CAP Practice Questions
404 real CAP exam questions with expert-verified answers and explanations. Page 6 of 9.
- Question #251 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state?
  Topics: Change management; Organizational change; Process management
- Question #252 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of poli...
  Topics: Security Policy Types; Policy Classification; Regulatory Policies; Advisory Policies
- Question #253 (Assessment/Audit of Security and Privacy Controls)
  Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?
  Topics: TCSEC; Security Control Assessment; Evaluation Standards
- Question #254 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following statements correctly describes DIACAP residual risk?
  Topics: DIACAP; Residual Risk; Risk Management
- Question #255 (Compliance Maintenance)
  Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?
  Topics: Common Control Provider; Monitoring; Configuration Management; NIST RMF Roles
- Question #256 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibili...
  Topics: CIO Responsibilities; IT Governance; Continuous Monitoring; Strategic IT Planning
- Question #257 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statem...
  Topics: ISSO responsibilities; ISSE responsibilities; Certification and Accreditation (C&A); Continuous monitoring
- Question #258 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?
  Topics: C&A process initiation; Information system owner; RMF roles
- Question #259 (Assessment/Audit of Security and Privacy Controls)
  Which of the following assessment methodologies defines a six-step technical security evaluation?
  Topics: FIPS 102; Assessment Methodologies; Technical Security Evaluation; Certification and Accreditation (C&A)
- Question #260 (System Compliance)
  DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December...
  Topics: DIACAP; Certification and Accreditation (C&A); DoD; System Lifecycle
- Question #261 (Selection and Approval of Framework, Security, and Privacy Controls)
  Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will h...
  Topics: Access Control Models; Role-Based Access Control; Least Privilege Principle
- Question #262 (System Compliance)
  Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?
  Topics: DoD Security; System Accreditation; Information Security Documentation; SSAA
- Question #263 (Implementation of Security and Privacy Controls)
  James works as IT systems personnel at SoftTech Inc. He performs the following tasks: Runs regular backups and routine tests of the validity of the backup data. Performs data res...
  Topics: Data Custodian; Roles and Responsibilities; Backup and Recovery; Information Management
- Question #264 (Implementation of Security and Privacy Controls)
  FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF...
  Topics: FITSAF; Security Controls; Implementation; Assessment Framework
- Question #265 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?
  Topics: Certification and Accreditation; DITSCAP; C&A Process Phases
- Question #266 (Security and Privacy Governance, Risk Management, and Compliance Program)
  System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the diffe...
  Topics: System Authorization Plan (SAP); Authorization Process Phases; Risk Management Framework (RMF); Certification & Accreditation (C&A)
- Question #267 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The IAM/CA makes certification accreditation recommendations to the DAA. The DAA issues accreditation determinations. Which of the following are the accreditation determinations is...
  Topics: Authorization Decisions; Accreditation Determinations; DAA/AO; RMF Authorization Step
- Question #268 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into productio...
  Topics: FISMA; Certification and Accreditation (C&A); Federal Regulations; OMB
- Question #269 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecomm...
  Topics: NIACAP; Accreditation types; Certification and Accreditation
- Question #270 (Security and Privacy Governance, Risk Management, and Compliance Program)
  According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls. Which of the fo...
  Topics: DoD Instruction 8500.2; Information Assurance areas; Security controls; DoD compliance
- Question #271 (Security and Privacy Governance, Risk Management, and Compliance Program)
  You are the project manager of the NHH project for your company. You have completed the first round of risk management planning and have created four outputs of the risk response p...
  Topics: Risk Management; Risk Response Planning; Project Management Outputs
- Question #272 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing. Upon review of the proposed changes, you ha...
  Topics: Change Control; Project Management; Risk Management; Governance
- Question #273 (Assessment/Audit of Security and Privacy Controls)
  Which of the following assessment methodologies defines a six-step technical security evaluation?
  Topics: Security Evaluation; Assessment Methodologies; FIPS 102; Certification and Accreditation (C&A)
- Question #274 (Implementation of Security and Privacy Controls)
  You are the project manager of the NNH Project. In this project you have created a contingency response that the schedule performance index should be less than 0.93. The NHH Projec...
  Topics: Schedule Performance Index (SPI); Earned Value Management (EVM); Project Performance Metrics
- Question #275 (System Compliance)
  A Web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark's financial and personal de...
  Topics: Privacy law; Data sharing; Personal information; Legal compliance
- Question #276 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following is a 1996 United States federal law, designed to improve the way the federal government acquires, uses, and disposes of information technology?
  Topics: Federal Law; Clinger-Cohen Act; IT Governance; Government Acquisition
- Question #277 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred u...
  Topics: Quantitative Risk Analysis; Risk Management Process; Iterative Risk Management; Risk Response Planning
- Question #278 (Security and Privacy Governance, Risk Management, and Compliance Program)
  You are the project manager for a construction project. The project includes work that involves very high financial risks. You decide to insure processes so that any ill happenin...
