CPC Study Guide 2024
Managers spend the majority of their time in which activity? - ANS Communicating
Networking accounts for what portion of all positions found by job candidates? - ANS Two-thirds
Which gesture in nonverbal communication is probably less uniformly understood in all cultures? - ANS Lack of eye contact
Three factors involved in any attempt to realize objectives in an organization are goals, limited resources, and - ANS People
What advice should you give a supervisor about relationships with subordinates? - ANS Give compliments freely
Standards that evaluate output with regard to expectations are known as - ANS Performance
Universal greeting in the United States - ANS A handshake
Communication, coordination, and collusion are three classes of behavior in an - ANS Oligopoly
An insecure employee performs best under which kind of leadership? - ANS Autocratic
Focus in the task level of operations is an aspect of - ANS Scientific management
In value chain management, the power is held by the - ANS Customers
Positive stress is also known as - ANS Eustress
During a presentation, a speaker's persuasive skills should include - ANS High eye contact
Disadvantage of working in groups or teams - ANS Groupthink
Work structure has a major influence on worker - ANS Motivation
According to Maslow, a manager who praises a subordinate is fulfilling the worker's - ANS Esteem needs
One advantage of a line organization is its - ANS Consistency
The idea that conflict is natural and not always evil describes conflict from the - ANS Human relations view
Higher management most frequently uses the formal communication channel called - ANS Downward
Fixed-and-variable ratio schedules are reinforcement techniques that are - ANS Intermittent
ISC2 CAP Exam 2024

NO.1 The IAM/CA makes certification accreditation recommendations to the DAA. The DAA issues accreditation determinations. Which of the following are the accreditation determinations issued by the DAA? Each correct answer represents a complete solution. Choose all that apply. A. IATO B. ATO C. IATT D. ATT E. DATO - ANS A. IATO B. ATO C. IATT E. DATO

NO.2 In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199. What levels of potential impact are defined by FIPS 199? Each correct answer represents a complete solution. Choose all that apply. A. Low B. Moderate C. High D. Medium - ANS A. Low C. High D. Medium

NO.3 Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply. A. System development B. Certification analysis C. Registration D. Assessment of the Analysis Results E. Configuring refinement of the SSAA - ANS A. System development B. Certification analysis D. Assessment of the Analysis Results E. Configuring refinement of the SSAA

NO.4 You and your project team are just starting the risk identification activities for a project that is scheduled to last for 18 months. Your project team has already identified a long list of risks that need to be analyzed. How often should you and the project team do risk identification? A. At least once per month B. Identify risks is an iterative process. C. It depends on how many risks are initially identified. D. Several times until the project moves into execution - ANS B. Identify risks is an iterative process.

NO.5 Joan is the project manager of the BTT project for her company. She has worked with her project to create risk responses for both positive and negative risk events within the project. As a result of this process Joan needs to complete the project document updates. She has updated the assumptions log as a result of the findings and risk responses, but what other documentation will need to be updated as an output of risk response planning? A. Lessons learned B. Scope statement C. Risk Breakdown Structure D. Technical documentation - ANS D. Technical documentation

NO.6 Which of the following are the tasks performed by the owner in the information classification schemes? Each correct answer represents a part of the solution. Choose three. A. To make original determination to decide what level of classification the information requires, which is based on the business requirements for the safety of the data. B. To perform data restoration from the backups whenever required. C. To review the classification assignments from time to time and make alterations as the business requirements alter. D. To delegate the responsibility of the data safeguard duties to the custodian. - ANS A. To make original determination to decide what level of classification the information requires, which is based on the business requirements for the safety of the data. C. To review the classification assignments from time to time and make alterations as the business requirements alter. D. To delegate the responsibility of the data safeguard duties to the custodian.

NO.7 You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the quantitative risk analysis process. Which one of the following is NOT a valid reason to utilize organizational process assets as a part of the quantitative risk analysis process? A. You will use organizational process assets for risk databases that may be available from industry sources. B. You will use organizational process assets for studies of similar projects by risk specialists. C. You will use organizational process assets to determine costs of all risk events within the current project. D. You will use organizational process assets for information from prior similar projects. - ANS C. You will use organizational process assets to determine costs of all risk events within the current project.

