. Choose all that apply.

A. Develop DIACAP strategy.

B. Assign IA controls.

C. Assemble DIACAP team.

D. Initiate IA implementation plan.

E. Register system with DoD Component IA Program.

F. Conduct validation activity.

Definition

A. Develop DIACAP strategy.

B. Assign IA controls.

C. Assemble DIACAP team.

D. Initiate IA implementation plan.

E. Register system with DoD Component IA Program.

Term

Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. What are the different categories of risk?

Each correct answer represents a complete solution. Choose all that apply.

A. System interaction

B. Human interaction

C. Equipment malfunction

D. Inside and outside attacks

E. Social status

F. Physical damage

Definition

B. Human interaction

C. Equipment malfunction

D. Inside and outside attacks

E. Social status

F. Physical damage

Term

Neil works as a project manager for SoftTech Inc. He is working with Tom, the COO of his company, on several risks within the project. Tom understands that through qualitative analysis Neil has identified many risks in the project. Tom's concern, however, is that the priority list of these risk events is sorted into "high-risk," "moderate-risk," and "low-risk" as conditions apply within the project. Tom wants to know whether there is any other objective on which Neil can base the priority list for project risks. What will be Neil's reply to Tom?

A. Risk may be listed by the responses in the near-term

B. Risks may be listed by categories

C. Risks may be listed by the additional analysis and response

D. Risks may be listed by priority separately for schedule, cost, and performance

Definition

D. Risks may be listed by priority separately for schedule, cost, and performance

Term

Under which type of access control do user ID and password systems fall?

A. Administrative

B. Technical

C. Power

D. Physical

Definition

B. Technical

Term

You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?

A. These risks can be accepted.

B. These risks can be added to a low priority risk watch list.

C. All risks must have a valid, documented risk response.

D. These risks can be dismissed.

Definition

B. These risks can be added to a low priority risk watch list.

Term

Your project uses a piece of equipment that will overheat and have to be shut down for 48 hours if its temperature goes above 450 degrees Fahrenheit. Should this machine overheat even once, it will delay the project's end date. You work with your project team to create a response: should the temperature of the machine reach 430, the machine will be paused for at least an hour to cool it down. The temperature of 430 is called what?

A. Risk identification

B. Risk response

C. Risk trigger

D. Risk event

Definition

C. Risk trigger

Term

Adrian is the project manager of the NHP Project. In her project there are several work packages that deal with electrical wiring. Rather than manage the risk internally, she has decided to hire a vendor to complete all work packages that deal with the electrical wiring. By moving the risk from the internal team to a licensed electrician, Adrian feels more comfortable that the project team will be safe.

What type of risk response has Adrian used in this example?

A. Mitigation

B. Transference

C. Avoidance

D. Acceptance

Definition

B. Transference

Term

James works as IT systems personnel at SoftTech Inc. He performs the following tasks:

Runs regular backups and routine tests of the validity of the backup data.

Performs data restoration from the backups whenever required.

Maintains the retained records in accordance with the established information classification policy.

What is the role played by James in the organization?

A. Manager

B. User

C. Owner

D. Custodian

Definition

D. Custodian

Term

Which of the following is an entry in an object's discretionary access control list (DACL) that grants permissions to a user or group?

A. Access control entry (ACE)

B. Discretionary access control entry (DACE)

C. Access control list (ACL)

D. Security Identifier (SID)

Definition

A. Access control entry (ACE)

Term

You are the project manager for your organization. You have identified a risk event that your organization could manage internally or externally. If you manage the event internally it will cost your project $578,000 and an additional $12,000 per month the solution is in use. A vendor can manage the risk event for you. The vendor will charge $550,000 and $14,500 per month that the solution is in use. How many months will you need to use the solution to pay for the internal solution in comparison to the vendor's solution?

A. Approximately 13 months

B. Approximately 11 months

C. Approximately 15 months

D. Approximately 8 months

Definition

B. Approximately 11 months

Term

Which of the following refers to the ability to ensure that the data is not modified or tampered with?

A. Confidentiality

B. Availability

C. Integrity

D. Non-repudiation

Definition

C. Integrity

Term

Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of a chart is management asking you to create?

A. Work breakdown structure

B. Resource breakdown structure

C. RACI chart

D. Roles and responsibility matrix

Definition

B. Resource breakdown structure

Term

You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis?

A. Information on prior, similar projects

B. Review of vendor contracts to examine risks in past projects

C. Risk databases that may be available from industry sources

D. Studies of similar projects by risk specialists

Definition

B. Review of vendor contracts to examine risks in past projects

Term

System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of System Authorization Plan?

Each correct answer represents a part of the solution. Choose all that apply.

A. Pre-certification

B. Certification

C. Post-certification

D. Authorization

E. Post-Authorization

Definition

A. Pre-certification

B. Certification

D. Authorization

E. Post-Authorization

Term

A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?

A. Avoidance

B. Mitigation

C. Exploit

D. Transference

Definition

D. Transference

Term

Risks with low ratings of probability and impact are included on a ____ for future monitoring.

A. Watchlist

B. Risk alarm

C. Observation list

D. Risk register

Definition

A. Watchlist

Term

Penetration testing (also called pen testing) is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. Which of the following areas can be exploited in a penetration test?

Each correct answer represents a complete solution. Choose all that apply.

A. Social engineering

B. File and directory permissions

C. Buffer overflows

D. Kernel flaws

E. Race conditions

F. Information system architectures

G. Trojan horses

Definition

A. Social engineering

B. File and directory permissions

C. Buffer overflows

D. Kernel flaws

E. Race conditions

G. Trojan horses

Term

Frank is the project manager of the NHH Project. He is working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are Frank and the NHH Project team creating in this scenario?

A. Project management plan

B. Resource management plan

C. Risk management plan

D. Project plan

Definition

C. Risk management plan

Term

In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system?

A. Full operational test

B. Walk-through test

C. Penetration test

D. Paper test

Definition

C. Penetration test

Term

Which of the following techniques are used after a security breach and are intended to limit the extent of any damage caused by the incident?

A. Safeguards

B. Preventive controls

C. Detective controls

D. Corrective controls

Definition

D. Corrective controls

Term

Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment?

A. Phase 4

B. Phase 3

C. Phase 2

D. Phase 1

Definition

B. Phase 3

Term

Which of the following roles is also known as the accreditor?

A. Chief Risk Officer

B. Data owner

C. Designated Approving Authority

D. Chief Information Officer

Definition

C. Designated Approving Authority

Term

In which of the following phases of the DITSCAP process does Security Test and Evaluation (ST&E) occur?

A. Phase 2

B. Phase 3

C. Phase 1

D. Phase 4

Definition

B. Phase 3

Term

You are the project manager of the NHH project for your company. You have completed the first round of risk management planning and have created four outputs of the risk response planning process. Which one of the following is NOT an output of the risk response planning?

A. Risk-related contract decisions

B. Project document updates

C. Risk register updates

D. Organizational process assets updates

Definition

D. Organizational process assets updates

Term

Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing. Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request?

A. Configuration management system

B. Change log

C. Scope change control system

D. Integrated change control

Definition

D. Integrated change control

Term

Which of the following assessment methodologies defines a six-step technical security evaluation?

A. OCTAVE

B. FITSAF

C. DITSCAP

D. FIPS 102

Definition

D. FIPS 102

Term

You are the project manager of the NNH Project. In this project you have created a contingency response that the schedule performance index should be less than 0.93. The NHH Project has a budget at completion of $945,000 and is 45 percent complete though the project should be 49 percent complete. The project has spent $455,897 to reach the 45 percent complete milestone. What is the project's schedule performance index?

A. 1.06

B. 0.92

C. -$37,800

D. 0.93

Definition

B. 0.92

Term

A Web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark's financial and personal details to another company. Which of the following Internet laws has the credit card issuing company violated?

A. Security law

B. Privacy law

C. Copyright law

D. Trademark law

Definition

B. Privacy law

Term

Which of the following is a 1996 United States federal law designed to improve the way the federal government acquires, uses, and disposes of information technology?

A. Computer Misuse Act

B. Lanham Act

C. Clinger-Cohen Act

D. Paperwork Reduction Act

Definition

C. Clinger-Cohen Act

Term

Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis process when Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the following statements best defines what quantitative risk analysis will review?

A. The quantitative risk analysis seeks to determine the true cost of each identified risk event and the probability of each risk event to determine the risk exposure.

B. The quantitative risk analysis process will review risk events for their probability and impact on the project objectives.

C. The quantitative risk analysis reviews the results of risk identification and prepares the project for risk response management.

D. The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project's competing demands.

Definition

D. The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project's competing demands.

Term

Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?

A. RTM

B. CRO

C. DAA

D. ATM

Definition

A. RTM

Term

Amy is the project manager for her company. In her current project the organization has a very low tolerance for risk events that will affect the project schedule. Management has asked Amy to consider the effect of all the risks on the project schedule. What approach can Amy take to create a bias against risks that will affect the schedule of the project?

A. She can have the project team pad their time estimates to alleviate delays in the project schedule.

B. She can create an overall project rating scheme to reflect the bias towards risks that affect the project schedule.

C. She can filter all risks based on their effect on schedule versus other project objectives.

D. She can shift risk-laden activities that affect the project schedule from the critical path as much as possible.

Definition

B. She can create an overall project rating scheme to reflect the bias towards risks that affect the project schedule.

Term

Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state?

A. Procurement management

B. Change management

C. Risk management

D. Configuration management

Definition

B. Change management

Term

You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?

A. Project management plan

B. Risk management plan

C. Risk log

D. Risk register

Definition

D. Risk register

Term

Which of the following RMF phases is known as risk analysis?

A. Phase 2

B. Phase 1

C. Phase 0

D. Phase 3

Definition

A. Phase 2

Term

Jenny is the project manager of the NHJ Project for her company. She has identified several positive risk events within the project and she thinks these events can save the project time and money. You, a new team member, want to know how many risk responses are available for a positive risk event. What will Jenny reply to you?

A. Four

B. Seven

C. Acceptance is the only risk response for positive risk events.

D. Three

Definition

A. Four

Term

Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management activity?

A. Stakeholder register

B. Risk register

C. Project scope statement

D. Risk management plan

Definition

A. Stakeholder register

Term

Which of the following roles is responsible for review and risk analysis of all contracts on a regular basis?

A. The Supplier Manager

B. The IT Service Continuity Manager

C. The Service Catalogue Manager

D. The Configuration Manager

Definition

A. The Supplier Manager

Term

You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example?

A. SWOT analysis

B. Root cause analysis

C. Assumptions analysis

D. Influence diagramming techniques

Definition

A. SWOT analysis

Term

Which of the following are included in Physical Controls?

Each correct answer represents a complete solution. Choose all that apply.

A. Locking systems and removing unnecessary floppy or CD-ROM drives

B. Environmental controls

C. Password and resource management

D. Identification and authentication methods

E. Monitoring for intrusion

F. Controlling individual access into the facility and different departments

Definition

A. Locking systems and removing unnecessary floppy or CD-ROM drives

B. Environmental controls

E. Monitoring for intrusion

F. Controlling individual access into the facility and different departments
Term

Which of the following NIST Special Publication documents provides a guideline on network security testing?

A. NIST SP 800-60

B. NIST SP 800-53A

C. NIST SP 800-37

D. NIST SP 800-42

E. NIST SP 800-59

F. NIST SP 800-53

Definition

D. NIST SP 800-42 (Guideline on Network Security Testing; NIST has since withdrawn it in favour of SP 800-115, but 800-42 is the answer this question expects)

Term

Which one of the following is the only output for the qualitative risk analysis process?

A. Project management plan

B. Risk register updates

C. Enterprise environmental factors

D. Organizational process assets

Definition

B. Risk register updates

Term

You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process?

A. You will use organizational process assets for risk databases that may be available from industry sources.

B. You will use organizational process assets for studies of similar projects by risk specialists.

C. You will use organizational process assets to determine costs of all risk events within the current project.

D. You will use organizational process assets for information from prior similar projects.

Definition

C. You will use organizational process assets to determine costs of all risk events within the current project.

Term

Which of the following objectives are defined by integrity in the C.I.A triad of information security systems?

Each correct answer represents a part of the solution. Choose three.

A. It preserves the internal and external consistency of information.

B. It prevents the unauthorized or unintentional modification of information by the authorized users.

C. It prevents the modification of information by the unauthorized users.

D. It prevents the intentional or unintentional unauthorized disclosure of a message's contents.

Definition

A. It preserves the internal and external consistency of information.

B. It prevents the unauthorized or unintentional modification of information by the authorized users.

C. It prevents the modification of information by the unauthorized users.

Term

You and your project team are just starting the risk identification activities for a project that is scheduled to last for 18 months. Your project team has already identified a long list of risks that need to be analyzed. How often should you and the project team do risk identification?

A. At least once per month

B. Identify risks is an iterative process.

C. It depends on how many risks are initially identified.

D. Several times until the project moves into execution

Definition

B. Identify risks is an iterative process.

Term

Eric is the project manager of the MTC project for his company. In this project a vendor has offered Eric a sizeable discount on all hardware if his order total for the project is more than $125,000. Right now, Eric is likely to spend $118,000 with the vendor. If Eric spends another $7,000 his cost savings for the project will be $12,500, but he cannot purchase hardware that he cannot implement immediately, due to organizational policies. Eric consults with Amy and Allen, other project managers in the organization, and asks if they need any hardware for their projects. Both Amy and Allen need hardware and they agree to purchase the hardware through Eric's relationship with the vendor. What positive risk response has happened in this instance?

A. Transference

B. Exploiting

C. Sharing

D. Enhancing

Definition

C. Sharing

Term

You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project?

A. Seven

B. Three

C. Four

D. One

Definition

C. Four

Term

Sam is the project manager of a construction project in south Florida. This area of the United States is prone to hurricanes during certain parts of the year. As part of the project plan Sam and the project team acknowledge the possibility of hurricanes and the damage the hurricane could have on the project's deliverables, the schedule of the project, and the overall cost of the project.

Once Sam and the project stakeholders acknowledge the risk of the hurricane they go on planning the project as if the risk is not likely to happen. What type of risk response is Sam using?

A. Mitigation

B. Avoidance

C. Passive acceptance

D. Active acceptance
Definition

C. Passive acceptance

Term

Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred understands that once the quantitative risk analysis process is complete, the process will need to be completed again in at least two other times in the project. When will the quantitative risk analysis process need to be repeated?

A. Quantitative risk analysis process will be completed again after the risk response planning and as part of procurement.

B. Quantitative risk analysis process will be completed again after the cost management planning and as a part of monitoring and controlling.

C. Quantitative risk analysis process will be completed again after new risks are identified and as part of monitoring and controlling.

D. Quantitative risk analysis process will be completed again after the risk response planning and as a part of monitoring and controlling.

Definition

D. Quantitative risk analysis process will be completed again after the risk response planning and as a part of monitoring and controlling.

Term

You are the project manager for a construction project. The project includes work that involves very high financial risk. You decide to insure that work so that any loss can be compensated. Which type of strategy have you used to deal with the risks involved with that particular work?

A. Transfer

B. Mitigate

C. Accept

D. Avoid

Definition

A. Transfer

Term

Which of the following are included in Administrative Controls?

Each correct answer represents a complete solution. Choose all that apply.

A. Conducting security-awareness training

B. Screening of personnel

C. Monitoring for intrusion

D. Implementing change control procedures

E. Developing policy

Definition

A. Conducting security-awareness training

B. Screening of personnel

D. Implementing change control procedures

E. Developing policy
Term

Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase?

Each correct answer represents a complete solution. Choose all that apply.

A. Configuring refinement of the SSAA

B. Assessment of the Analysis Results

C. System development

D. Certification analysis

E. Registration

Definition

A. Configuring refinement of the SSAA

B. Assessment of the Analysis Results

C. System development

D. Certification analysis

Term

You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you're creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance?

A. Sharing

B. Avoidance

C. Transference

D. Exploiting
Definition

C. Transference

Term

You are the project manager of the GHQ project for your company. You are working with your project team to prepare for the qualitative risk analysis process. Mary, a project team member, does not understand why you need to complete qualitative risk analysis. You explain to Mary that qualitative risk analysis helps you determine which risks need additional analysis. There are also some other benefits that qualitative risk analysis can provide for the project. Which one of the following is NOT an accomplishment of the qualitative risk analysis process?

A. Cost of the risk impact if the risk event occurs

B. Corresponding impact on project objectives

C. Time frame for a risk response

D. Prioritization of identified risk events based on probability and impact

Definition

A. Cost of the risk impact if the risk event occurs

Term

Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use?

A. Discretionary Access Control

B. Mandatory Access Control

C. Policy Access Control

D. Role-Based Access Control

Definition

D. Role-Based Access Control

Term

Which of the following are the common roles with regard to data in an information classification program?

Each correct answer represents a complete solution. Choose all that apply.

A. Custodian

B. User

C. Security auditor

D. Editor

E. Owner

Definition

A. Custodian

B. User

C. Security auditor

E. Owner
Term

To help review or design security controls, they can be classified by several criteria. One of these criteria is based on nature. According to this criteria, which of the following controls consists of incident response processes, management oversight, security awareness, and training?

A. Technical control

B. Physical control

C. Procedural control

D. Compliance control

Definition

C. Procedural control

Term

An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing Official? Each correct answer represents a complete solution. Choose all that apply.

A. Establishing and implementing the organization's continuous monitoring program

B. Determining the requirement of reauthorization and reauthorizing information systems when required

C. Reviewing security status reports and critical security documents

D. Ascertaining the security posture of the organization's information system

Definition

B. Determining the requirement of reauthorization and reauthorizing information systems when required

C. Reviewing security status reports and critical security documents

D. Ascertaining the security posture of the organization's information system

Term

Jeff, a key stakeholder in your project, wants to know how the risk exposure for the risk events is calculated during quantitative risk analysis. He is worried that the risk exposure is too low for the events surrounding his project requirements. How is the risk exposure calculated?

A. The probability of a risk event plus the impact of a risk event determines the true risk exposure.

B. The risk exposure of a risk event is determined by historical information.

C. The probability of a risk event times the impact of a risk event determines the true risk exposure.

D. The probability and impact of a risk event are gauged based on research and in-depth analysis.

Definition

C. The probability of a risk event times the impact of a risk event determines the true risk exposure.

Term

You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. You will need all of the following as inputs to the qualitative risk analysis process except for which one?

A. Risk management plan

B. Risk register

C. Stakeholder register

D. Project scope statement

Definition

C. Stakeholder register

Term

What component of the change management system is responsible for evaluating, testing, and documenting changes created to the project scope?

A. Configuration Management System

B. Project Management Information System

C. Scope Verification

D. Integrated Change Control

Definition

A. Configuration Management System

Term

A project team member has just identified a new project risk. The risk event is determined to have significant impact but a low probability in the project. Should the risk event happen it'll cause the project to be delayed by three weeks, which will cause new risk in the project. What should the project manager do with the risk event?

A. Add the identified risk to a quality control management control chart.

B. Add the identified risk to the risk register.

C. Add the identified risk to the issues log.

D. Add the identified risk to the low-level risk watchlist.

Definition

B. Add the identified risk to the risk register.

Term

Which of the following concepts represent the three fundamental principles of information security?

Each correct answer represents a complete solution. Choose three.

A. Privacy

B. Integrity

C. Availability

D. Confidentiality

Definition

B. Integrity

C. Availability

D. Confidentiality

Term

Which of the following governance bodies provides management, operational and technical controls to satisfy security requirements?

A. Chief Information Security Officer

B. Senior Management

C. Information Security Steering Committee

D. Business Unit Manager
Definition

B. Senior Management

Term

Your organization has a project that is expected to last 20 months but the customer would really like the project completed in 18 months. You have worked on similar projects in the past and believe that you could fast track the project and reach the 18 month deadline. What increases when you fast track a project?

A. Risks

B. Costs

C. Resources

D. Communication

Definition

A. Risks

Term

The IAM/CA makes certification and accreditation recommendations to the DAA. The DAA issues accreditation determinations. Which of the following are the accreditation determinations issued by the DAA?

Each correct answer represents a complete solution. Choose all that apply.

A. IATO

B. ATO

C. IATT

D. ATT

E. DATO

Definition

A. IATO

B. ATO

C. IATT

E. DATO
Term

Tom is the project manager for his organization. In his project he has recently finished the risk response planning. He tells his manager that he will now need to update the cost and schedule baselines. Why would the risk response planning require Tom to update the cost and schedule baselines?

A. New or omitted work as part of a risk response can cause changes to the cost and/or schedule baseline.

B. Risk responses protect the time and investment of the project.

C. Baselines should not be updated, but refined through versions.

D. Risk responses may take time and money to implement.
Definition

A. New or omitted work as part of a risk response can cause changes to the cost and/or schedule baseline.

Term

During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?

A. Risk rating

B. Warning signs

C. Cost of the project

D. Symptoms

Definition

C. Cost of the project

Term

You are the project manager of the NKQ project for your organization. You have completed the quantitative risk analysis process for this portion of the project. What is the only output of the quantitative risk analysis process?

A. Probability of reaching project objectives

B. Risk contingency reserve

C. Risk response

D. Risk register updates

Definition

D. Risk register updates

Term

You work as the project manager for Bluewell Inc. You are working on the NGQQ Project for your company. You have completed the risk analysis processes for the risk events. You and the project team have created risk responses for most of the identified project risks. Which of the following risk response planning techniques will you use to shift the impact of a threat to a third party, together with the responses?

A. Risk acceptance

B. Risk avoidance

C. Risk transference

D. Risk mitigation

Definition

C. Risk transference

Term

You work as a project manager for BlueWell Inc. You are currently working with the project stakeholders to identify risks in your project. You understand that the qualitative risk assessment and analysis can reflect the attitude of the project team and other stakeholders to risk. Effective assessment of risk requires management of the risk attitudes of the participants. What should you, the project manager, do with the assessment of identified risks in consideration of the attitude and bias of the participants towards the project risk?

A. Document the bias for the risk events and communicate the bias with management

B. Evaluate and document the bias towards the risk events

C. Evaluate the bias through SWOT for true analysis of the risk events

D. Evaluate the bias towards the risk events and correct the assessment accordingly

Definition

D. Evaluate the bias towards the risk events and correct the assessment accordingly

Term

Which of the following types of evidence is a collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity or person?

A. Circumstantial

B. Incontrovertible

C. Direct

D. Corroborating

Definition

A. Circumstantial

Term

Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis Courtney encourages the project team to begin grouping the identified risks by common causes. What is the primary advantage of grouping risks by common causes during qualitative risk analysis?

A. It can lead to developing effective risk responses.

B. It can lead to the creation of risk categories unique to each project.

C. It helps the project team realize the areas of the project most laden with risks.

D. It saves time by collecting the related resources, such as project team members, to analyze the risk events.

Definition
A. It can lead to developing effective risk responses.
Term

You work as a project manager for BlueWell Inc. You are working with Nancy, the COO of your company, on several risks within the project. Nancy understands that through qualitative analysis you have identified 80 risks that have a low probability and low impact as the project is currently planned. Nancy's concern, however, is that the impact and probability of these risk events may change as conditions within the project change. She would like to know where you will document and record these 80 low-probability, low-impact risks for future reference. What should you tell Nancy?

A. Risk identification is an iterative process, so any changes to the low-probability and low-impact risks will be reassessed throughout the project life cycle.

B. Risks with low probability and low impact are recorded in a watchlist for future monitoring.

C. All risks, regardless of their assessed impact and probability, are recorded in the risk log.

D. All risks are recorded in the risk management plan.

Definition
B. Risks with low probability and low impact are recorded in a watchlist for future monitoring.
Term

You work as a project manager for BlueWell Inc. Management has asked you to work with the key project stakeholders to analyze the risk events you have identified in the project. They would like you to analyze the project risks with a goal of improving the project's performance as a whole. What approach can you use to achieve the goal of improving the project's performance through risk analysis with your project stakeholders?

A. Involve subject matter experts in the risk analysis activities

B. Focus on the high-priority risks through qualitative risk analysis

C. Use qualitative risk analysis to quickly assess the probability and impact of risk events

D. Involve the stakeholders for risk identification only in the phases where the project directly affects them

Definition
B. Focus on the high-priority risks through qualitative risk analysis
Term

Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity, it would be an example of what risk response?

A. Opportunistic

B. Positive

C. Enhancing

D. Exploiting

Definition
D. Exploiting
Term

You are the program manager for your program. You are working with the project managers regarding the procurement processes for their projects. You have ruled out one particular contract type because it is considered too risky for the program. Which one of the following contract types is usually considered to be the most dangerous for the buyer?

A. Cost plus incentive fee

B. Time and materials

C. Cost plus percentage of costs

D. Fixed fee

Definition
C. Cost plus percentage of costs
Term

Which of the following NIST documents provides a guideline for identifying an information system as a National Security System?

A. NIST SP 800-53

B. NIST SP 800-59

C. NIST SP 800-53A

D. NIST SP 800-37

E. NIST SP 800-60

Definition
B. NIST SP 800-59
Term

You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process?

A. Cost management plan

B. Procurement management plan

C. Stakeholder register

D. Quality management plan

Definition
B. Procurement management plan
Term

There are seven risk responses that a project manager can choose from. Which risk response is appropriate for both positive and negative risk events?

A. Acceptance

B. Mitigation

C. Sharing

D. Transference

Definition
A. Acceptance
Term

What course of action can be taken by a party if the current negotiations fail and an agreement cannot be reached?

A. PON

B. ZOPA

C. BATNA

D. Bias

Definition
C. BATNA
Term

What does the acronym RTM stand for?

A. Resource tracking method

B. Requirements Traceability Matrix

C. Resource timing method

D. Requirements Testing Matrix

Definition
B. Requirements Traceability Matrix
Term

Thomas is the project manager of the NHJ Project for his company. He has identified several positive risk events within his project and he thinks these events can save the project time and money. Positive risk events, such as these within the NHJ Project, are also known as what?

A. Opportunities

B. Benefits

C. Ancillary constituent components

D. Contingency risks

Definition
A. Opportunities
Term

You are the project manager of the GGG project. You have completed the risk identification process for the initial phases of your project. As you begin to document the risk events in the risk register, what additional information can you associate with the identified risk events?

A. Risk schedule

B. Risk potential responses

C. Risk cost

D. Risk owner

Definition
B. Risk potential responses
Term

Which of the following are the tasks performed by the owner in information classification schemes?

Each correct answer represents a part of the solution. Choose three.

A. To make the original determination of what level of classification the information requires, based on the business requirements for the safety of the data.

B. To perform data restoration from the backups whenever required.

C. To review the classification assignments from time to time and make alterations as the business requirements change.

D. To delegate the responsibility of the data safeguarding duties to the custodian.

Definition

A. To make the original determination of what level of classification the information requires, based on the business requirements for the safety of the data.

C. To review the classification assignments from time to time and make alterations as the business requirements change.

D. To delegate the responsibility of the data safeguarding duties to the custodian.

 

Term

Which of the following approaches can be used to build a security program?

Each correct answer represents a complete solution. Choose all that apply.

A. Bottom-Up Approach

B. Right-Up Approach

C. Top-Down Approach

D. Left-Up Approach

Definition

A. Bottom-Up Approach

C. Top-Down Approach
Term

Mary is the project manager for the BLB project. She has instructed the project team to assemble to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis?

A. Mary will utilize the schedule controls and the nature of the schedule for the quantitative analysis of the schedule.

B. Mary will schedule when the identified risks are likely to happen and affect the project schedule.

C. Mary will utilize the schedule controls to determine how risks may be allowed to change the project schedule.

D. Mary will use the schedule management plan to schedule the risk identification meetings throughout the remaining project.

Definition

A. Mary will utilize the schedule controls and the nature of the schedule for the quantitative analysis of the schedule.

Term

Sammy is the project manager for her organization. She would like to rate each risk based on its probability and its effect on time, cost, and scope. Harry, a project team member, has never done this before and thinks Sammy is wrong to attempt this approach. Harry says that a single cumulative risk score should be created, not three separate risk scores. Who is correct in this scenario?

A. Sammy is correct, because organizations can create risk scores for each objective of the project.

B. Harry is correct, because the risk probability and impact considers all objectives of the project.

C. Harry is correct, the risk probability and impact matrix is the only approach to risk assessment.

D. Sammy is correct, because she is the project manager.

Definition

A. Sammy is correct, because organizations can create risk scores for each objective of the project.
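Several cards in this set describe the same small set of mechanics: exposure is probability times impact (the Jeff card), a project may score each risk separately against time, cost and scope (the Sammy card above), low-probability/low-impact risks go to a watchlist rather than the active register (the Nancy card), a trigger is the warning sign at which a planned response is invoked, and threats and opportunities each have four response strategies with acceptance common to both. The Python below is an added example written for this page to show those rules working together; it is not material from the flashcard set or the exam. The 1-to-5 ordinal scales, the watchlist threshold of 4, the response names used as strings, and the sample risks (loosely modelled on the machine-overheating, user-guide and byproduct scenarios on these cards) are assumptions for illustration.

```python
"""Minimal project risk register: exposure = probability x impact, one score per
objective, watchlist routing, risk triggers and per-type response strategies.
Added example; scales, threshold and sample data are assumptions, not exam content."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OBJECTIVES = ("time", "cost", "scope")
SCALE_MIN, SCALE_MAX = 1, 5        # assumed ordinal scales for probability and impact
WATCHLIST_THRESHOLD = 4            # assumed: exposure <= 4 on every objective -> watchlist

# Four responses for threats, four for opportunities; acceptance serves both (seven distinct).
THREAT_RESPONSES = frozenset({"avoid", "transfer", "mitigate", "accept"})
OPPORTUNITY_RESPONSES = frozenset({"exploit", "share", "enhance", "accept"})


@dataclass
class Risk:
    risk_id: str
    description: str
    probability: int                        # SCALE_MIN..SCALE_MAX
    impact: Dict[str, int]                  # one rating per objective
    positive: bool = False                  # True for an opportunity
    owner: Optional[str] = None
    potential_responses: List[str] = field(default_factory=list)
    # Optional trigger: (observable metric, threshold at which the planned response fires)
    trigger: Optional[Tuple[str, float]] = None

    def exposure(self, objective: str) -> int:
        """Exposure for one objective: probability times impact."""
        return self.probability * self.impact[objective]

    def exposures(self) -> Dict[str, int]:
        return {o: self.exposure(o) for o in OBJECTIVES}

    def max_exposure(self) -> int:
        return max(self.exposures().values())

    def belongs_on_watchlist(self) -> bool:
        return self.max_exposure() <= WATCHLIST_THRESHOLD


def validate(risk: Risk) -> None:
    """Reject ratings outside the scale and responses not allowed for the risk type."""
    if not SCALE_MIN <= risk.probability <= SCALE_MAX:
        raise ValueError(f"{risk.risk_id}: probability {risk.probability} off scale")
    for o in OBJECTIVES:
        if not SCALE_MIN <= risk.impact.get(o, 0) <= SCALE_MAX:
            raise ValueError(f"{risk.risk_id}: missing or off-scale impact for {o}")
    allowed = OPPORTUNITY_RESPONSES if risk.positive else THREAT_RESPONSES
    for r in risk.potential_responses:
        if r not in allowed:
            kind = "opportunity" if risk.positive else "threat"
            raise ValueError(f"{risk.risk_id}: '{r}' is not a {kind} response")


class RiskRegister:
    """Active register plus watchlist; every identified risk lands in exactly one."""

    def __init__(self) -> None:
        self.active: Dict[str, Risk] = {}
        self.watchlist: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> str:
        validate(risk)
        self.active.pop(risk.risk_id, None)
        self.watchlist.pop(risk.risk_id, None)
        target = self.watchlist if risk.belongs_on_watchlist() else self.active
        target[risk.risk_id] = risk
        return "watchlist" if target is self.watchlist else "active"

    def reassess(self, risk_id: str, probability: int, impact: Dict[str, int]) -> str:
        """Identification and analysis are iterative: re-rate and re-route a risk."""
        risk = self.active.get(risk_id) or self.watchlist[risk_id]
        risk.probability, risk.impact = probability, dict(impact)
        return self.add(risk)

    def prioritized(self, objective: Optional[str] = None) -> List[str]:
        """Active risk IDs, highest exposure first (for one objective, or overall)."""
        key = (lambda r: r.exposure(objective)) if objective else (lambda r: r.max_exposure())
        return [r.risk_id for r in sorted(self.active.values(), key=key, reverse=True)]

    def triggered(self, observations: Dict[str, float]) -> List[str]:
        """Risks whose trigger metric has reached its threshold in the observations."""
        hits = []
        for r in list(self.active.values()) + list(self.watchlist.values()):
            if r.trigger and observations.get(r.trigger[0], float("-inf")) >= r.trigger[1]:
                hits.append(r.risk_id)
        return hits


def build_sample_register() -> RiskRegister:
    """Constructed sample risks (assumed, not from the cards' projects)."""
    reg = RiskRegister()
    reg.add(Risk("R1", "Machine overheats and is down 48h", 3, {"time": 5, "cost": 3, "scope": 1},
                 owner="ops", potential_responses=["mitigate"], trigger=("machine_temp_f", 430)))
    reg.add(Risk("R2", "User guide delays delivery", 4, {"time": 4, "cost": 2, "scope": 1},
                 owner="pm", potential_responses=["transfer"]))
    reg.add(Risk("R3", "Minor typo in internal memo", 2, {"time": 1, "cost": 1, "scope": 1}))
    reg.add(Risk("O1", "Byproduct can be sold", 3, {"time": 1, "cost": 4, "scope": 2},
                 positive=True, potential_responses=["exploit"]))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("active by exposure:", reg.prioritized(), "watchlist:", sorted(reg.watchlist))
    print("triggered at 431F:", reg.triggered({"machine_temp_f": 431}))
```

Running it prints the active risks ordered by their worst-objective exposure, the watchlist (only the low/low risk lands there), and the risk whose trigger fires when a constructed reading of 431 degrees is observed. Re-rating a risk through reassess() is the "identify risks is an iterative process" card in practice: a risk that started on the watchlist moves into the active register as soon as its exposure on any single objective rises above the threshold, and validate() refuses a threat tagged with an opportunity strategy such as "exploit".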

Term

Which of the following phases of the DITSCAP C&A process is used to define the C&A level of effort, to identify the main C&A roles and responsibilities, and to create an agreement on the method for implementing the security requirements?

Definition
D. Phase 1
Term

A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well-designed policy?

Each correct answer represents a part of the solution. Choose all that apply.

A. Who is expected to exploit the vulnerability?

B. What is being secured?

C. Where is the vulnerability, threat, or risk?

D. Who is expected to comply with the policy?

Definition

B. What is being secured?

C. Where is the vulnerability, threat, or risk?

D. Who is expected to comply with the policy?

Term

The Project Risk Management knowledge area focuses on which of the following processes?

Each correct answer represents a complete solution. Choose all that apply.

A. Potential Risk Monitoring

B. Risk Management Planning

C. Quantitative Risk Analysis

D. Risk Monitoring and Control

Definition

B. Risk Management Planning

C. Quantitative Risk Analysis

D. Risk Monitoring and Control

Term

Which of the following objectives are defined by integrity in the C.I.A triad of information security systems?

Each correct answer represents a part of the solution. Choose three.

A. It preserves the internal and external consistency of information.

B. It prevents the unauthorized or unintentional modification of information by the authorized users.

C. It prevents the intentional or unintentional unauthorized disclosure of a message's contents.

D. It prevents the modification of information by the unauthorized users.

Definition

A. It preserves the internal and external consistency of information.

B. It prevents the unauthorized or unintentional modification of information by the authorized users.

D. It prevents the modification of information by the unauthorized users.

 

Term

Which of the following are the goals of risk management?

Each correct answer represents a complete solution. Choose three.

A. Finding an economic balance between the impact of the risk and the cost of the countermeasure

B. Identifying the risk

C. Assessing the impact of potential threats

D. Identifying the accused

Definition

A. Finding an economic balance between the impact of the risk and the cost of the countermeasure

B. Identifying the risk

C. Assessing the impact of potential threats

Term

In which of the following testing methodologies do assessors use all available documentation, work under no constraints, and attempt to circumvent the security features of an information system?

A. Full operational test

B. Penetration test

C. Paper test

D. Walk-through test

Definition
B. Penetration test
Term

You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process?

A. You will use organizational process assets for studies of similar projects by risk specialists.

B. You will use organizational process assets to determine costs of all risk events within the current project.

C. You will use organizational process assets for information from prior similar projects.

D. You will use organizational process assets for risk databases that may be available from industry sources.

Definition

B. You will use organizational process assets to determine costs of all risk events within the current project.

Term

Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?

A. SSAA

B. FIPS

C. FITSAF

D. TCSEC

Definition
A. SSAA
Term

Bill is the project manager of the JKH Project. He and the project team have identified a risk event in the project with a high probability of occurrence, and the risk event has a high cost impact on the project. Bill discusses the risk event with Virginia, the primary project customer, and she decides that the requirements surrounding the risk event should be removed from the project. The removal of the requirements does affect the project scope, but it can release the project from the high risk exposure. What risk response has been enacted in this project?

A. Acceptance

B. Mitigation

C. Avoidance

D. Transference

Definition
C. Avoidance
Term

Which of the following statements is true about residual risks?

A. It is a weakness or lack of safeguard that can be exploited by a threat.

B. It can be considered as an indicator of threats coupled with vulnerability.

C. It is the probabilistic risk after implementing all security measures.

D. It is the probabilistic risk before implementing all security measures.
Definition
C. It is the probabilistic risk after implementing all security measures.
Term

Which of the following documents is described in the statement below?

"It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning."

A. Risk register

B. Risk management plan

C. Project charter

D. Quality management plan

Definition
A. Risk register
Term

You are the project manager of the GHY project for your organization. You are working with your

project team to begin identifying risks for the project. As part of your preparation for identifying the

risks within the project you will need eleven inputs for the process. Which one of the following is

NOT an input to the risk identification process?

A. Cost management plan

B. Quality management plan

C. Procurement management plan

D. Stakeholder register

Definition
C. Procurement management plan
Term

Mary is the project manager of the HGH Project for her company. She and her project team have

agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG

Company to fulfill the order. The NBG Company can guarantee orders within three days, but the

costs of its products are significantly higher than the current vendor's. What type of a

response strategy is this?

A. External risk response

B. Internal risk management strategy

C. Contingent response strategy

D. Expert judgment

Definition
C. Contingent response strategy
Term

Which of the following is a standard that sets basic requirements for assessing the effectiveness of

computer security controls built into a computer system?

A. FITSAF

B. TCSEC

C. FIPS

D. SSAA

Definition
B. TCSEC
Term

Your project uses a piece of equipment that will overheat, and have to be shut down for 48 hours,

if its temperature goes above 450 degrees Fahrenheit. Should this machine overheat even once, it

will delay the project's end date. You work with your project team to create a response: should

the temperature of the machine reach 430, the machine will be paused for at least an hour to cool

it down. The temperature of 430 is called what?

A. Risk identification

B. Risk response

C. Risk trigger

D. Risk event

 

Definition
C. Risk trigger
Term

According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information

Assurance (IA) areas, and the controls are referred to as IA controls. Which of the following are

among the eight areas of IA defined by DoD?

Each correct answer represents a complete solution. Choose all that apply.

A. DC Security Design & Configuration

B. VI Vulnerability and Incident Management

C. EC Enclave and Computing Environment

D. Information systems acquisition, development, and maintenance

Definition

A. DC Security Design & Configuration

B. VI Vulnerability and Incident Management

C. EC Enclave and Computing Environment

Term

Which of the following is an Information Assurance (IA) model that protects and defends

information and information systems by ensuring their availability, integrity, authentication,

confidentiality, and non-repudiation?

A. Parkerian Hexad

B. Capability Maturity Model (CMM)

C. Classic information security model

D. Five Pillars model

Definition
D. Five Pillars model
Term

You work as a project manager for BlueWell Inc. Your project is running late and you must

respond to the risk. Which risk response can you choose that will also cause you to update the

human resource management plan?

 

A. Teaming agreements

B. Crashing the project

C. Transference

D. Fast tracking the project

 

Definition
B. Crashing the project
Term

FITSAF stands for Federal Information Technology Security Assessment Framework. It is a

methodology for assessing the security of information systems. Which of the following FITSAF

levels shows that the procedures and controls have been implemented?

A. Level 2

B. Level 3

C. Level 5

D. Level 4

E. Level 1

Definition
B. Level 3
Term

You are the project manager for your company and a new change request has been approved for

your project. This change request, however, has introduced several new risks to the project. You

have communicated these risk events and the project stakeholders understand the possible

effects these risks could have on your project. You elect to create a mitigation response for the

identified risk events. Where will you record the mitigation response?

A. Risk register

B. Risk log

C. Risk management plan

D. Project management plan

Definition
A. Risk register
Term

Which of the following recovery plans includes specific strategies and actions to deal with specific

variances to assumptions resulting in a particular security problem, emergency, or state of affairs?

 

A. Continuity of Operations Plan

B. Disaster recovery plan

C. Contingency plan

D. Business continuity plan

Definition
C. Contingency plan
Term

Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully

integrated system for certification testing and accreditation. What are the process activities of this

phase?

Each correct answer represents a complete solution. Choose all that apply.

A. System development

B. Certification analysis

C. Registration

D. Assessment of the Analysis Results

E. Configuring refinement of the SSAA

Definition

A. System development

B. Certification analysis

D. Assessment of the Analysis Results

E. Configuring refinement of the SSAA

Term

ISO 17799 has two parts. The first part is an implementation guide with guidelines on how to build

a comprehensive information security infrastructure and the second part is an auditing guide

based on requirements that must be met for an organization to be deemed compliant with ISO

17799. What are the ISO 17799 domains?

Each correct answer represents a complete solution. Choose all that apply.

A. Information security policy for the organization

B. Personnel security

C. Business continuity management

D. System architecture management

E. System development and maintenance

Definition

A. Information security policy for the organization

B. Personnel security

C. Business continuity management

E. System development and maintenance

Term

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It

is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or

after a system is in operation. Which of the following statements are true about Certification and

Accreditation?

Each correct answer represents a complete solution. Choose two.

A. Certification is a comprehensive assessment of the management, operational, and technical

security controls in an information system.

B. Accreditation is a comprehensive assessment of the management, operational, and technical

security controls in an information system.

C. Certification is the official management decision given by a senior agency official to authorize

operation of an information system.

D. Accreditation is the official management decision given by a senior agency official to authorize

operation of an information system.

Definition

A. Certification is a comprehensive assessment of the management, operational, and technical

security controls in an information system.

D. Accreditation is the official management decision given by a senior agency official to authorize

operation of an information system.

Term

Amy is the project manager for her company. In her current project the organization has a very low

tolerance for risk events that will affect the project schedule. Management has asked Amy to

consider the effect of all the risks on the project schedule. What approach can Amy take to create

a bias against risks that will affect the schedule of the project?

A. She can have the project team pad their time estimates to alleviate delays in the project

schedule.

B. She can shift risk-laden activities that affect the project schedule from the critical path as much

as possible.

C. She can create an overall project rating scheme to reflect the bias towards risks that affect the

project schedule.

D. She can filter all risks based on their effect on schedule versus other project objectives.

Definition

C. She can create an overall project rating scheme to reflect the bias towards risks that affect the

project schedule.

Term

Joan is a project management consultant and she has been hired by a firm to help them identify

risk events within the project. Joan would first like to examine the project documents including the

plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover

risks within the review of the project documents?

A. Lack of consistency between the plans and the project requirements and assumptions can

be the indicators of risk in the project.

B. The project documents will help the project manager, or Joan, to identify what risk identification

approach is best to pursue.

C. Plans that have loose definitions of terms and disconnected approaches will reveal risks.

D. Poorly written requirements will reveal inconsistencies in the project plans and documents.

Definition

A. Lack of consistency between the plans and the project requirements and assumptions can

be the indicators of risk in the project.

Term

You and your project team are just starting the risk identification activities for a project that is

scheduled to last for 18 months. Your project team has already identified a long list of risks that

need to be analyzed. How often should you and the project team do risk identification?

A. At least once per month

B. Several times until the project moves into execution

C. It depends on how many risks are initially identified.

D. Identify risks is an iterative process.

Definition
D. Identify risks is an iterative process.
Term

Which of the following documents were developed by NIST for conducting Certification &

Accreditation (C&A)?

Each correct answer represents a complete solution. Choose all that apply.

A. NIST Special Publication 800-53A

B. NIST Special Publication 800-37A

C. NIST Special Publication 800-59

D. NIST Special Publication 800-53

E. NIST Special Publication 800-37

F. NIST Special Publication 800-60

Definition

A. NIST Special Publication 800-53A

C. NIST Special Publication 800-59

D. NIST Special Publication 800-53

F. NIST Special Publication 800-60

Term

John is the project manager of the NHQ Project for his company. His project has 75 stakeholders,

some of which are external to the organization. John needs to make certain that he communicates

about risk in the most appropriate method for the external stakeholders. Which project

management plan will be the best guide for John to communicate to the external stakeholders?

A. Communications Management Plan

B. Risk Management Plan

C. Project Management Plan

D. Risk Response Plan

Definition
A. Communications Management Plan
Term

Which of the following individuals informs all C&A participants about life cycle actions, security

requirements, and documented user needs?

A. IS program manager

B. Certification Agent

C. User representative

D. DAA

Definition
A. IS program manager
Term

Your project has several risks that may cause serious financial impact should they happen. You

have studied the risk events and made some potential risk responses for the risk events but

management wants you to do more. They'd like you to create some type of chart that

identifies the risk probability and impact with a financial amount for each risk event. What is the

likely outcome of creating this type of chart?

A. Quantitative analysis

B. Risk response plan

C. Contingency reserve

D. Risk response

 

Definition
C. Contingency reserve
Term

Gary is the project manager for his project. He and the project team have completed the

qualitative risk analysis process and are about to enter the quantitative risk analysis process when

Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the

following statements best defines what quantitative risk analysis will review?

A. The quantitative risk analysis process will analyze the effect of risk events that may

substantially impact the project's competing demands.

B. The quantitative risk analysis reviews the results of risk identification and prepares the project

for risk response management.

C. The quantitative risk analysis process will review risk events for their probability and impact on

the project objectives.

D. The quantitative risk analysis seeks to determine the true cost of each identified risk event and

the probability of each risk event to determine the risk exposure.

Definition

A. The quantitative risk analysis process will analyze the effect of risk events that may

substantially impact the project's competing demands.

Term

You are the project manager of the NNH Project. In this project you have created a contingency

response that the schedule performance index should be less than 0.93. The NNH Project has a

budget at completion of $945,000 and is 45 percent complete though the project should be 49

percent complete. The project has spent $455,897 to reach the 45 percent complete milestone.

What is the project's schedule performance index?

A. 1.06

B. 0.93

C. -$37,800

D. 0.92

Definition
D. 0.92
Term

Which of the following techniques are used after a security breach and are intended to limit the

extent of any damage caused by the incident?

A. Safeguards

B. Preventive controls

C. Detective controls

D. Corrective controls

Definition
D. Corrective controls
Term

Which of the following is NOT an objective of the security program?

A. Security plan

B. Security education

C. Security organization

D. Information classification

Definition
A. Security plan
Term

Which of the following is NOT a responsibility of a data owner?

A. Maintaining and protecting data

B. Ensuring that the necessary security controls are in place

C. Delegating responsibility of the day-to-day maintenance of the data protection mechanisms to

the data custodian

D. Approving access requests

Definition
A. Maintaining and protecting data
Term

Walter is the project manager of a large construction project. He'll be working with several vendors

on the project. Vendors will be providing materials and labor for several parts of the project. Some

of the work in the project is very dangerous, so Walter has implemented safety requirements for

all of the vendors and his own project team. Stakeholders for the project have added new

requirements, which have caused new risks in the project. A vendor has identified a new risk that

could affect the project if it comes to fruition. Walter agrees with the vendor and has updated the

risk register and created potential risk responses to mitigate the risk. What should Walter also

update in this scenario considering the risk event?

 

A. Project communications plan

B. Project management plan

C. Project contractual relationship with the vendor

D. Project scope statement

 

Definition
B. Project management plan
Term

Penetration testing (also called pen testing) is the practice of testing a computer system, network,

or Web application to find vulnerabilities that an attacker could exploit. Which of the following

areas can be exploited in a penetration test?

Each correct answer represents a complete solution. Choose all that apply.

A. Race conditions

B. Social engineering

C. Information system architectures

D. Buffer overflows

E. Kernel flaws

F. Trojan horses

G. File and directory permissions

Definition

A. Race conditions

B. Social engineering

D. Buffer overflows

E. Kernel flaws

F. Trojan horses

G. File and directory permissions

 

Term

Harry is the project manager of the MMQ Construction Project. In this project Harry has identified

a supplier who can create stained glass windows for 1,000 window units in the construction

project. The supplier is an artist who works by himself, but creates windows for several companies

throughout the United States. Management reviews the proposal to use this supplier and while

they agree that the supplier is talented, they do not think the artist can fulfill the 1,000 window units

in time for the project's deadline. Management asked Harry to find a supplier who will guarantee

the completion of the windows by the needed date in the schedule. What risk response has management asked Harry to implement?

 

A. Mitigation

B. Acceptance

C. Transference

D. Avoidance

 

Definition
A. Mitigation
Term

Which of the following methods of authentication uses fingerprints to identify users?

A. PKI

B. Mutual authentication

C. Biometrics

D. Kerberos

Definition
C. Biometrics
Term

In which of the following Risk Management Framework (RMF) phases is strategic risk assessment

planning performed?

A. Phase 0

B. Phase 1

C. Phase 2

D. Phase 3

Definition
A. Phase 0
Term

Which of the following administrative policy controls requires individuals or organizations to be

engaged in good business practices relative to the organization's industry?

A. Segregation of duties

B. Separation of duties

C. Need to Know

D. Due care

 

Definition
D. Due care
Term

Which of the following is a security policy implemented by an organization due to compliance,

regulation, or other legal requirements?

A. Advisory policy

B. Informative policy

C. System Security policy

D. Regulatory policy

Definition
D. Regulatory policy
Term

Which of the following phases begins with a review of the SSAA in the DITSCAP accreditation?

A. Phase 1

B. Phase 4

C. Phase 3

D. Phase 2

Definition
C. Phase 3
Term

Which of the following formulas was developed by FIPS 199 for categorization of an information

type?

A. SC information type = {(confidentiality, controls), (integrity, controls), (authentication, controls)}

B. SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

C. SC information type = {(confidentiality, risk), (integrity, risk), (availability, risk)}

D. SC information type = {(Authentication, impact), (integrity, impact), (availability, impact)}

Definition
B. SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
Term

Which of the following is NOT considered an environmental threat source?

A. Pollution

B. Hurricane

C. Chemical

D. Water

Definition
B. Hurricane
Term

Which of the following is NOT a type of penetration test?

A. Cursory test

B. Partial-knowledge test

C. Zero-knowledge test

D. Full knowledge test

Definition
A. Cursory test
Term

Which of the following formulas was developed by FIPS 199 for categorization of an information

system?

A. SC information system = {(confidentiality, impact), (integrity, controls), (availability, risk)}

B. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

C. SC information system = {(confidentiality, controls), (integrity, controls), (availability, controls)}

D. SC information system = {(confidentiality, risk), (integrity, impact), (availability, controls)}

Definition
B. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
Term

Which of the following NIST documents defines impact?

A. NIST SP 800-53

B. NIST SP 800-26

C. NIST SP 800-30

D. NIST SP 800-53A

Definition
C. NIST SP 800-30
Term

Which of the following relations correctly describes residual risk?

A. Residual Risk = Threats x Vulnerability x Asset Gap x Control Gap

B. Residual Risk = Threats x Exploit x Asset Value x Control Gap

C. Residual Risk = Threats x Exploit x Asset Value x Control Gap

D. Residual Risk = Threats x Vulnerability x Asset Value x Control Gap

Definition
D. Residual Risk = Threats x Vulnerability x Asset Value x Control Gap
Term

Which of the following is NOT a phase of the security certification and accreditation process?

A. Initiation

B. Security certification

C. Operation

D. Maintenance

Definition
C. Operation
Term

Which of the following processes has the goal to ensure that any change does not lead to reduced

or compromised security?

 

A. Change control management

B. Security management

C. Configuration management

D. Risk management

Definition
A. Change control management
Term

Which of the following is not a part of the Identify Risks process?

A. System or process flow chart

B. Influence diagram

C. Decision tree diagram

D. Cause and effect diagram

Definition
C. Decision tree diagram
Term

In which of the following phases does the SSAA maintenance take place?

A. Phase 3

B. Phase 2

C. Phase 1

D. Phase 4

Definition
D. Phase 4
Term

In which of the following phases do the system security plan update and the Plan of Action and

Milestones (POAM) update take place?

A. Continuous Monitoring Phase

B. Accreditation Phase

C. Preparation Phase

D. DITSCAP Phase

Definition
A. Continuous Monitoring Phase
Term

Which of the following processes is used to protect the data based on its secrecy, sensitivity, or

confidentiality?

A. Change Control

B. Data Hiding

C. Configuration Management

D. Data Classification

Definition
D. Data Classification
Term

Which of the following assessment methods is used to review, inspect, and analyze assessment

objects?

A. Testing

B. Examination

C. Interview

D. Debugging

Definition
B. Examination
Term

Which of the following documents is used to provide a standard approach to the assessment of

NIST SP 800-53 security controls?

A. NIST SP 800-37

B. NIST SP 800-41

C. NIST SP 800-53A

D. NIST SP 800-66

Definition
C. NIST SP 800-53A
Term

What is the objective of the Security Accreditation Decision task?

A. To determine whether the agency-level risk is acceptable or not.

B. To make an accreditation decision

C. To accredit the information system

D. To approve revisions of NIACAP

Definition
A. To determine whether the agency-level risk is acceptable or not.
Term

You are the project manager for your organization. You are working with your key stakeholders in

the qualitative risk analysis process. You understand that there is a certain bias towards the risk

events in the project that you need to address, manage, and ideally reduce. What solution does

the PMBOK recommend to reduce the influence of bias during qualitative risk analysis?

A. Establish the definitions of the levels of probability and impact

B. Isolate the stakeholders by project phases to determine their risk bias

C. Involve all stakeholders to vote on the probability and impact of the risk events

D. Provide iterations of risk analysis for true reflection of a risk probability and impact

Definition
A. Establish the definitions of the levels of probability and impact
Term

Numerous information security standards promote good security practices and define frameworks

or systems to structure the analysis and design for managing information security controls. Which

of the following are the international information security standards?

Each correct answer represents a complete solution. Choose all that apply.

A. Human resources security

B. Organization of information security

C. Risk assessment and treatment

D. AU audit and accountability

Definition

A. Human resources security

B. Organization of information security

C. Risk assessment and treatment

Term

Beth is the project manager of the BFG Project for her company. In this project Beth has decided

to create a contingency response based on the performance of the project schedule. If the project

schedule variance is greater than $10,000 the contingency plan will be implemented. What is the

formula for the schedule variance?

A. SV=EV-PV

B. SV=EV/AC

C. SV=PV-EV

D. SV=EV/PV

Definition
A. SV=EV-PV
Term

You are the project manager of the HJK Project for your organization. You and the project team

have created risk responses for many of the risk events in the project. Where should you

document the proposed responses and the current status of all identified risks?

A. Risk management plan

B. Stakeholder management strategy

C. Risk register

D. Lessons learned documentation

Definition
C. Risk register
Term

Ned is the program manager for his organization and he's considering some new materials for his

program. He and his team have never worked with these materials before and he wants to ask the

vendor for some additional information, a demo, and even some samples. What type of a

document should Ned send to the vendor?

A. IFB

B. RFI

C. RFQ

D. RFP

Definition
B. RFI
Term

Which of the following acts is used to recognize the importance of information security to the

economic and national security interests of the United States?

A. Computer Fraud and Abuse Act

B. FISMA

C. Lanham Act

D. Computer Misuse Act

Definition
B. FISMA
Term

What approach can a project manager use to improve the project's performance during qualitative

risk analysis?

A. Create a risk breakdown structure and delegate the risk analysis to the appropriate project

team members.

B. Focus on high-priority risks.

C. Focus on near-term risks first.

D. Analyze as many risks as possible regardless of who initiated the risk event.

Definition
B. Focus on high-priority risks.
Term

Which of the following is used in the practice of Information Assurance (IA) to define assurance

requirements?

A. Classic information security model

B. Communications Management Plan

C. Five Pillars model

D. Parkerian Hexad

Definition
A. Classic information security model
Term

Joan is the project manager of the BTT project for her company. She has worked with her project

to create risk responses for both positive and negative risk events within the project. As a result of

this process Joan needs to make the project document updates. She has updated the

assumptions log as a result of the findings and risk responses, but what other documentation will

need to be updated as an output of risk response planning?

A. Lessons learned

B. Scope statement

C. Risk Breakdown Structure

D. Technical documentation

Definition
D. Technical documentation
Term

Which of the following access control models uses a predefined set of access privileges for an

object of a system?

A. Discretionary Access Control

B. Mandatory Access Control

C. Policy Access Control

D. Role-Based Access Control

Definition
B. Mandatory Access Control
Term

Which of the following describes residual risk as the risk remaining after risk mitigation has

occurred?

A. DIACAP

B. ISSO

C. SSAA

D. DAA

Definition
A. DIACAP
Term

You work as the project manager for Bluewell Inc. There has been a delay in your project work

that is adversely affecting the project schedule. You decide, with your stakeholders' approval, to

fast track the project work to get the project done faster. When you fast track the project, what is

likely to increase?

A. Human resource needs

B. Risks

C. Costs

D. Quality control concerns

Definition
B. Risks
Term

Which of the following components ensures that risks are examined for all new proposed change

requests in the change control system?

A. Risk monitoring and control

B. Scope change control

C. Configuration management

D. Integrated change control

Definition
D. Integrated change control
Term

Which of the following classification levels defines the information that, if disclosed to the

unauthorized parties, could be reasonably expected to cause exceptionally grave damage to the

national security?

A. Secret information

B. Top Secret information

C. Confidential information

D. Unclassified information

Definition
B. Top Secret information
Term

Mary is the project manager of the HGH Project for her company. She and her project team have

agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG

Company to fulfill the order. The NBG Company can guarantee orders within three days, but the

costs of its products are significantly higher than the current vendor's. What type of a

response strategy is this?

A. Contingent response strategy

B. Expert judgment

C. Internal risk management strategy

D. External risk response

Definition
A. Contingent response strategy
Term

Which of the following individuals is responsible for monitoring the information system environment

for factors that can negatively impact the security of the system and its accreditation?

A. Chief Risk Officer

B. Chief Information Security Officer

C. Information System Owner

D. Chief Information Officer

Definition
C. Information System Owner
Term

Walter is the project manager of a large construction project. He'll be working with several vendors

on the project. Vendors will be providing materials and labor for several parts of the project. Some

of the work in the project is very dangerous, so Walter has implemented safety requirements for

all of the vendors and his own project team. Stakeholders for the project have added new

requirements, which have caused new risks in the project. A vendor has identified a new risk that

could affect the project if it comes to fruition. Walter agrees with the vendor and has updated the

risk register and created potential risk responses to mitigate the risk. What should Walter also

update in this scenario considering the risk event?

 

A. Project management plan

B. Project contractual relationship with the vendor

C. Project communications plan

D. Project scope statement

 

Definition
A. Project management plan
Term

Which of the following is a temporary approval to operate based on an assessment of the

implementation status of the assigned IA Controls?

A. IATT

B. ATO

C. IATO

D. DATO

Definition
C. IATO
Term

Fill in the blank with an appropriate word.

________ ensures that the information is not disclosed to unauthorized persons or processes.

Definition
A. Confidentiality
Term

Nancy is the project manager of the NHH project. She and the project team have identified a

significant risk in the project during the qualitative risk analysis process. Bob is familiar with the

technology that the risk is affecting and proposes to Nancy a solution to the risk event. Nancy tells

Bob that she has noted his response, but the risk really needs to pass through the quantitative risk

analysis process before creating responses. Bob disagrees and assures Nancy that his response

is most appropriate for the identified risk. Who is correct in this scenario?

 

A. Bob is correct. Bob is familiar with the technology and the risk event so his response should be

implemented.

B. Nancy is correct. Because Nancy is the project manager she can determine the correct

procedures for risk analysis and risk responses. In addition, she has noted the risk response that

Bob recommends.

C. Nancy is correct. All risks of significant probability and impact should pass the quantitative risk

analysis process before risk responses are created.

D. Bob is correct. Not all risk events have to pass the quantitative risk analysis process to develop

effective risk responses.

Definition

D. Bob is correct. Not all risk events have to pass the quantitative risk analysis process to develop

effective risk responses.

Term

Which of the following is a standard that sets basic requirements for assessing the effectiveness of

computer security controls built into a computer system?

A. FITSAF

B. TCSEC

C. FIPS

D. SSAA

Definition
B. TCSEC
Term

Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system

has been accredited in Phase 3. What are the process activities of this phase?

Each correct answer represents a complete solution. Choose all that apply.

A. Maintenance of the SSAA

B. Compliance validation

C. Change management

D. System operations

E. Security operations

F. Continue to review and refine the SSAA

Definition

A. Maintenance of the SSAA

B. Compliance validation

C. Change management

D. System operations

E. Security operations

Term

The only output of the Perform Qualitative Risk Analysis process is risk register updates. When the project

manager updates the risk register he will need to include several pieces of information including all

of the following except for which one?

A. Trends in qualitative risk analysis

B. Risk probability-impact matrix

C. Watchlist of low-priority risks

D. Risks grouped by categories

Definition
B. Risk probability-impact matrix
Term

Billy is the project manager of the HAR Project and is in month six of the project. The project is

scheduled to last for 18 months. Management asks Billy how often the project team is participating

in risk reassessment in this project. What should Billy tell management if he's following the best

practices for risk management?

A. At every status meeting of the project team, project risk management is an agenda item.

B. Project risk management happens at every milestone.

C. Project risk management has been concluded with the project planning.

D. Project risk management is scheduled for every month in the 18-month project.

Definition
A. At every status meeting of the project team, project risk management is an agenda item.
Term

Rob is the project manager of the IDLK Project for his company. This project has a budget of

$5,600,000 and is expected to last 18 months. Rob has learned that a new law may affect how the

project is allowed to proceed - even though the organization has already invested over $750,000

in the project. What risk response is the most appropriate for this instance?

A. Transference

B. Mitigation

C. Enhance

D. Acceptance

Definition
D. Acceptance
Term

You are the project manager of the CUL project in your organization. You and the project team are

assessing the risk events and creating a probability and impact matrix for the identified risks.

Which one of the following statements best describes the requirements for the data type used in

qualitative risk analysis?

A. A qualitative risk analysis requires fast and simple data to complete the analysis.

B. A qualitative risk analysis requires accurate and unbiased data if it is to be credible.

C. A qualitative risk analysis requires unbiased stakeholders with biased risk tolerances.

D. A qualitative risk analysis encourages biased data to reveal risk tolerances.

Definition
B. A qualitative risk analysis requires accurate and unbiased data if it is to be credible.
Term

You are the project manager of a large construction project. Part of the project involves the wiring

of the electricity in the building your project is creating. You and the project team determine the

electrical work is too dangerous to perform yourself so you hire an electrician to perform the work

for the project. This is an example of what type of risk response?

A. Transference

B. Mitigation

C. Avoidance

D. Acceptance

Definition
A. Transference
Term

You are the project manager of the GHY project for your organization. You are about to start the

qualitative risk analysis process for the project and you need to determine the roles and

responsibilities for conducting risk management. Where can you find this information?

 

A. Risk management plan

B. Enterprise environmental factors

C. Staffing management plan

D. Risk register

 

Definition
A. Risk management plan
Term

Phase 1 of DITSCAP C&A is known as the Definition Phase. The goal of this phase is to define

the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement

on the method for implementing the security requirements. What are the process activities of this

phase?

Each correct answer represents a complete solution. Choose all that apply.

A. Registration

B. Document mission need

C. Negotiation

D. Initial Certification Analysis

Definition

A. Registration

B. Document mission need

C. Negotiation

Term

You are the project manager of the GGH Project in your company. Your company is structured as

a functional organization and you report to the functional manager that you are ready to move onto

the quantitative risk analysis process. What things will you need as inputs for the quantitative risk

analysis of the project in this scenario?

A. You will need the risk register, risk management plan, permission from the functional manager,

and any relevant organizational process assets.

B. You will need the risk register, risk management plan, outputs of qualitative risk analysis, and

any relevant organizational process assets.

C. You will need the risk register, risk management plan, cost management plan, schedule

management plan, and any relevant organizational process assets.

D. Quantitative risk analysis does not happen through the project manager in a functional structure.

Definition

C. You will need the risk register, risk management plan, cost management plan, schedule

management plan, and any relevant organizational process assets.

Term

Which of the following professionals plays the role of a monitor and takes part in the organization's

configuration management process?

A. Senior Agency Information Security Officer

B. Authorizing Official

C. Chief Information Officer

D. Common Control Provider

Definition
D. Common Control Provider
Term

In which of the following DIACAP phases is residual risk analyzed?

A. Phase 2

B. Phase 4

C. Phase 5

D. Phase 3

E. Phase 1

Definition
B. Phase 4
Term

You are responsible for network and information security at a metropolitan police station. The most

important concern is that unauthorized parties are not able to access data. What is this called?

A. Confidentiality

B. Encryption

C. Integrity

D. Availability

Definition
A. Confidentiality
Term

Mark is the project manager of the BFL project for his organization. He and the project team are

creating a probability and impact matrix using RAG rating. There is some confusion and

disagreement among the project team as to how important a certain risk is and how its priority for attention

should be managed. Where can Mark determine the priority of a risk given its probability and

impact?

A. Risk response plan

B. Project sponsor

C. Risk management plan

D. Look-up table

Definition
D. Look-up table
Term

Which of the following statements are true about security risks?

Each correct answer represents a complete solution. Choose three.

A. They can be removed completely by taking proper actions.

B. They can be analyzed and measured by the risk analysis process.

C. They can be mitigated by reviewing and taking responsible actions based on possible risks.

D. They are considered an indicator of threats coupled with vulnerability.

Definition

B. They can be analyzed and measured by the risk analysis process.

C. They can be mitigated by reviewing and taking responsible actions based on possible risks.

D. They are considered an indicator of threats coupled with vulnerability.

Term

FITSAF stands for Federal Information Technology Security Assessment Framework. It is a

methodology for assessing the security of information systems. Which of the following FITSAF

levels shows that the procedures and controls are tested and reviewed?

A. Level 1

B. Level 2

C. Level 4

D. Level 5

E. Level 3

Definition
C. Level 4
Term

A high-profile, high-priority project within your organization is being created. Management wants

you to pay special attention to the project risks and do all that you can to ensure that all of the

risks are identified early in the project. Management has to ensure that this project succeeds.

Management's risk aversion in this project is associated with what term?

A. Utility function

B. Risk conscience

C. Quantitative risk analysis

D. Risk mitigation

Definition
A. Utility function
Term

Which of the following governance bodies directs and coordinates implementations of the

information security program?

A. Information Security Steering Committee

B. Senior Management

C. Business Unit Manager

D. Chief Information Security Officer

Definition
D. Chief Information Security Officer
Term

What are the subordinate tasks of the Implement and Validate Assigned IA Control phase in the

DIACAP process?

Each correct answer represents a complete solution. Choose all that apply.

A. Conduct activities related to the disposition of the system data and objects.

B. Execute and update IA implementation plan.

C. Conduct validation activities.

D. Combine validation results in DIACAP scorecard.

Definition

B. Execute and update IA implementation plan.

C. Conduct validation activities.

D. Combine validation results in DIACAP scorecard.

Term

Which of the following DITSCAP C&A phases takes place between the signing of the initial version

of the SSAA and the formal accreditation of the system?

A. Phase 3

B. Phase 1

C. Phase 2

D. Phase 4

Definition
C. Phase 2
Term

Phase 0 of the Risk Management Framework (RMF) is known as strategic risk assessment

planning. Which of the following processes take place in phase 0?

Each correct answer represents a complete solution. Choose all that apply.

A. Review documentation and technical data.

B. Apply classification criteria to rank data assets and related IT resources.

C. Establish criteria that will be used to classify and rank data assets.

D. Identify threats, vulnerabilities, and controls that will be evaluated.

E. Establish criteria that will be used to evaluate threats, vulnerabilities, and controls.

Definition

B. Apply classification criteria to rank data assets and related IT resources.

C. Establish criteria that will be used to classify and rank data assets.

D. Identify threats, vulnerabilities, and controls that will be evaluated.

E. Establish criteria that will be used to evaluate threats, vulnerabilities, and controls.

Term

Which of the following fields of management focuses on establishing and maintaining consistency

of a system's or product's performance and its functional and physical attributes with its

requirements, design, and operational information throughout its life?

A. Configuration management

B. Procurement management

C. Risk management

D. Change management

Definition
A. Configuration management
Term

Which of the following roles is used to ensure that the confidentiality, integrity, and availability of

the services are maintained to the levels approved on the Service Level Agreement (SLA)?

A. The Change Manager

B. The IT Security Manager

C. The Service Level Manager

D. The Configuration Manager

Definition
B. The IT Security Manager
Term

Which of the following terms related to risk management represents the estimated frequency at

which a threat is expected to occur?

A. Safeguard

B. Single Loss Expectancy (SLE)

C. Exposure Factor (EF)

D. Annualized Rate of Occurrence (ARO)

Definition
D. Annualized Rate of Occurrence (ARO)
Term

Information Security management is a process of defining the security controls in order to protect

information assets. The first action of a management program to implement information security is

to have a security program in place. What are the objectives of a security program?

Each correct answer represents a complete solution. Choose all that apply.

A. Security organization

B. System classification

C. Information classification

D. Security education

Definition

A. Security organization

C. Information classification

D. Security education

 

Term

Which of the following are the types of access controls?

Each correct answer represents a complete solution. Choose three.

A. Administrative

B. Automatic

C. Technical

D. Physical

Definition

A. Administrative

C. Technical

D. Physical

 

Term

You are the project manager of the NNQ Project for your company and are working with your

project team to define contingency plans for the risks within your project. Mary, one of your project

team members, asks what a contingency plan is. Which of the following statements best defines

what a contingency response is?

A. Some responses are designed for use only if certain events occur.

B. Some responses have a cost and a time factor to consider for each risk event.

C. Some responses must counteract pending risk events.

D. Quantified risks should always have contingency responses.

Definition
A. Some responses are designed for use only if certain events occur.
Term

Who is responsible for the stakeholder expectations management in a high-profile, high-risk

project?

A. Project management office

B. Project sponsor

C. Project risk assessment officer

D. Project manager

Definition
D. Project manager
Term

Which of the following requires all general support systems and major applications to be fully

certified and accredited before these systems and applications are put into production?

Each correct answer represents a part of the solution. Choose all that apply.

A. NIST

B. FIPS

C. Office of Management and Budget (OMB)

D. FISMA

Definition

C. Office of Management and Budget (OMB)

D. FISMA

Term

Which of the following refers to a process that is used for implementing information security?

A. Certification and Accreditation (C&A)

B. Information Assurance (IA)

C. Five Pillars model

D. Classic information security model

Definition
A. Certification and Accreditation (C&A)
Term

What project management plan is most likely to direct the quantitative risk analysis process for a

project in a matrix environment?

A. Staffing management plan

B. Risk analysis plan

C. Human resource management plan

D. Risk management plan

Definition
D. Risk management plan
Term

Your project team has identified a project risk that must be responded to. The risk has been

recorded in the risk register and the project team has been discussing potential risk responses for

the risk event. The event is not likely to happen for several months but the probability of the event

is high. Which one of the following is a valid response to the identified risk event?

A. Corrective action

B. Technical performance measurement

C. Risk audit

D. Earned value management

Definition
A. Corrective action
Term

Which of the following documents is described in the statement below?

"It is developed along with all processes of the risk management. It contains the results of the

qualitative risk analysis, quantitative risk analysis, and risk response planning."

A. Project charter

B. Risk management plan

C. Risk register

D. Quality management plan

Definition
C. Risk register
Term

Joan is a project management consultant and she has been hired by a firm to help them identify

risk events within the project. Joan would first like to examine the project documents including the

plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover

risks within the review of the project documents?

A. The project documents will help the project manager, or Joan, to identify what risk identification

approach is best to pursue.

B. Plans that have loose definitions of terms and disconnected approaches will reveal risks.

C. Poorly written requirements will reveal inconsistencies in the project plans and documents.

D. Lack of consistency between the plans and the project requirements and assumptions can be

the indicators of risk in the project.

 

 

Definition

D. Lack of consistency between the plans and the project requirements and assumptions can be

the indicators of risk in the project.

Term

Which of the following statements about the availability concept of Information security

management is true?

A. It ensures that modifications are not made to data by unauthorized personnel or processes.

B. It ensures reliable and timely access to resources.

C. It determines actions and behaviors of a single individual within a system.

D. It ensures that unauthorized modifications are not made to data by authorized personnel or

processes.

Definition
B. It ensures reliable and timely access to resources.
Term

Which of the following are the objectives of the security certification documentation task?

Each correct answer represents a complete solution. Choose all that apply.

A. To prepare the Plan of Action and Milestones (POAM) based on the security assessment

B. To provide the certification findings and recommendations to the information system owner

C. To assemble the final security accreditation package and then submit it to the authorizing official

D. To update the system security plan based on the results of the security assessment

Definition

A. To prepare the Plan of Action and Milestones (POAM) based on the security assessment

B. To provide the certification findings and recommendations to the information system owner

C. To assemble the final security accreditation package and then submit it to the authorizing official

D. To update the system security plan based on the results of the security assessment

Term

Which of the following statements about System Access Control List (SACL) is true?

 

A. It contains a list of any events that are set to audit for that particular object.

B. It is a mechanism for reducing the need for globally unique IP addresses.

C. It contains a list of both users and groups and whatever permissions they have.

D. It exists for each and every permission entry assigned to any object.

Definition
A. It contains a list of any events that are set to audit for that particular object.
Term

Kelly is the project manager of the BHH project for her organization. She is completing the risk

identification process for this portion of her project. Which one of the following is the only thing that

the risk identification process will create for Kelly?

A. Project document updates

B. Risk register updates

C. Change requests

D. Risk register

Definition
D. Risk register
Term

You are the project manager for your organization. You are working with your project team to

complete the qualitative risk analysis process. The first tool and technique you are using requires

that you assess the probability and what other characteristic of each identified risk in the project?

A. Risk owner

B. Risk category

C. Impact

D. Cost

Definition
C. Impact
Term

You are preparing to complete the quantitative risk analysis process with your project team and

several subject matter experts. You gather the necessary inputs including the project's cost

management plan. Why is it necessary to include the project's cost management plan in the

preparation for the quantitative risk analysis process?

 

A. The project's cost management plan can help you to determine what the total cost of the project

is allowed to be.

B. The project's cost management plan provides direction on how costs may be changed due to

identified risks.

C. The project's cost management plan provides control that may help determine the structure for

quantitative analysis of the budget.

D. The project's cost management plan is not an input to the quantitative risk analysis process.

Definition

C. The project's cost management plan provides control that may help determine the structure for

quantitative analysis of the budget.

Term

What NIACAP certification levels are recommended by the certifier?

Each correct answer represents a complete solution. Choose all that apply.

 

A. Minimum Analysis

B. Basic System Review

C. Detailed Analysis

D. Maximum Analysis

E. Comprehensive Analysis

F. Basic Security Review

Definition

A. Minimum Analysis

C. Detailed Analysis

E. Comprehensive Analysis

F. Basic Security Review

 

 

Term

You work as a project manager for BlueWell Inc. There has been a delay in your project work that

is adversely affecting the project schedule. You decided, with your stakeholders' approval, to fast

track the project work to get the project done faster. When you fast track the project which of the

following are likely to increase?

A. Quality control concerns

B. Costs

C. Risks

D. Human resource needs

Definition
C. Risks
Term

Information Security management is a process of defining the security controls in order to protect

information assets. What are the security management responsibilities?

Each correct answer represents a complete solution. Choose all that apply.

A. Evaluating business objectives, security risks, user productivity, and functionality requirements

B. Determining actual goals that are expected to be accomplished from a security program

C. Defining steps to ensure that all the responsibilities are accounted for and properly addressed

D. Determining objectives, scope, policies, priorities, standards, and strategies

Definition

A. Evaluating business objectives, security risks, user productivity, and functionality requirements

B. Determining actual goals that are expected to be accomplished from a security program

C. Defining steps to ensure that all the responsibilities are accounted for and properly addressed

D. Determining objectives, scope, policies, priorities, standards, and strategies

Term

Which of the following are included in Technical Controls?

Each correct answer represents a complete solution. Choose all that apply.

A. Implementing and maintaining access control mechanisms

B. Password and resource management

C. Configuration of the infrastructure

D. Identification and authentication methods

E. Conducting security-awareness training

F. Security devices

Definition

 

A. Implementing and maintaining access control mechanisms

B. Password and resource management

C. Configuration of the infrastructure

D. Identification and authentication methods

F. Security devices

Term

You are the project manager of the HJK project for your organization. You and the project team

have created risk responses for many of the risk events in the project. A teaming agreement is an

example of what risk response?

A. Acceptance

B. Mitigation

C. Sharing

D. Transference

Definition
C. Sharing
Term

Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are

attempting to break in. What are the different categories of penetration testing?

Each correct answer represents a complete solution. Choose all that apply.

A. Full-box

B. Zero-knowledge test

C. Full-knowledge test

D. Open-box

E. Partial-knowledge test

F. Closed-box

Definition

B. Zero-knowledge test

C. Full-knowledge test

D. Open-box

E. Partial-knowledge test

F. Closed-box

Term

You are the project manager for TTP project. You are in the Identify Risks process. You have to

create the risk register. Which of the following are included in the risk register?

Each correct answer represents a complete solution. Choose two.

A. List of potential responses

B. List of identified risks

C. List of mitigation techniques

D. List of key stakeholders

Definition

A. List of potential responses

B. List of identified risks

Term

The Software Configuration Management (SCM) process defines the need to trace changes, and

the ability to verify that the final delivered software has all of the planned enhancements that are

supposed to be included in the release. What are the procedures that must be defined for each

software project to ensure that a sound SCM process is implemented?

Each correct answer represents a complete solution. Choose all that apply.

A. Configuration status accounting

B. Configuration change control

C. Configuration deployment

D. Configuration audits

E. Configuration identification

F. Configuration implementation

Definition

A. Configuration status accounting

B. Configuration change control

D. Configuration audits

E. Configuration identification

 

Term

Which of the following refers to an information security document that is used in the United States

Department of Defense (DoD) to describe and accredit networks and systems?

A. FIPS

B. TCSEC

C. SSAA

D. FITSAF

Definition
C. SSAA
Term

The National Information Assurance Certification and Accreditation Process (NIACAP) is the

minimum standard process for the certification and accreditation of computer and

telecommunications systems that handle U.S. national security information. Which of the following

participants are required in a NIACAP security assessment?

Each correct answer represents a part of the solution. Choose all that apply.

A. Information Assurance Manager

B. Designated Approving Authority

C. IS program manager

D. User representative

E. Certification agent

Definition

B. Designated Approving Authority

C. IS program manager

D. User representative

E. Certification agent

Term

Which of the following processes is described in the statement below?

"It is the process of implementing risk response plans, tracking identified risks, monitoring residual

risk, identifying new risks, and evaluating risk process effectiveness throughout the project."

A. Perform Quantitative Risk Analysis

B. Perform Qualitative Risk Analysis

C. Monitor and Control Risks

D. Identify Risks

Definition
C. Monitor and Control Risks
Term

There are seven risk responses for any project. Which one of the following is a valid risk response

for a negative risk event?

A. Enhance

B. Exploit

C. Acceptance

D. Share

Definition
C. Acceptance
Term

The National Information Assurance Certification and Accreditation Process (NIACAP) is the

minimum standard process for the certification and accreditation of computer and

telecommunications systems that handle U.S. national security information. What are the different

types of NIACAP accreditation?

Each correct answer represents a complete solution. Choose all that apply.

A. System accreditation

B. Type accreditation

C. Site accreditation

D. Secure accreditation

Definition

A. System accreditation

B. Type accreditation

C. Site accreditation

Term

You are the project manager of the GHY Project for your company. You have completed the risk

response planning with your project team. You now need to update the WBS. Why would the

project manager need to update the WBS after the risk response planning process? Choose the

best answer.

A. Because of risks associated with work packages

B. Because of work that was omitted during the WBS creation

C. Because of risk responses that are now activities

D. Because of new work generated by the risk responses

Definition
D. Because of new work generated by the risk responses
Term

Risk transference refers to the transfer of risks to a third party, usually for a fee; it creates

a contractual relationship for the third party to manage the risk on behalf of the performing

organization. Which one of the following is NOT an example of the transference risk response?

A. Use of insurance

B. Life cycle costing

C. Warranties

D. Performance bonds

Definition
B. Life cycle costing
Term

Adrian is a project manager for a new project using a technology that has recently been released

and there's relatively little information about the technology. Initial testing of the technology makes

the use of it look promising, but there's still uncertainty as to the longevity and reliability of the

technology. Adrian wants to consider the technology factors a risk for her project. Where should

she document the risks associated with this technology so she can track the risk status and

responses?

A. Project charter

B. Risk register

C. Project scope statement

D. Risk low-level watch list

Definition
B. Risk register
Term

Which of the following is a risk response planning technique associated with threats that seeks to

reduce the probability of occurrence or impact of a risk to below an acceptable threshold?

A. Exploit

B. Transference

C. Mitigation

D. Avoidance

Definition
C. Mitigation
Term

BS 7799 is an internationally recognized ISM standard that provides high level, conceptual

recommendations on enterprise security. BS 7799 is basically divided into three parts. Which of

the following statements are true about BS 7799?

Each correct answer represents a complete solution. Choose all that apply.

A. BS 7799 Part 1 was adopted by ISO as ISO/IEC 27001 in November 2005.

B. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.

C. BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards

Institute (BSI) in 1995.

D. BS 7799 Part 3 was published in 2005, covering risk analysis and management.

Definition

B. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.

C. BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards

Institute (BSI) in 1995.

D. BS 7799 Part 3 was published in 2005, covering risk analysis and management.

Term

Gary is the project manager for his organization. He is working with the project stakeholders on

the project requirements and how risks may affect their project. One of the stakeholders is

confused about what constitutes risks in the project. Which of the following is the most accurate

definition of a project risk?

A. It is an uncertain event that can affect the project costs.

B. It is an uncertain event or condition within the project execution.

C. It is an uncertain event that can affect at least one project objective.

D. It is an unknown event that can affect the project scope.

Definition
C. It is an uncertain event that can affect at least one project objective.
Term

You work as a project manager for TechSoft Inc. You are working with the project stakeholders

on the qualitative risk analysis process in your project. You have used all the tools of the qualitative

risk analysis process in your project. Which of the following techniques is NOT used as a tool in

qualitative risk analysis process?

A. Risk Reassessment

B. Risk Categorization

C. Risk Urgency Assessment

D. Risk Data Quality Assessment

Definition
A. Risk Reassessment
Term

You are the project manager for your organization. You have determined that an activity is too

dangerous to complete internally, so you hire a licensed contractor to complete the work. The

contractor, however, may not complete the assigned work on time which could cause delays in

subsequent work beginning. This is an example of what type of risk event?


A. Secondary risk

B. Transference

C. Internal

D. Pure risk

Definition
A. Secondary risk
Term

Tracy is the project manager of the NLT Project for her company. The NLT Project is scheduled to

last 14 months and has a budget at completion of $4,555,000. Tracy's organization will receive a

bonus of $80,000 per day that the project is completed early up to $800,000. Tracy realizes that

there are several opportunities within the project to save on time by crashing the project work.

Crashing the project is what type of risk response?

 

A. Mitigation

B. Exploit

C. Enhance

D. Transference

Definition
C. Enhance
Term

Diana is the project manager of the QPS project for her company. In this project Diana and the

project team have identified a pure risk. Diana and the project team decided, along with the key

stakeholders, to remove the pure risk from the project by changing the project plan altogether.

What is a pure risk?

A. It is a risk event that only has a negative side, such as loss of life or limb.

B. It is a risk event that cannot be avoided because of the order of the work.

C. It is a risk event that is created by a risk response.

D. It is a risk event that is generated due to errors or omission in the project work.

Definition
A. It is a risk event that only has a negative side, such as loss of life or limb.
Term

You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk

analysis process for your project. You can use three available tools and techniques to complete

this process. Which one of the following is NOT a tool or technique that is appropriate for the

quantitative risk analysis process?

A. Quantitative risk analysis and modeling techniques

B. Data gathering and representation techniques

C. Expert judgment

D. Organizational process assets

Definition
D. Organizational process assets
Term

You work as a project manager for TechSoft Inc. You, the project team, and the key project

stakeholders have completed a round of quantitative risk analysis. You now need to update the

risk register with your findings so that you can communicate the risk results to the project

stakeholders - including management. You will need to update all of the following information

except for which one?

A. Probability of achieving cost and time objectives

B. Risk distributions within the project schedule

C. Probabilistic analysis of the project

D. Trends in quantitative risk analysis

Definition
B. Risk distributions within the project schedule
Term

Lisa is the project manager of the SQL project for her company. She has completed the risk

response planning with her project team and is now ready to update the risk register to reflect the

risk response. Which of the following statements best describes the level of detail Lisa should

include with the risk responses she has created?

A. The level of detail is set by historical information.

B. The level of detail must define exactly the risk response for each identified risk.

C. The level of detail is set by project risk governance.

D. The level of detail should correspond with the priority ranking


Definition
D. The level of detail should correspond with the priority ranking
Term

David is the project manager of HGF project for his company. David, the project team, and several

key stakeholders have completed risk identification and are ready to move into qualitative risk

analysis. Tracy, a project team member, does not understand why they need to complete

qualitative risk analysis. Which one of the following is the best explanation for completing

qualitative risk analysis?


A. It is a rapid and cost-effective means of establishing priorities for the plan risk responses and

lays the foundation for quantitative analysis.

B. It is a cost-effective means of establishing probability and impact for the project risks.

C. Qualitative risk analysis helps segment the project risks, create a risk breakdown structure, and

create fast and accurate risk responses.

D. All risks must pass through quantitative risk analysis before qualitative risk analysis.


Definition

A. It is a rapid and cost-effective means of establishing priorities for the plan risk responses and

lays the foundation for quantitative analysis.

Term

The Identify Risk process determines the risks that affect the project and documents their

characteristics. Why should the project team members be involved in the Identify Risk process?

A. They are the individuals that will have the best responses for identified risks events within the

project.

B. They are the individuals that are most affected by the risk events.

C. They are the individuals that will need a sense of ownership and responsibility for the risk events.

D. They are the individuals that will most likely cause and respond to the risk events.

Definition

C. They are the individuals that will need a sense of ownership and responsibility for the risk events.

Term

Which of the following NIST Special Publication documents provides a guideline on questionnaires

and checklists through which systems can be evaluated for compliance against specific control

objectives?

A. NIST SP 800-53A

B. NIST SP 800-26

C. NIST SP 800-53

D. NIST SP 800-59

E. NIST SP 800-60

F. NIST SP 800-37

Definition
B. NIST SP 800-26
Term

Which of the following recovery plans includes specific strategies and actions to deal with specific

variances to assumptions resulting in a particular security problem, emergency, or state of affairs?


A. Business continuity plan

B. Continuity of Operations Plan

C. Disaster recovery plan

D. Contingency plan

Definition
D. Contingency plan
Term

An organization monitors the hard disks of its employees' computers from time to time. Which

policy does this pertain to?

A. Network security policy

B. User password policy

C. Backup policy

D. Privacy policy

Definition
D. Privacy policy
Term

You work as a project manager for BlueWell Inc. You are working with your team members on the

risk responses in the project. Which risk response will likely cause a project to use the

procurement processes?

A. Acceptance

B. Mitigation

C. Exploiting

D. Sharing

Definition
D. Sharing
Term

ISO 17799 has two parts. The first part is an implementation guide with guidelines on how to build

a comprehensive information security infrastructure and the second part is an auditing guide

based on requirements that must be met for an organization to be deemed compliant with ISO

17799. What are the ISO 17799 domains?

Each correct answer represents a complete solution. Choose all that apply.


A. Information security policy for the organization

B. System architecture management

C. Business continuity management

D. System development and maintenance

E. Personnel security


Definition

A. Information security policy for the organization

C. Business continuity management

D. System development and maintenance

E. Personnel security


Term

FITSAF stands for Federal Information Technology Security Assessment Framework. It is a

methodology for assessing the security of information systems. Which of the following FITSAF

levels shows that the procedures and controls have been implemented?

A. Level 2

B. Level 5

C. Level 4

D. Level 1

E. Level 3

Definition
E. Level 3
Term

Sammy is the project manager for her organization. She would like to rate each risk based on its

probability and effect on time, cost, and scope. Harry, a project team member, has never done this

before and thinks Sammy is wrong to attempt this approach. Harry says that an accumulative risk

score should be created, not three separate risk scores. Who is correct in this scenario?

A. Harry is correct, because the risk probability and impact considers all objectives of the project.

B. Harry is correct, the risk probability and impact matrix is the only approach to risk assessment.

C. Sammy is correct, because she is the project manager.

D. Sammy is correct, because organizations can create risk scores for each objective of the project.


Definition
D. Sammy is correct, because organizations can create risk scores for each objective of the project.
Term

An authentication method uses smart cards as well as usernames and passwords for

authentication. Which of the following authentication methods is being referred to?

A. Anonymous

B. Multi-factor

C. Biometrics

D. Mutual

Definition
B. Multi-factor
Term

Which of the following risk responses delineates that the project plan will not be changed to deal

with the risk?

A. Acceptance

B. Mitigation

C. Exploitation

D. Transference

Definition
A. Acceptance
Term

Which of the following statements reflect the 'Code of Ethics Canons' in the '(ISC)2 Code of

Ethics'?

Each correct answer represents a complete solution. Choose all that apply.

A. Protect society, the commonwealth, and the infrastructure.

B. Act honorably, honestly, justly, responsibly, and legally.

C. Provide diligent and competent service to principals.

D. Give guidance for resolving good versus good and bad versus bad dilemmas.

Definition

A. Protect society, the commonwealth, and the infrastructure.

B. Act honorably, honestly, justly, responsibly, and legally.

C. Provide diligent and competent service to principals.

Term

Phase 3 of DITSCAP C&A is known as Validation. The goal of Phase 3 is to validate that the

preceding work has produced an IS that operates in a specified computing environment. What are

the process activities of this phase?

Each correct answer represents a complete solution. Choose all that apply.

A. Perform certification evaluation of the integrated system

B. System development

C. Certification and accreditation decision

D. Develop recommendation to the DAA

E. Continue to review and refine the SSAA

Definition

A. Perform certification evaluation of the integrated system

C. Certification and accreditation decision

D. Develop recommendation to the DAA

E. Continue to review and refine the SSAA

Term

John is the project manager of the NHQ Project for his company. His project has 75 stakeholders,

some of which are external to the organization. John needs to make certain that he communicates

about risk in the most appropriate method for the external stakeholders. Which project

management plan will be the best guide for John to communicate to the external stakeholders?

A. Risk Response Plan

B. Risk Management Plan

C. Project Management Plan

D. Communications Management Plan

Definition
D. Communications Management Plan
Term

Your organization has named you the project manager of the JKN Project. This project has a BAC

of $1,500,000 and it is expected to last 18 months. Management has agreed that if the schedule

baseline has a variance of more than five percent then you will need to crash the project. What

happens when the project manager crashes a project?

A. Project costs will increase.

B. The amount of hours a resource can be used will diminish.

C. The project will take longer to complete, but risks will diminish.

D. Project risks will increase.

Definition
A. Project costs will increase.
Term

Which of the following individuals makes the final accreditation decision?

A. ISSE

B. DAA

C. CRO

D. ISSO

Definition
B. DAA
Term

Which of the following DoD directives defines DITSCAP as the standard C&A process for the

Department of Defense?

A. DoD 8000.1

B. DoD 5200.40

C. DoD 5200.22-M

D. DoD 8910.1

Definition
B. DoD 5200.40
Term

Virginia is the project manager for her organization. She has hired a subject matter expert to

interview the project stakeholders on certain identified risks within the project. The subject matter

expert will assess the risk event with what specific goal in mind?

A. To determine the bias of the risk event based on each person interviewed

B. To determine the probability and cost of the risk event

C. To determine the validity of each risk event

D. To determine the level of probability and impact for each risk event

Definition
D. To determine the level of probability and impact for each risk event
Term

A security policy is an overall general statement produced by senior management that dictates

what role security plays within the organization. What are the different types of policies?

Each correct answer represents a complete solution. Choose all that apply.

A. Systematic

B. Informative

C. Regulatory

D. Advisory

Definition

B. Informative

C. Regulatory

D. Advisory

Term

In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199.

What levels of potential impact are defined by FIPS 199?

Each correct answer represents a complete solution. Choose all that apply.

A. Medium

B. High

C. Low

D. Moderate

Definition

A. Medium

B. High

C. Low

Term

Harry is a project manager of a software development project. In the early stages of planning, he

and the stakeholders operated with the belief that the software they were developing would work

with their organization's current computer operating system. Now that the project team has started

developing the software it has become apparent that the software will not work with nearly half of

the organization's computer operating systems. The incorrect belief Harry had in the software

compatibility is an example of what in project management?

A. Issue

B. Risk

C. Constraint

D. Assumption

Definition
D. Assumption
Term

Which of the following statements about Discretionary Access Control List (DACL) is true?

A. It is a rule list containing access control entries.

B. It specifies whether an audit activity should be performed when an object attempts to access a

resource.

C. It is a unique number that identifies a user, group, and computer account.

D. It is a list containing user accounts, groups, and computers that are allowed (or denied) access

to the object.

Definition

D. It is a list containing user accounts, groups, and computers that are allowed (or denied) access

to the object.

Term

Which type of project tends to have more well-understood risks?

A. State-of-the-art technology projects

B. Recurrent projects

C. Operational work projects

D. First-of-its kind technology projects

Definition
B. Recurrent projects
Term

The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE)

play the role of a supporter and advisor, respectively. Which of the following statements are true

about ISSO and ISSE?

Each correct answer represents a complete solution. Choose all that apply.

A. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).

B. An ISSE manages the security of the information system that is slated for Certification &

Accreditation (C&A).

C. An ISSE provides advice on the continuous monitoring of the information system.

D. An ISSO takes part in the development activities that are required to implement system changes.

E. An ISSE provides advice on the impacts of system changes.

Definition

A. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).

C. An ISSE provides advice on the continuous monitoring of the information system.

E. An ISSE provides advice on the impacts of system changes.


Term

Which of the following processes is described in the statement below?

"This is the process of numerically analyzing the effect of identified risks on overall project

objectives."

A. Identify Risks

B. Perform Quantitative Risk Analysis

C. Perform Qualitative Risk Analysis

D. Monitor and Control Risks

Definition
B. Perform Quantitative Risk Analysis
Term

The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly

given to the most senior executive in an enterprise. What are the responsibilities of a Chief

Information Officer?

Each correct answer represents a complete solution. Choose all that apply.

A. Proposing the information technology needed by an enterprise to achieve its goals and then

working within a budget to implement the plan

B. Preserving high-level communications and working group relationships in an organization

C. Establishing effective continuous monitoring program for the organization

D. Facilitating the sharing of security risk-related information among authorizing officials

Definition

A. Proposing the information technology needed by an enterprise to achieve its goals and then

working within a budget to implement the plan

B. Preserving high-level communications and working group relationships in an organization

C. Establishing effective continuous monitoring program for the organization

Term

Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete

part of the project work for Eric's organization. Due to a change request the ZAS Corporation is no

longer needed on the project even though they have completed nearly all of the project work. Is

Eric's organization liable to pay the ZAS Corporation for the work they have completed so far on

the project?

A. It depends on what the outcome of a lawsuit will determine.

B. No, the ZAS Corporation did not complete all of the work.

C. It depends on what the termination clause of the contract stipulates.

D. Yes, the ZAS Corporation did not choose to terminate the contract work.

Definition
C. It depends on what the termination clause of the contract stipulates.
Term

Mark works as a project manager for TechSoft Inc. Mark, the project team, and the key project

stakeholders have completed a round of qualitative risk analysis. He needs to update the risk

register with his findings so that he can communicate the risk results to the project stakeholders -

including management. Mark will need to update all of the following information except for which

one?

A. Watchlist of low-priority risks

B. Prioritized list of quantified risks

C. Risks grouped by categories

D. Trends in qualitative risk analysis

Definition
B. Prioritized list of quantified risks
Term

Numerous information security standards promote good security practices and define frameworks

or systems to structure the analysis and design for managing information security controls. Which

of the following are the U.S. Federal Government information security standards?

Each correct answer represents a complete solution. Choose all that apply.

A. SA System and Services Acquisition

B. CA Certification, Accreditation, and Security Assessments

C. IR Incident Response

D. Information systems acquisition, development, and maintenance.

Definition

A. SA System and Services Acquisition

B. CA Certification, Accreditation, and Security Assessments

C. IR Incident Response

Term

Which of the following tasks are identified by the Plan of Action and Milestones document?

Each correct answer represents a complete solution. Choose all that apply.

A. The plans that need to be implemented

B. The resources needed to accomplish the elements of the plan

C. Any milestones that are needed in meeting the tasks

D. The tasks that are required to be accomplished

E. Scheduled completion dates for the milestones

Definition

B. The resources needed to accomplish the elements of the plan

C. Any milestones that are needed in meeting the tasks

D. The tasks that are required to be accomplished

E. Scheduled completion dates for the milestones

Term

Jenny is the project manager for the NBT project. She is working with the project team and

several subject matter experts to perform the quantitative risk analysis process. During this

process she and the project team uncover several risk events that were not previously identified.

What should Jenny do with these risk events?

A. The events should be determined if they need to be accepted or responded to.

B. The events should be entered into qualitative risk analysis.

C. The events should continue on with quantitative risk analysis.

D. The events should be entered into the risk register.

Definition
D. The events should be entered into the risk register.
Term

Shoulder surfing is a type of in-person attack in which the attacker gathers information about the

premises of an organization. This attack is often performed by looking surreptitiously at the

keyboard of an employee's computer while he is typing in his password at any access point such

as a terminal/Web site. Which of the following is violated in a shoulder surfing attack?


A. Authenticity

B. Confidentiality

C. Availability

D. Integrity

Definition
B. Confidentiality
Term

Harry is the project manager of the MMQ Construction Project. In this project Harry has identified

a supplier who can create stained glass windows for 1,000 window units in the construction

project. The supplier is an artist who works by himself, but creates windows for several companies

throughout the United States. Management reviews the proposal to use this supplier and while

they agree that the supplier is talented, they do not think the artist can fulfill the 1,000 window units

in time for the project's deadline. Management asked Harry to find a supplier who will guarantee

the completion of the windows by the needed date in the schedule. What risk response has

management asked Harry to implement?

A. Acceptance

B. Mitigation

C. Avoidance

D. Transference

Definition
B. Mitigation
Term

You are the project manager of the BlueStar project in your company. Your company is structured

as a functional organization and you report to the functional manager that you are ready to move

onto the qualitative risk analysis process. What will you need as inputs for the qualitative risk

analysis of the project in this scenario?

A. You will need the risk register, risk management plan, project scope statement, and any

relevant organizational process assets.

B. You will need the risk register, risk management plan, outputs of qualitative risk analysis, and

any relevant organizational process assets.

C. You will need the risk register, risk management plan, permission from the functional manager,

and any relevant organizational process assets.

D. Qualitative risk analysis does not happen through the project manager in a functional structure.

Definition

A. You will need the risk register, risk management plan, project scope statement, and any

relevant organizational process assets.

Term

Henry is the project manager of the QBG Project for his company. This project has a budget of

$4,576,900 and is expected to last 18 months to complete. The CIO, a stakeholder in the project,

has introduced a scope change request for additional deliverables as part of the project work.

What component of the change control system would review the proposed changes' impact on the

features and functions of the project's product?

A. Cost change control system

B. Scope change control system

C. Integrated change control

D. Configuration management system

Definition
D. Configuration management system
Term

Security Test and Evaluation (ST&E) is a component of risk assessment. It is useful in discovering

system vulnerabilities. For what purposes is ST&E used?

Each correct answer represents a complete solution. Choose all that apply.

A. To implement the design of system architecture

B. To determine the adequacy of security mechanisms, assurances, and other properties to

enforce the security policy

C. To assess the degree of consistency between the system documentation and its implementation

D. To uncover design, implementation, and operational flaws that may allow the violation of

security policy

Definition

B. To determine the adequacy of security mechanisms, assurances, and other properties to

enforce the security policy

C. To assess the degree of consistency between the system documentation and its implementation

D. To uncover design, implementation, and operational flaws that may allow the violation of

security policy

Term

Which of the following are the goals of risk management?

Each correct answer represents a complete solution. Choose three.


A. Finding an economic balance between the impact of the risk and the cost of the countermeasure

B. Identifying the risk

C. Assessing the impact of potential threats

D. Identifying the accused

Definition

A. Finding an economic balance between the impact of the risk and the cost of the countermeasure

B. Identifying the risk

C. Assessing the impact of potential threats

Term

Elizabeth is a project manager for her organization and she finds risk management to be very

difficult for her to manage. She asks you, a lead project manager, at what stage in the project will

risk management become easier. What answer best resolves the difficulty of risk management

practices and the effort required?

A. Risk management only becomes easier the more often it is practiced.

B. Risk management is an iterative process and never becomes easier.

C. Risk management only becomes easier when the project moves into project execution.

D. Risk management only becomes easier when the project is closed.

Definition
A. Risk management only becomes easier the more often it is practiced.
Term

Which of the following is NOT an objective of the security program?

A. Security organization

B. Security plan

C. Security education

D. Information classification

Definition
B. Security plan
Term

Which of the following RMF phases identifies key threats and vulnerabilities that could

compromise the confidentiality, integrity, and availability of the institutional critical assets?


A. Phase 2

B. Phase 1

C. Phase 3

D. Phase 0

Definition
B. Phase 1
Term

You are the project manager of the NHQ project for your company. Management has told you that

you must implement an agreed upon contingency response if the Cost Performance Index in your

project is less than 0.90. Consider that your project has a budget at completion of $250,000 and is

60 percent complete. You are scheduled, however, to be 75 percent complete, and you have spent

$165,000 to date. What is the Cost Performance Index for this project to determine if the

contingency response should happen?

A. 0.88

B. 0.80

C. -$37,500

D. 0.91

Definition
D. 0.91
Term

Bill is the project manager of the JKH Project. He and the project team have identified a risk event

in the project with a high probability of occurrence and the risk event has a high cost impact on the

project. Bill discusses the risk event with Virginia, the primary project customer, and she decides

that the requirements surrounding the risk event should be removed from the project. The removal

of the requirements does affect the project scope, but it can release the project from the high risk

exposure. What risk response has been enacted in this project?

A. Avoidance

B. Acceptance

C. Transference

D. Mitigation

Definition
A. Avoidance
Term

In what portion of a project are risk and opportunities greatest and require intense planning and

anticipation of risk events?

A. Planning

B. Executing

C. Closing

D. Initiating

Definition
D. Initiating
Term

You work as a project manager for BlueWell Inc. You and your team are using a method or a

(technical) process that accounts for the risk that would remain even if all theoretically possible safety

measures were applied. One of your team members wants to know what a residual risk is. What will

you reply to your team member?

A. It is a risk that remains because no risk response is taken.

B. It is a risk that remains after planned risk responses are taken.

C. It is a risk that can not be addressed by a risk response.

D. It is a risk that will remain no matter what type of risk response is offered.

Definition
B. It is a risk that remains after planned risk responses are taken.
Term

You are the project manager for your organization. You are preparing for the quantitative risk

analysis. Mark, a project team member, wants to know why you need to do quantitative risk

analysis when you just completed qualitative risk analysis. Which one of the following statements

best defines what quantitative risk analysis is?

A. Quantitative risk analysis is the planning and quantification of risk responses based on

probability and impact of each risk event.

B. Quantitative risk analysis is the process of prioritizing risks for further analysis or action by

assessing and combining their probability of occurrence and impact.

C. Quantitative risk analysis is the review of the risk events with the high probability and the

highest impact on the project objectives.

D. Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on

overall project objectives.

Definition

D. Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on

overall project objectives.

Term

Fred is the project manager of the CPS project. He is working with his project team to prioritize the

identified risks within the CPS project. He and the team are prioritizing risks for further analysis or

action by assessing and combining the risks' probability of occurrence and impact.

What process is Fred completing?

A. Risk identification

B. Perform qualitative analysis

C. Perform quantitative analysis

D. Risk Breakdown Structure creation

Definition
B. Perform qualitative analysis
Term

Diane is the project manager of the HGF Project. A risk that has been identified and analyzed in

the project planning processes is now coming to fruition. What individual should respond to the

risk with the preplanned risk response?

A. Diane

B. Risk owner

C. Subject matter expert

D. Project sponsor

Definition
B. Risk owner
Term

Ned is the project manager of the HNN project for your company. Ned has asked you to help him

complete some probability distributions for his project. What portion of the project will you most

likely use for probability distributions?

A. Uncertainty in values such as duration of schedule activities

B. Bias towards risk in new resources

C. Risk probability and impact matrixes

D. Risk identification


Definition
A. Uncertainty in values such as duration of schedule activities
Term

Which of the following acts promote a risk-based policy for cost effective security?

Each correct answer represents a part of the solution. Choose all that apply.

A. Clinger-Cohen Act

B. Lanham Act

C. Computer Misuse Act

D. Paperwork Reduction Act (PRA)

Definition

A. Clinger-Cohen Act

D. Paperwork Reduction Act (PRA)


Term

To help review or design security controls, they can be classified by several criteria. One of these

criteria is based on time. According to this criterion, which of the following controls are intended to

prevent an incident from occurring?

A. Adaptive controls

B. Preventive controls

C. Detective controls

D. Corrective controls

Definition
B. Preventive controls
Term

You are the project manager for a construction project. The project involves casting of a column in

a very narrow space. Because of the lack of space, casting it is highly dangerous. High technical skill

will be required for casting that column. You decide to hire a local expert team for casting that

column. Which of the following types of risk response are you following?

A. Mitigation

B. Avoidance

C. Transference

D. Acceptance


Definition
C. Transference
Term

Which of the following statements about the authentication concept of information security

management is true?

A. It determines the actions and behaviors of a single individual within a system, and identifies that

particular individual.

B. It ensures that modifications are not made to data by unauthorized personnel or processes.

C. It establishes the users' identity and ensures that the users are who they say they are.

D. It ensures the reliable and timely access to resources.

Definition
C. It establishes the users' identity and ensures that the users are who they say they are.
Term

You and your project team have identified the project risks and now are analyzing the probability

and impact of the risks. What type of analysis of the risks provides a quick and high-level review of

each identified risk event?

A. Qualitative risk analysis

B. Seven risk responses

C. Quantitative risk analysis

D. A risk probability-impact matrix

Definition
A. Qualitative risk analysis
Term

NIST SP 800-53A defines three types of interview depending on the level of assessment

conducted. Which of the following NIST SP 800-53A interviews consists of informal and ad hoc

interviews?


A. Substantial

B. Significant

C. Abbreviated

D. Comprehensive

Definition
C. Abbreviated
Term

What are the responsibilities of a system owner?

Each correct answer represents a complete solution. Choose all that apply.

A. Integrates security considerations into application and system purchasing decisions and

development projects.

B. Ensures that the systems are properly assessed for vulnerabilities and must report any to the

incident response team and data owner.

C. Ensures that adequate security is being provided by the necessary controls, password

management, remote access controls, operating system configurations, and so on.

D. Ensures that the necessary security controls are in place.

Definition

A. Integrates security considerations into application and system purchasing decisions and

development projects.

B. Ensures that the systems are properly assessed for vulnerabilities and must report any to the

incident response team and data owner.

C. Ensures that adequate security is being provided by the necessary controls, password

management, remote access controls, operating system configurations, and so on.

Term

During which of the following processes is the probability and impact matrix prepared?

A. Plan Risk Responses

B. Perform Quantitative Risk Analysis

C. Perform Qualitative Risk Analysis

D. Monitoring and Control Risks

Definition
C. Perform Qualitative Risk Analysis
Term

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It

is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or

after a system is in operation. Which of the following statements are true about Certification and

Accreditation?

Each correct answer represents a complete solution. Choose two.

A. Accreditation is the official management decision given by a senior agency official to authorize

operation of an information system.

B. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.

C. Accreditation is a comprehensive assessment of the management, operational, and technical

security controls in an information system.

D. Certification is the official management decision given by a senior agency official to authorize

operation of an information system.

Definition

A. Accreditation is the official management decision given by a senior agency official to authorize

operation of an information system.

B. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.

Term

You work as a project manager for BlueWell Inc. Your project is running late and you must

respond to the risk. Which risk response can you choose that will also cause you to update the

human resource management plan?

A. Fast tracking the project

B. Teaming agreements

C. Transference

D. Crashing the project

Definition
D. Crashing the project
Term

Which of the following groups represents the most likely source of an asset loss through the

inappropriate use of computers?

A. Hackers

B. Visitors

C. Customers

D. Employees

Definition
D. Employees
Term

You are the project manager of the NNN project for your company. You and the project team are working together to plan the risk responses for the project. You feel that the team has successfully completed the risk response planning, and now you must determine which risk process comes next. Which of the following risk processes is repeated after Plan Risk Responses to determine whether the overall project risk has been satisfactorily decreased?

A. Risk identification

B. Qualitative risk analysis

C. Risk response implementation

D. Quantitative risk analysis

Definition
D. Quantitative risk analysis
Term

You are the project manager of the QSL project for your organization. You are working with your project team and several key stakeholders to create a diagram that shows how various elements of a system interrelate and the mechanism of causation within the system. What diagramming technique are you using as a part of the risk identification process?

A. Cause and effect diagrams

B. System or process flowcharts

C. Predecessor and successor diagramming

D. Influence diagrams

Definition
B. System or process flowcharts
Term

Which of the following statements about the role-based access control (RBAC) model is true?

A. In this model, the permissions are uniquely assigned to each user account.

B. In this model, a user can access resources according to his role in the organization.

C. In this model, the same permission is assigned to each user account.

D. In this model, the users can access resources according to their seniority.

Definition
B. In this model, a user can access resources according to his role in the organization.
Term

The Project Risk Management knowledge area focuses on which of the following processes?

Each correct answer represents a complete solution. Choose all that apply.

A. Quantitative Risk Analysis

B. Potential Risk Monitoring

C. Risk Monitoring and Control

D. Risk Management Planning

Definition

A. Quantitative Risk Analysis

C. Risk Monitoring and Control

D. Risk Management Planning

Term

Certification and Accreditation (C&A or CnA) is a process for implementing information security.

Which of the following is the correct order of C&A phases in a DITSCAP assessment?

A. Definition, Validation, Verification, and Post Accreditation

B. Verification, Definition, Validation, and Post Accreditation

C. Definition, Verification, Validation, and Post Accreditation

D. Verification, Validation, Definition, and Post Accreditation

Definition
C. Definition, Verification, Validation, and Post Accreditation
Term

There are seven risk responses for any project. Which one of the following is a valid risk response

for a negative risk event?

A. Exploit

B. Share

C. Enhance

D. Acceptance

Definition
D. Acceptance
Term

Which of the following persons is responsible for testing and verifying whether the security policy

is properly implemented, and the derived security solutions are adequate or not?

A. Auditor

B. User

C. Data custodian

D. Data owner

Definition
A. Auditor
Term

Which of the following processes provides a standard set of activities, general tasks, and a management structure to certify and accredit systems that maintain the information assurance and security posture of a system or site?

A. DITSCAP

B. NIACAP

C. NSA-IAM

D. ASSET

Definition
B. NIACAP
Term

You work as a project manager for BlueWell Inc. You are working on a project and the

management wants a rapid and cost-effective means for establishing priorities for planning risk

responses in your project. Which risk management process can satisfy management's objective

for your project?

A. Qualitative risk analysis

B. Quantitative analysis

C. Historical information

D. Rolling wave planning

Definition
A. Qualitative risk analysis
Term

Which of the following statements best describes the difference between the role of a data owner

and the role of a data custodian?

A. The custodian implements the information classification scheme after the initial assignment by

the operations manager.

B. The data custodian implements the information classification scheme after the initial assignment by the data owner.

C. The data owner implements the information classification scheme after the initial assignment by

the custodian.

D. The custodian makes the initial information classification assignments, and the operations manager implements the scheme.

Definition

B. The data custodian implements the information classification scheme after the initial assignment by the data owner.

Term

Which of the following NIST C&A documents is the guideline for identifying an information system

as a National Security System?

A. NIST SP800-53

B. NIST SP 800-59

C. NIST SP 800-37

D. NIST SP 800-53A

Definition
B. NIST SP 800-59
Term

Which of the following system security policies is used to address specific issues of concern to the

organization?

A. Program policy

B. Issue-specific policy

C. Informative policy

D. System-specific policy

Definition
B. Issue-specific policy
Term

Which of the following individuals is responsible for ensuring the security posture of the

organization's information system?

A. Authorizing Official

B. Chief Information Officer

C. Security Control Assessor

D. Common Control Provider

Definition
A. Authorizing Official
Term

In which of the following Risk Management Framework (RMF) phases is a risk profile created for

threats?

A. Phase 3

B. Phase 1

C. Phase 2

D. Phase 0

Definition
C. Phase 2
Term

In which of the following DITSCAP phases is the SSAA developed?

A. Phase 4

B. Phase 2

C. Phase 1

D. Phase 3

Definition
C. Phase 1
Term

Which of the following recovery plans includes a monitoring process and triggers for initiating

planned actions?

A. Contingency plan

B. Business continuity plan

C. Disaster recovery plan

D. Continuity of Operations Plan

Definition
A. Contingency plan
Term

What does RTM stand for?

A. Resource Testing Method

B. Replaced Traceability Matrix

C. Requirements Traceability Matrix

D. Resource Tracking Matrix

Definition
C. Requirements Traceability Matrix
Term

Which of the following parts of BS 7799 covers risk analysis and management?

A. Part 1

B. Part 3

C. Part 2

D. Part 4

Definition
B. Part 3
Term

Which of the following NIST documents includes components for penetration testing?

A. NIST SP 800-53

B. NIST SP 800-26

C. NIST SP 800-37

D. NIST SP 800-30

Definition
D. NIST SP 800-30
Term

According to FIPS Publication 199, what are the three levels of potential impact on organizations

in the event of a compromise on confidentiality, integrity, and availability?

A. Confidential, Secret, and High

B. Minimum, Moderate, and High

C. Low, Normal, and High

D. Low, Moderate, and High

Definition
D. Low, Moderate, and High
Term

Which of the following individuals is responsible for the final accreditation decision?

A. Information System Owner

B. Certification Agent

C. User Representative

D. Risk Executive

Definition
A. Information System Owner
Term

Which of the following is a risk that is created by the response to another risk?

A. Secondary risk

B. Residual risk

C. Positive risk

D. Negative risk

Definition
A. Secondary risk
Term

Which of the following processes has the goal to ensure that any change does not lead to reduced

or compromised security?

A. Risk management

B. Security management

C. Configuration management

D. Change control management

Definition
D. Change control management
Term

Which of the following is not a part of the Identify Risks process?

A. Decision tree diagram

B. Cause and effect diagram

C. Influence diagram

D. System or process flow chart

Definition
A. Decision tree diagram
Term

In which of the following phases does the SSAA maintenance take place?

A. Phase 4

B. Phase 2

C. Phase 1

D. Phase 3

Definition
A. Phase 4
Term

Which of the following statements is true about the continuous monitoring process?

A. It takes place in the middle of system security accreditation.

B. It takes place before and after system security accreditation.

C. It takes place before the initial system security accreditation.

D. It takes place after the initial system security accreditation.

Definition
D. It takes place after the initial system security accreditation.
Term

In which of the following phases do the system security plan update and the Plan of Action and

Milestones (POAM) update take place?

A. Continuous Monitoring Phase

B. Accreditation Phase

C. Preparation Phase

D. DITSCAP Phase

Definition
A. Continuous Monitoring Phase
Term

In which of the following phases does the change management process start?

A. Phase 2

B. Phase 1

C. Phase 4

D. Phase 3

Definition
C. Phase 4
Term

Which of the following assessment methods involves observing or conducting the operation of

physical devices?

A. Interview

B. Deviation

C. Examination

D. Testing

Definition
D. Testing
Term

Which of the following individuals is responsible for configuration management and control tasks?

A. Authorizing official

B. Information system owner

C. Chief information officer

D. Common control provider

Definition
B. Information system owner
Term

Which of the following individuals is responsible for preparing and submitting security status

reports to the organizations?

A. Chief Information Officer

B. Senior Agency Information Security Officer

C. Common Control Provider

D. Authorizing Official

Definition
C. Common Control Provider
Term

In which of the following DITSCAP phases is the SSAA developed?

A. Phase 2

B. Phase 4

C. Phase 1

D. Phase 3

Definition
C. Phase 1
Term

Which of the following is used throughout the entire C&A process?

A. DAA

B. DITSCAP

C. SSAA

D. DIACAP

Definition
C. SSAA
Term

What does OCTAVE stand for?

A. Operationally Computer Threat, Asset, and Vulnerability Evaluation

B. Operationally Critical Threat, Asset, and Vulnerability Evaluation

C. Operationally Computer Threat, Asset, and Vulnerability Elimination

D. Operationally Critical Threat, Asset, and Vulnerability Elimination

Definition
B. Operationally Critical Threat, Asset, and Vulnerability Evaluation
Term

Which of the following C&A professionals plays the role of an advisor?

A. Information System Security Engineer (ISSE)

B. Chief Information Officer (CIO)

C. Authorizing Official

D. Information Owner

Definition
A. Information System Security Engineer (ISSE)
Term

Under which of the following elements of security does the object retain its veracity and get modified only intentionally, by authorized subjects?

A. Integrity

B. Nonrepudiation

C. Availability

D. Confidentiality

Definition
A. Integrity
Term

Which of the following recovery plans includes a monitoring process and triggers for initiating

planned actions?

A. Business continuity plan

B. Contingency plan

C. Continuity of Operations Plan

D. Disaster recovery plan

Definition
B. Contingency plan
Term

Which of the following NIST publications defines impact?

A. NIST SP 800-41

B. NIST SP 800-37

C. NIST SP 800-30

D. NIST SP 800-53

Definition
C. NIST SP 800-30
Term

Which of the following NIST documents defines impact?

A. NIST SP 800-26

B. NIST SP 800-53A

C. NIST SP 800-53

D. NIST SP 800-30

Definition
D. NIST SP 800-30
Term

Which of the following formulas was developed by FIPS 199 for categorization of an information

system?

A. SC information system = {(confidentiality, impact), (integrity, controls), (availability, risk)}

B. SC information system = {(confidentiality, risk), (integrity, impact), (availability, controls)}

C. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

D. SC information system = {(confidentiality, controls), (integrity, controls), (availability, controls)}

Definition
C. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
Term

Which of the following relations correctly describes total risk?

A. Total Risk = Threats x Vulnerability x Asset Value

B. Total Risk = Viruses x Vulnerability x Asset Value

C. Total Risk = Threats x Exploit x Asset Value

D. Total Risk = Viruses x Exploit x Asset Value

Definition
A. Total Risk = Threats x Vulnerability x Asset Value
Term

Which of the following individuals is responsible for the final accreditation decision?

A. Certification Agent

B. User Representative

C. Information System Owner

D. Risk Executive

Definition
C. Information System Owner
Term

Which of the following individuals makes the final accreditation decision?

A. DAA

B. ISSO

C. CIO

D. CISO

Definition
A. DAA
Term

A ________ points to a statement in a policy or procedure that helps determine a course of action.

A. Comment

B. Guideline

C. Procedure

D. Baseline

Definition
B. Guideline
Term

For which of the following reporting requirements are continuous monitoring documentation

reports used?

A. FISMA

B. NIST

C. HIPAA

D. FBI

Definition
A. FISMA
Term

Which of the following are the types of assessment tests addressed in NIST SP 800-53A?

A. Functional, penetration, validation

B. Validation, evaluation, penetration

C. Validation, penetration, evaluation

D. Functional, structural, penetration

Definition
D. Functional, structural, penetration
Term

Which of the following individuals is responsible for configuration management and control tasks?

A. Common control provider

B. Information system owner

C. Authorizing official

D. Chief information officer

Definition
B. Information system owner
Term

Which of the following documents is used to provide a standard approach to the assessment of

NIST SP 800-53 security controls?

A. NIST SP 800-53A

B. NIST SP 800-66

C. NIST SP 800-41

D. NIST SP 800-37

Definition
A. NIST SP 800-53A
Term

Which of the following guidance documents is useful in determining the impact level of a particular

threat on agency systems?

A. NIST SP 800-41

B. NIST SP 800-37

C. FIPS 199

D. NIST SP 800-14

Definition
C. FIPS 199
Term

Tom is the project manager for his organization. In his project he has recently finished the risk

response planning. He tells his manager that he will now need to update the cost and schedule

baselines. Why would risk response planning require Tom to update the cost and schedule baselines?

A. New or omitted work as part of a risk response can cause changes to the cost and/or schedule

baseline.

B. Risk responses protect the time and investment of the project.

C. Risk responses may take time and money to implement.

D. Baselines should not be updated, but refined through versions.

Definition

A. New or omitted work as part of a risk response can cause changes to the cost and/or schedule

baseline.

Term

Which of the following DoD directives is referred to as the Defense Automation Resources

Management Manual?

A. DoD 5200.22-M

B. DoD 5200.1-R

C. DoD 8910.1

D. DoDD 8000.1

E. DoD 7950.1-M

Definition
E. DoD 7950.1-M
Term

Management wants you to create a visual diagram of what resources will be utilized in the project

deliverables. What type of chart is management asking you to create?

A. Work breakdown structure

B. Roles and responsibility matrix

C. Resource breakdown structure

D. RACI chart

Definition
C. Resource breakdown structure
Term

Shoulder surfing is a type of in-person attack in which the attacker gathers information about the

premises of an organization. This attack is often performed by looking surreptitiously at the

keyboard of an employee's computer while he is typing in his password at any access point such

as a terminal/Web site. Which of the following is violated in a shoulder surfing attack?

A. Authenticity

B. Integrity

C. Availability

D. Confidentiality

Definition
D. Confidentiality
Term

Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete

part of the project work for Eric's organization. Due to a change request the ZAS Corporation is no

longer needed on the project even though they have completed nearly all of the project work. Is

Eric's organization liable to pay the ZAS Corporation for the work they have completed so far on

the project?

A. No, the ZAS Corporation did not complete all of the work.

B. Yes, the ZAS Corporation did not choose to terminate the contract work.

C. It depends on what the outcome of a lawsuit will determine.

D. It depends on what the termination clause of the contract stipulates.

Definition
D. It depends on what the termination clause of the contract stipulates.
Term

Under which type of access control does a user ID and password system fall?

A. Administrative

B. Technical

C. Physical

D. Power

Definition
B. Technical
Term

There are seven risk responses for any project. Which one of the following is a valid risk response

for a negative risk event?

A. Enhance

B. Exploit

C. Acceptance

D. Share

Definition
C. Acceptance
Term

Which of the following processes is described in the statement below?

"It is the process of implementing risk response plans, tracking identified risks, monitoring residual

risk, identifying new risks, and evaluating risk process effectiveness throughout the project."

A. Perform Quantitative Risk Analysis

B. Monitor and Control Risks

C. Perform Qualitative Risk Analysis

D. Identify Risks

Definition
B. Monitor and Control Risks
Term

Which of the following DITSCAP phases validates that the preceding work has produced an IS

that operates in a specified computing environment?

A. Phase 3

B. Phase 2

C. Phase 4

D. Phase 1

Definition
A. Phase 3
Term

Harry is a project manager of a software development project. In the early stages of planning, he

and the stakeholders operated with the belief that the software they were developing would work

with their organization's current computer operating system. Now that the project team has started

developing the software it has become apparent that the software will not work with nearly half of

the organization's computer operating systems. The incorrect belief Harry had in the software

compatibility is an example of what in project management?

A. Assumption

B. Issue

C. Risk

D. Constraint

Definition
A. Assumption
Term

The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE)

play the role of a supporter and advisor, respectively. Which of the following statements are true

about ISSO and ISSE?

Each correct answer represents a complete solution. Choose all that apply.

A. An ISSE manages the security of the information system that is slated for Certification &

Accreditation (C&A).

B. An ISSO takes part in the development activities that are required to implement system changes.

C. An ISSE provides advice on the continuous monitoring of the information system.

D. An ISSE provides advice on the impacts of system changes.

E. An ISSO manages the security of the information system that is slated for Certification &

Accreditation (C&A).

Definition

C. An ISSE provides advice on the continuous monitoring of the information system.

D. An ISSE provides advice on the impacts of system changes.

E. An ISSO manages the security of the information system that is slated for Certification &

Accreditation (C&A).

Term

Which one of the following is the only output for the qualitative risk analysis process?

A. Enterprise environmental factors

B. Project management plan

C. Risk register updates

D. Organizational process assets

Definition
C. Risk register updates
Term

Which of the following RMF phases is known as risk analysis?

A. Phase 0

B. Phase 1

C. Phase 2

D. Phase 3

Definition
C. Phase 2
Term

You work as a project manager for BlueWell Inc. There has been a delay in your project work that

is adversely affecting the project schedule. You decided, with your stakeholders' approval, to fast

track the project work to get the project done faster. When you fast track the project which of the

following are likely to increase?

A. Risks

B. Human resource needs

C. Quality control concerns

D. Costs

Definition
A. Risks
Term

An authentication method uses smart cards as well as usernames and passwords for

authentication. Which of the following authentication methods is being referred to?

A. Anonymous

B. Multi-factor

C. Biometrics

D. Mutual

Definition
B. Multi-factor
Term

In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199.

What levels of potential impact are defined by FIPS 199?

Each correct answer represents a complete solution. Choose all that apply.

A. Low

B. Moderate

C. High

D. Medium

Definition

A. Low

C. High

D. Medium

Term

Which of the following is NOT an objective of the security program?

A. Security organization

B. Security plan

C. Security education

D. Information classification

Definition
B. Security plan
Term

Walter is the project manager of a large construction project. He'll be working with several vendors

on the project. Vendors will be providing materials and labor for several parts of the project. Some

of the work in the project is very dangerous, so Walter has implemented safety requirements for

all of the vendors and his own project team. Stakeholders for the project have added new

requirements, which have caused new risks in the project. A vendor has identified a new risk that

could affect the project if it comes to fruition. Walter agrees with the vendor and has updated the

risk register and created potential risk responses to mitigate the risk. What should Walter also

update in this scenario considering the risk event?

A. Project contractual relationship with the vendor

B. Project communications plan

C. Project management plan

D. Project scope statement

Definition
C. Project management plan
Term

During which of the following processes is the probability and impact matrix prepared?

A. Plan Risk Responses

B. Perform Quantitative Risk Analysis

C. Perform Qualitative Risk Analysis

D. Monitoring and Control Risks

Definition
C. Perform Qualitative Risk Analysis
Term

During qualitative risk analysis you want to define the risk urgency assessment. All of the following

are indicators of risk priority except for which one?

A. Symptoms

B. Cost of the project

C. Warning signs

D. Risk rating

Definition
B. Cost of the project
Term

Which of the following statements about a Discretionary Access Control List (DACL) is true?

A. It is a rule list containing access control entries.

B. It specifies whether an audit activity should be performed when an object attempts to access a

resource.

C. It is a list containing user accounts, groups, and computers that are allowed (or denied) access

to the object.

D. It is a unique number that identifies a user, group, or computer account.

Definition

C. It is a list containing user accounts, groups, and computers that are allowed (or denied) access

to the object.

Term

Which of the following is used to indicate that the software has met a defined quality level and is

ready for mass distribution either by electronic means or by physical media?

A. DAA

B. RTM

C. ATM

D. CRO

Definition
B. RTM
Term

Which of the following processes is a structured approach to transitioning individuals, teams, and

organizations from a current state to a desired future state?

A. Configuration management

B. Procurement management

C. Change management

D. Risk management

Definition
C. Change management
Term

A security policy is an overall general statement produced by senior management that dictates

what role security plays within the organization. What are the different types of policies?

Each correct answer represents a complete solution. Choose all that apply.

A. Systematic

B. Regulatory

C. Advisory

D. Informative

Definition

B. Regulatory

C. Advisory

D. Informative

Term

Which of the following is a standard that sets basic requirements for assessing the effectiveness of

computer security controls built into a computer system?

A. TCSEC

B. FIPS

C. SSAA

D. FITSAF

Definition
A. TCSEC
Term

Which of the following statements correctly describes DIACAP residual risk?

A. It is the remaining risk to the information system after risk palliation has occurred.

B. It is a process of security authorization.

C. It is the technical implementation of the security design.

D. It is used to validate the information system.

Definition
A. It is the remaining risk to the information system after risk palliation has occurred.