  Topics: Risk Management; Risk Response Strategies; Risk Transfer; Insurance
- Question #279 (Selection and Approval of Framework, Security, and Privacy Controls)
  Which of the following are included in Administrative Controls? Each correct answer represents a complete solution. Choose all that apply.
  Topics: Administrative Controls; Security Control Types; Personnel Security; Security Awareness Training
- Question #280 (Implementation of Security and Privacy Controls)
  Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process...
  Topics: DITSCAP; Certification and Accreditation (C&A); System Development Life Cycle (SDLC); Verification Phase
- Question #281 (Security and Privacy Governance, Risk Management, and Compliance Program)
  You are the project manager for the GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may no...
  Topics: Risk Management; Risk Response; Transference
- Question #282 (Security and Privacy Governance, Risk Management, and Compliance Program)
  You are the project manager of the GHQ project for your company. You are working with your project team to prepare for the qualitative risk analysis process. Mary, a project team...
  Topics: Qualitative Risk Analysis; Risk Management Process; Risk Impact Assessment; Project Risk Management
- Question #283 (Selection and Approval of Framework, Security, and Privacy Controls)
  Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will h...
  Topics: Access Control Models; Role-Based Access Control (RBAC); Least Privilege; Security Principles
- Question #284 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following are the common roles with regard to data in an information classification program? Each correct answer represents a complete solution. Choose all that apply.
  Topics: Data roles; Information classification; Data governance; Security roles
- Question #285 (Selection and Approval of Framework, Security, and Privacy Controls)
  To help review or design security controls, they can be classified by several criteria. One of these criteria is based on nature. According to this criterion, which of the following...
  Topics: Security control types; Procedural controls; Administrative controls; Control classification
- Question #286 (Security and Privacy Governance, Risk Management, and Compliance Program)
  An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing Official? Each correct answer represents a complete solution. Choose all that...
  Topics: Authorizing Official (AO); Risk Management Framework (RMF); Authorization decisions; Continuous Monitoring
- Question #287 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Jeff, a key stakeholder in your project, wants to know how the risk exposure for the risk events is calculated during quantitative risk analysis. He is worried about the risk expos...
  Topics: Risk Management; Quantitative Risk Analysis; Risk Exposure; Probability and Impact
- Question #288 (Security and Privacy Governance, Risk Management, and Compliance Program)
  You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. You will need all of the following as...
  Topics: Risk Management; Qualitative Risk Analysis; Project Management Process; Inputs
- Question #289 (Security and Privacy Governance, Risk Management, and Compliance Program)
  In which of the following Risk Management Framework (RMF) phases is strategic risk assessment planning performed?
  Topics: RMF; NIST SP 800-37; Prepare Phase; Risk Assessment Planning
- Question #290 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following administrative policy controls requires individuals or organizations to be engaged in good business practices relative to the organization's industry?
  Topics: Due care; Administrative controls; Policy controls; Good business practices
- Question #291 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following is a security policy implemented by an organization due to compliance, regulation, or other legal requirements?
  Topics: Security policies; Compliance; Regulatory requirements; Policy types
- Question #292 (System Compliance)
  Which of the following phases begins with a review of the SSAA in the DITSCAP accreditation?
  Topics: DITSCAP; SSAA; Accreditation Phases; System Security Authorization Agreement
- Question #293 (Scope of the System)
  Which of the following formulas was developed by FIPS 199 for categorization of an information type?
  Topics: FIPS 199; Information Categorization; CIA Triad; Impact Assessment
- Question #294 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following is NOT considered an environmental threat source?
  Topics: Environmental threats; Threat identification; Risk management; Threat categorization
- Question #295 (Assessment/Audit of Security and Privacy Controls)
  Which of the following is NOT a type of penetration test?
  Topics: Penetration testing; Security testing types; Black box testing; White box testing
- Question #296 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following formulas was developed by FIPS 199 for categorization of an information system?
  Topics: FIPS 199; Information System Categorization; Security Categorization; CIA Impact Levels
- Question #297 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following NIST documents defines impact?
  Topics: NIST SP 800-30; Risk Assessment; Impact Analysis; NIST Guidance
- Question #298 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following relations correctly describes residual risk?
  Topics: Residual Risk; Risk Calculation; Control Effectiveness; Risk Components
- Question #299 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following is NOT a phase of the security certification and accreditation process?
  Topics: Security Certification and Accreditation (C&A); Risk Management Framework (RMF); C&A Phases; System Authorization Process
- Question #300 (Compliance Maintenance)
  Which of the following processes has the goal of ensuring that any change does not lead to reduced or compromised security?
  Topics: Change Management; Security Controls; System Security Lifecycle