NO.8 Which of the following formulas was developed by FIPS 199 for categorization of an information type? A. SC information type = {(confidentiality, controls), (integrity, controls), (authentication, controls)} B. SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)} C. SC information type = {(confidentiality, risk), (integrity, risk), (availability, risk)} D. SC information type = {(Authentication, impact), (integrity, impact), (availability, impact)} - ANS B. SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

NO.9 You are the project manager of the NNN project for your company. You and the project team are working together to plan the risk responses for the project. You feel that the team has successfully completed the risk response planning and now you must determine which risk process comes next. Which of the following risk processes is repeated after the plan risk responses to determine if the overall project risk has been satisfactorily decreased? A. Risk identification B. Qualitative risk analysis C. Risk response implementation D. Quantitative risk analysis - ANS D. Quantitative risk analysis

NO.10 You are the project manager of the HJK Project for your organization. You and the project team have created risk responses for many of the risk events in the project. Where should you document the proposed responses and the current status of all identified risks? A. Risk management plan B. Stakeholder management strategy C. Risk register D. Lessons learned documentation - ANS C. Risk register

NO.11 Which of the following documents is used to provide a standard approach to the assessment of NIST SP 800-53 security controls? A. NIST SP 800-53A B. NIST SP 800-66 C. NIST SP 800-41 D. NIST SP 800-37 - ANS A. NIST SP 800-53A

NO.12 What are the responsibilities of a system owner? Each correct answer represents a complete solution. Choose all that apply. A. Integrates security considerations into application and system purchasing decisions and development projects. B. Ensures that the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner. C. Ensures that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on. D. Ensures that the necessary security controls are in place. - ANS A. Integrates security considerations into application and system purchasing decisions and development projects. B. Ensures that the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner. C. Ensures that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on.

NO.13 There are seven risk responses that a project manager can choose from. Which risk response is appropriate for both positive and negative risk events? A. Acceptance B. Mitigation C. Sharing D. Transference - ANS A. Acceptance

NO.14 Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete part of the project work for Eric's organization. Due to a change request, the ZAS Corporation is no longer needed on the project even though they have completed nearly all of the project work. Is Eric's organization liable to pay the ZAS Corporation for the work they have completed so far on the project? A. No, the ZAS Corporation did not complete all of the work. B. Yes, the ZAS Corporation did not choose to terminate the contract work. C. It depends on what the outcome of a lawsuit will determine. D. It depends on what the termination clause of the contract stipulates - ANS D. It depends on what the termination clause of the contract stipulates

NO.15 Which of the following is an entry in an object's discretionary access control list (DACL) that grants permissions to a user or group? A. Access control entry (ACE) B. Discretionary access control entry (DACE) C. Access control list (ACL) D. Security Identifier (SID) - ANS A. Access control entry (ACE)

NO.16 Which of the following DITSCAP C&A phases takes place between the signing of the initial version of the SSAA and the formal accreditation of the system? A. Phase 3 B. Phase 1 C. Phase 2 D. Phase 4 - ANS C. Phase 2

NO.17 What are the subordinate tasks of the Initiate and Plan IA C&A phase of the DIACAP process? Each correct answer represents a complete solution. Choose all that apply. A. Develop DIACAP strategy. B. Assign IA controls. C. Assemble DIACAP team. D. Initiate IA implementation plan. E. Register system with DoD Component IA Program. F. Conduct validation activity. - ANS A. Develop DIACAP strategy. B. Assign IA controls. C. Assemble DIACAP team. D. Initiate IA implementation plan. E. Register system with DoD Component IA Program.

NO.18 The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply. A. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A). B. An ISSO takes part in the development activities that are required to implement system changes. C. An ISSE provides advice on the continuous monitoring of the information system. D. An ISSE provides advice on the impacts of system changes. E. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A). - ANS C. An ISSE provides advice on the continuous monitoring of the information system. D. An ISSE provides advice on the impacts of system changes. E. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).

