CAP Practice Questions
404 real CAP exam questions with expert-verified answers and explanations. Page 5 of 9.
- Question #201: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following is a risk that is created by the response to another risk?
  Tags: Risk management; Secondary risk; Risk response; Risk terminology
- Question #202: Compliance Maintenance
  Which of the following processes has the goal of ensuring that any change does not lead to reduced or compromised security?
  Tags: Change control; Security change management; System integrity; Operational security
- Question #203: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following is not a part of the Identify Risks process?
  Tags: Risk Identification Techniques; Risk Management Process; Decision Analysis Tools
- Question #204: Compliance Maintenance
  In which of the following phases does SSAA maintenance take place?
  Tags: SSAA; Authorization process; Maintenance phase; Compliance
- Question #205: Compliance Maintenance
  Which of the following statements is true about the continuous monitoring process?
  Tags: Continuous Monitoring; Risk Management Framework (RMF); System Authorization; Accreditation
- Question #206: Compliance Maintenance
  In which of the following phases do the system security plan update and the Plan of Action and Milestones (POAM) update take place?
  Tags: Continuous Monitoring; System Security Plan (SSP); Plan of Action and Milestones (POAM); Risk Management Framework (RMF) phases
- Question #207: Implementation of Security and Privacy Controls
  In which of the following phases does the change management process start?
  Tags: RMF Phases; Change Management; Implementation Phase; NIST SP 800-37
- Question #208: Assessment/Audit of Security and Privacy Controls
  Which of the following assessment methods involves observing or conducting the operation of physical devices?
  Tags: Assessment methods; Control testing; Physical security assessment; Security control verification
- Question #209: Compliance Maintenance
  Which of the following individuals is responsible for configuration management and control tasks?
  Tags: Configuration management; Information system owner; Roles and responsibilities; RMF roles
- Question #210: Compliance Maintenance
  Which of the following individuals is responsible for preparing and submitting security status reports to the organization?
  Tags: RMF Roles; Common Control Provider; Security Reporting; Compliance Monitoring
- Question #211: Security and Privacy Governance, Risk Management, and Compliance Program
  In which of the following DITSCAP phases is the SSAA developed?
  Tags: DITSCAP; SSAA; Certification and Accreditation; Security Authorization
- Question #212: System Compliance
  Which of the following is used throughout the entire C&A process?
  Tags: C&A Documentation; SSAA; DITSCAP; DIACAP
- Question #213: Security and Privacy Governance, Risk Management, and Compliance Program
  What does OCTAVE stand for?
  Tags: OCTAVE; Risk Management Frameworks; Vulnerability Evaluation; Acronyms
- Question #214: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following C&A professionals plays the role of an advisor?
  Tags: C&A Roles; ISSE; Security Authorization; Professional Responsibilities
- Question #215: Security and Privacy Governance, Risk Management, and Compliance Program
  In which of the following elements of security does the object retain its veracity and is modified only intentionally, by authorized subjects?
  Tags: CIA Triad; Data Integrity; Information Security Principles; Security Concepts
- Question #216: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following recovery plans includes a monitoring process and triggers for initiating planned actions?
  Tags: Contingency Planning; Recovery Plans; Monitoring; Triggers
- Question #217: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following NIST publications defines impact?
  Tags: NIST SP 800-30; Risk Assessment; Impact Analysis; NIST Publications
- Question #218: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following NIST documents defines impact?
  Tags: NIST SP 800-30; Risk Assessment; Impact Definition; NIST Documents
- Question #219: Scope of the System
  Which of the following formulas is defined in FIPS 199 for the security categorization of an information system?
  Tags: FIPS 199; System Categorization; Impact Assessment; CIA Triad
- Question #220: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following relations correctly describes total risk?
  Tags: Risk Management; Risk Calculation; Threats; Vulnerability
- Question #221: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following individuals is responsible for the final accreditation decision?
  Tags: Accreditation; Information System Owner; Authorization to Operate (ATO); Roles and Responsibilities
- Question #222: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following individuals makes the final accreditation decision?
  Tags: RMF roles; Accreditation decision; Authorization Official (AO); Designated Approving Authority (DAA)
- Question #223: Security and Privacy Governance, Risk Management, and Compliance Program
  A ________ points to a statement in a policy or procedure that helps determine a course of action.
  Tags: Policies; Procedures; Guidelines; Governance
- Question #224: Compliance Maintenance
  For which of the following reporting requirements are continuous monitoring documentation reports used?
  Tags: Continuous Monitoring; FISMA; Reporting Requirements; Compliance
- Question #225: Assessment/Audit of Security and Privacy Controls
  Which of the following are the types of assessment tests addressed in NIST SP 800-53A?
  Tags: NIST SP 800-53A; Control Assessment; Assessment Methods; Penetration Testing
- Question #226: Implementation of Security and Privacy Controls
  Which of the following individuals is responsible for configuration management and control tasks?
  Tags: Roles and Responsibilities; Information System Owner; Configuration Management; NIST RMF
- Question #227: Assessment/Audit of Security and Privacy Controls
  Which of the following documents is used to provide a standard approach to the assessment of NIST SP 800-53 security controls?
  Tags: NIST SP 800-53A; Security Control Assessment; Assessment Methodology; NIST SP 800-53
- Question #228: Scope of the System
  Which of the following guidance documents is useful in determining the impact level of a particular threat on agency systems?
  Tags: FIPS 199; Impact Level; Security Categorization; NIST
- Question #229: Security and Privacy Governance, Risk Management, and Compliance Program
  Tom is the project manager for his organization. In his project he has recently finished the risk response planning. He tells his manager that he will now need to update the cost a...
  Tags: Risk Management; Project Planning; Cost Baselines; Schedule Baselines
- Question #230: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual?
  Tags: DoD Directives; Government Regulations; Resource Management Manuals
- Question #231: Implementation of Security and Privacy Controls
  Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of chart is management asking you to create?
  Tags: Project Management; Resource Management; Project Planning; CAP Concepts
- Question #232: Security and Privacy Governance, Risk Management, and Compliance Program
  Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptiti...
  Tags: Shoulder surfing; Confidentiality; Physical security
- Question #233: Security and Privacy Governance, Risk Management, and Compliance Program
  Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete part of the project work for Eric's organization. Due to a change request the ZAS Corpo...
  Tags: Contract management; Vendor management; Termination clauses; Project liability
- Question #234: Selection and Approval of Framework, Security, and Privacy Controls
  Under which type of access control does a user ID and password system fall?
  Tags: Access Control; Technical Controls; Authentication; Identification
- Question #235: Security and Privacy Governance, Risk Management, and Compliance Program
  There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?
  Tags: Risk Management; Risk Response Strategies; Negative Risks; Acceptance
- Question #236: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following processes is described in the statement below? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, i...
  Tags: Risk Management Process; Risk Monitoring; Risk Control; Risk Response
- Question #237: Assessment/Audit of Security and Privacy Controls
  Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment?
  Tags: DITSCAP Phases; System Validation; Certification & Accreditation; Security Assessment
- Question #238: Scope of the System
  Harry is a project manager of a software development project. In the early stages of planning, he and the stakeholders operated with the belief that the software they were developi...
  Tags: Project Management; Assumptions; Software Compatibility; Planning
- Question #239: Security and Privacy Governance, Risk Management, and Compliance Program
  The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statem...
  Tags: ISSO responsibilities; ISSE responsibilities; Risk Management Framework (RMF) roles; Continuous monitoring
- Question #240: Security and Privacy Governance, Risk Management, and Compliance Program
  Which one of the following is the only output of the qualitative risk analysis process?
  Tags: Risk Management; Qualitative Risk Analysis; Risk Register
- Question #241: Selection and Approval of Framework, Security, and Privacy Controls
  Which of the following RMF phases is known as risk analysis?
  Tags: RMF Phases; NIST RMF; Risk Analysis; Control Selection
- Question #242: Security and Privacy Governance, Risk Management, and Compliance Program
  You work as a project manager for BlueWell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decided, with your stakeholders' a...
  Tags: Risk management; Project risk; Fast-tracking; Schedule compression
- Question #243: Selection and Approval of Framework, Security, and Privacy Controls
  An authentication method uses smart cards as well as usernames and passwords for authentication. Which of the following authentication methods is being referred to?
  Tags: Authentication; Multi-factor Authentication (MFA); Smart Cards; Identity and Access Management
- Question #244: Security and Privacy Governance, Risk Management, and Compliance Program
  In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199. What levels of potential impact are defined by FIPS 199? Each correct answer represen...
  Tags: FIPS 199; Impact Levels; Information Classification; Risk Categorization
- Question #245: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following is NOT an objective of the security program?
  Tags: Security Program Objectives; Security Governance; Security Management; Program Components
- Question #246: Security and Privacy Governance, Risk Management, and Compliance Program
  Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts...
  Tags: Risk Management; Project Management Plan; Risk Response; Project Updates
- Question #247: Security and Privacy Governance, Risk Management, and Compliance Program
  During which of the following processes is the probability and impact matrix prepared?
  Tags: Risk Management; Qualitative Risk Analysis; Probability and Impact Matrix; Risk Prioritization
- Question #248: Security and Privacy Governance, Risk Management, and Compliance Program
  During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?
  Tags: Qualitative Risk Analysis; Risk Prioritization; Risk Urgency Assessment; Risk Indicators
- Question #249: Implementation of Security and Privacy Controls
  Which of the following statements about a Discretionary Access Control List (DACL) is true?
  Tags: DACL; Access Control; Security Controls
- Question #250: System Compliance
  Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution, either electronically or on physical media?
  Tags: Software Release Cycle; Release Management; Quality Assurance; Product Lifecycle
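Questions #219, #228 and #244 above all turn on the FIPS 199 categorization formula and its three impact levels, and the usual exam trap is forgetting how the per-information-type values roll up to the system. The block below is an added worked example for this page, not code from the question bank or from any NIST publication. It applies the formula SC = {(confidentiality, impact), (integrity, impact), (availability, impact)} to each information type, takes the high-water mark per objective across all information types the system handles (with the FIPS 199 rule that a system is never NA for any objective, so LOW is the floor), and then takes the highest objective as the overall impact level that FIPS 200 uses to select the SP 800-53 baseline. The information types and impact values in `sample_scada_system()` are constructed for illustration only.

```python
"""FIPS 199 security categorization with the high-water mark.

Added example for this page; not code from the question bank or from NIST.
The information types and impact values in sample_scada_system() are
constructed for illustration only.
"""
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact values. NA is permitted only for the confidentiality
    of an information type (public information), never for a system."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def info_type_errors(sc):
    """Return the FIPS 199 rule violations found in an information-type category."""
    errors = []
    for obj in OBJECTIVES:
        if obj not in sc:
            errors.append(f"missing security objective: {obj}")
        elif obj != "confidentiality" and sc[obj] == Impact.NA:
            errors.append(f"{obj} may not be NA; only confidentiality may be NA")
    return errors


def categorize_info_type(confidentiality, integrity, availability):
    """SC(information type) = {(C, impact), (I, impact), (A, impact)}, validated."""
    sc = {"confidentiality": Impact(confidentiality),
          "integrity": Impact(integrity),
          "availability": Impact(availability)}
    errors = info_type_errors(sc)
    if errors:
        raise ValueError("; ".join(errors))
    return sc


def categorize_system(info_types):
    """High-water mark: for each objective take the highest impact across all
    information types the system stores, processes or transmits. A system can
    never be NA for any objective; FIPS 199 sets the floor at LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    system_sc = {}
    for obj in OBJECTIVES:
        highest = max(sc[obj] for sc in info_types.values())
        system_sc[obj] = max(highest, Impact.LOW)
    return system_sc


def overall_impact(system_sc):
    """FIPS 200 overall impact level: the highest of the three objectives,
    which selects the SP 800-53 baseline (low, moderate or high)."""
    return max(system_sc.values())


def format_sc(sc):
    """Render a category in the FIPS 199 notation."""
    return "SC = {" + ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES) + "}"


def sample_scada_system():
    """Constructed example: a control system carrying real-time sensor data
    (public, but integrity- and availability-critical) plus routine
    administrative records (all LOW). Returns (per-type, system, overall)."""
    info_types = {
        "sensor_data": categorize_info_type(Impact.NA, Impact.HIGH, Impact.HIGH),
        "admin_records": categorize_info_type(Impact.LOW, Impact.LOW, Impact.LOW),
    }
    system_sc = categorize_system(info_types)
    return info_types, system_sc, overall_impact(system_sc)


if __name__ == "__main__":
    info_types, system_sc, overall = sample_scada_system()
    for name, sc in info_types.items():
        print(f"{name:14s} {format_sc(sc)}")
    print(f"{'system':14s} {format_sc(system_sc)}")
    print(f"overall impact level: {overall.name}")
```

Note how the sensor data's NA confidentiality is lifted to LOW at the system level while its HIGH integrity and availability drive the whole system to a HIGH baseline; that asymmetry is exactly why the system category must be computed per objective before the overall level is chosen.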