NO.19 Kelly is the project manager of the BHH project for her organization. She is completing the risk identification process for this portion of her project. Which one of the following is the only thing that the risk identification process will create for Kelly? A. Project document updates B. Risk register updates C. Change requests D. Risk register - ANS D. Risk register

NO.20 You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process? A. The project's cost management plan can help you to determine what the total cost of the project is allowed to be. B. The project's cost management plan provides direction on how costs may be changed due to identified risks. C. The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget. D. The project's cost management plan is not an input to the quantitative risk analysis process. - ANS C. The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget.

NO.21 You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year. Management has asked you to identify the risk events and communicate the event's probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low level of stakeholder tolerance in this project? A. Risk avoidance B. Mitigation-ready project management C. Risk utility function D. Risk-reward mentality - ANS C. Risk utility function

NO.22 Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States? A. Computer Fraud and Abuse Act B. FISMA C. Lanham Act D. Computer Misuse Act - ANS B. FISMA

NO.23 Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply. A. Bottom-Up Approach B. Right-Up Approach C. Top-Down Approach D. Left-Up Approach - ANS A. Bottom-Up Approach C. Top-Down Approach

NO.24 Risks with low ratings of probability and impact are included on a ____ for future monitoring. A. Watchlist B. Risk alarm C. Observation list D. Risk register - ANS A. Watchlist

NO.25 In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199. What levels of potential impact are defined by FIPS 199? Each correct answer represents a complete solution. Choose all that apply. A. Medium B. High C. Low D. Moderate - ANS A. Medium B. High C. Low

NO.26 In which of the following phases of the DITSCAP process does Security Test and Evaluation (ST&E) occur? A. Phase 2 B. Phase 3 C. Phase 1 D. Phase 4 - ANS B. Phase 3

NO.27 Where can a project manager find risk-rating rules? A. Risk probability and impact matrix B. Organizational process assets C. Enterprise environmental factors D. Risk management plan - ANS B. Organizational process assets

NO.28 Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production? Each correct answer represents a part of the solution. Choose all that apply. A. NIST B. FIPS C. Office of Management and Budget (OMB) D. FISMA - ANS C. Office of Management and Budget (OMB) D. FISMA

NO.29 What approach can a project manager use to improve the project's performance during qualitative risk analysis? A. Create a risk breakdown structure and delegate the risk analysis to the appropriate project team members. B. Focus on high-priority risks. C. Focus on near-term risks first. D. Analyze as many risks as possible regardless of who initiated the risk event. - ANS B. Focus on high-priority risks.

NO.30 Which of the following parts of BS 7799 covers risk analysis and management? A. Part 1 B. Part 3 C. Part 2 D. Part 4 - ANS B. Part 3

NO.31 Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems? A. FITSAF B. FIPS C. TCSEC D. SSAA - ANS D. SSAA

NO.32 FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls are tested and reviewed? A. Level 1 B. Level 2 C. Level 4 D. Level 5 E. Level 3 - ANS C. Level 4

NO.33 Penetration testing (also called pen testing) is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. Which of the following areas can be exploited in a penetration test? Each correct answer represents a complete solution. Choose all that apply. A. Social engineering B. File and directory permissions C. Buffer overflows D. Kernel flaws E. Race conditions F. Information system architectures G. Trojan horses - ANS A. Social engineering B. File and directory permissions C. Buffer overflows D. Kernel flaws E. Race conditions G. Trojan horses

NO.34 Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems? A. FIPS B. TCSEC C. SSAA D. FITSAF - ANS C. SSAA

NO.35 Which of the following statements is true about the continuous monitoring process? A. It takes place in the middle of system security accreditation. B. It takes place before and after system security accreditation. C. It takes place before the initial system security accreditation. D. It takes place after the initial system security accreditation. - ANS D. It takes place after the initial system security accreditation.

NO.36 You work as a project manager for BlueWell Inc. You are currently working with the project stakeholders to identify risks in your project. You understand that the qualitative risk assessment and analysis can reflect the attitude of the project team and other stakeholders to risk. Effective assessment of risk requires management of the risk attitudes of the participants. What should you, the project manager, do with assessment of identified risks in consideration of the attitude and bias of the participants towards the project risk? A. Document the bias for the risk events and communicate the bias with management B. Evaluate and document the bias towards the risk events C. Evaluate the bias through SWOT for true analysis of the risk events D. Evaluate the bias towards the risk events and correct the assessment accordingly - ANS D. Evaluate the bias towards the risk events and correct the assessment accordingly

NO.37 There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event? A. Enhance B. Exploit C. Acceptance D. Share - ANS C. Acceptance

NO.38 Rob is the project manager of the IDLK Project for his company. This project has a budget of $5,600,000 and is expected to last 18 months. Rob has learned that a new law may affect how the project is allowed to proceed, even though the organization has already invested over $750,000 in the project. What risk response is the most appropriate for this instance? A. Transference B. Mitigation C. Enhance D. Acceptance - ANS D. Acceptance

NO.39 According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls. Which of the following are among the eight areas of IA defined by DoD? Each correct answer represents a complete solution. Choose all that apply. A. VI Vulnerability and Incident Management B. DC Security Design & Configuration C. EC Enclave and Computing Environment D. Information systems acquisition, development, and maintenance - ANS A. VI Vulnerability and Incident Management B. DC Security Design & Configuration C. EC Enclave and Computing Environment

NO.40 Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state? A. Configuration management B. Procurement management C. Change management D. Risk management - ANS C. Change management

NO.41 FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented? A. Level 2 B. Level 5 C. Level 4 D. Level 1 E. Level 3 - ANS E. Level 3

NO.42 Phase 3 of DITSCAP C&A is known as Validation. The goal of Phase 3 is to validate that the preceding work has produced an IS that operates in a specified computing environment. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply. A. Perform certification evaluation of the integrated system B. System development C. Certification and accreditation decision D. Develop recommendation to the DAA E. Continue to review and refine the SSAA - ANS A. Perform certification evaluation of the integrated system C. Certification and accreditation decision D. Develop recommendation to the DAA E. Continue to review and refine the SSAA

NO.43 Which of the following system security policies is used to address specific issues of concern to the organization? A. Program policy B. Issue-specific policy C. Informative policy D. System-specific policy - ANS B. Issue-specific policy

NO.44 Which of the following formulas was developed by FIPS 199 for categorization of an information system? A. SC information system = {(confidentiality, impact), (integrity, controls), (availability, risk)} B. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)} C. SC information system = {(confidentiality, controls), (integrity, controls), (availability, controls)} D. SC information system = {(confidentiality, risk), (integrity, impact), (availability, controls)} - ANS B. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

NO.45 Which of the following are included in Physical Controls? Each correct answer represents a complete solution. Choose all that apply. A. Locking systems and removing unnecessary floppy or CD-ROM drives B. Environmental controls C. Password and resource management D. Identification and authentication methods E. Monitoring for intrusion F. Controlling individual access into the facility and different departments - ANS A. Locking systems and removing unnecessary floppy or CD-ROM drives B. Environmental controls E. Monitoring for intrusion F. Controlling individual access into the facility and different departments

NO.46 In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system? A. Full operational test B. Penetration test C. Paper test D. Walk-through test - ANS B. Penetration test

NO.47 There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to the perform quantitative risk analysis process? A. Risk register B. Cost management plan C. Risk management plan D. Enterprise environmental factors - ANS D. Enterprise environmental factors

NO.48 Sammy is the project manager for her organization. She would like to rate each risk based on its probability and effect on time, cost, and scope. Harry, a project team member, has never done this before and thinks Sammy is wrong to attempt this approach. Harry says that an accumulative risk score should be created, not three separate risk scores. Who is correct in this scenario? A. Harry is correct, because the risk probability and impact considers all objectives of the project. B. Harry is correct, the risk probability and impact matrix is the only approach to risk assessment. C. Sammy is correct, because she is the project manager. D. Sammy is correct, because organizations can create risk scores for each objective of the project. - ANS D. Sammy is correct, because organizations can create risk scores for each objective of the project.

NO.49 You work as a project manager for BlueWell Inc. Your project is running late and you must respond to the risk. Which risk response can you choose that will also cause you to update the human resource management plan? A. Fast tracking the project B. Teaming agreements C. Transference D. Crashing the project - ANS D. Crashing the project

NO.50 Which of the following refers to the ability to ensure that the data is not modified or tampered with? A. Confidentiality B. Availability C. Integrity D. Non-repudiation - ANS C. Integrity

NO.51 Which of the following C&A professionals plays the role of an advisor? A. Information System Security Engineer (ISSE) B. Chief Information Officer (CIO) C. Authorizing Official D. Information Owner - ANS A. Information System Security Engineer (ISSE)

NO.52 Which of the following statements about Discretionary Access Control List (DACL) is true? A. It is a rule list containing access control entries. B. It specifies whether an audit activity should be performed when an object attempts to access a resource. C. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object. D. It is a unique number that identifies a user, group, and computer account. - ANS C. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.

NO.53 You are the project manager of the CUL project in your organization. You and the project team are assessing the risk events and creating a probability and impact matrix for the identified risks. Which one of the following statements best describes the requirements for the data type used in qualitative risk analysis? A. A qualitative risk analysis requires fast and simple data to complete the analysis. B. A qualitative risk analysis requires accurate and unbiased data if it is to be credible. C. A qualitative risk analysis requires unbiased stakeholders with biased risk tolerances. D. A qualitative risk analysis encourages biased data to reveal risk tolerances. - ANS B. A qualitative risk analysis requires accurate and unbiased data if it is to be credible.

NO.54 Which of the following processes is described in the statement below? "This is the process of numerically analyzing the effect of identified risks on overall project objectives." A. Identify Risks B. Perform Quantitative Risk Analysis C. Perform Qualitative Risk Analysis D. Monitor and Control Risks - ANS B. Perform Quantitative Risk Analysis

NO.55 The Project Risk Management knowledge area focuses on which of the following processes? Each correct answer represents a complete solution. Choose all that apply. A. Potential Risk Monitoring B. Risk Management Planning C. Quantitative Risk Analysis D. Risk Monitoring and Control - ANS B. Risk Management Planning C. Quantitative Risk Analysis D. Risk Monitoring and Control

NO.56 A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of policies? Each correct answer represents a complete solution. Choose all that apply. A. Systematic B. Informative C. Regulatory D. Advisory - ANS B. Informative C. Regulatory D. Advisory

NO.57 The Project Risk Management knowledge area focuses on which of the following processes? Each correct answer represents a complete solution. Choose all that apply. A. Quantitative Risk Analysis B. Potential Risk Monitoring C. Risk Monitoring and Control D. Risk Management Planning - ANS A. Quantitative Risk Analysis C. Risk Monitoring and Control D. Risk Management Planning

NO.58 A Web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark's financial and personal details to another company. Which of the following Internet laws has the credit card issuing company violated? A. Security law B. Privacy law C. Copyright law D. Trademark law - ANS B. Privacy law

NO.59 You are the project manager of the NKQ project for your organization. You have completed the quantitative risk analysis process for this portion of the project. What is the only output of the quantitative risk analysis process? A. Probability of reaching project objectives B. Risk contingency reserve C. Risk response D. Risk register updates - ANS D. Risk register updates

NO.60 Phase 0 of the Risk Management Framework (RMF) is known as strategic risk assessment planning. Which of the following processes take place in phase 0? Each correct answer represents a complete solution. Choose all that apply. A. Review documentation and technical data. B. Apply classification criteria to rank data assets and related IT resources. C. Establish criteria that will be used to classify and rank data assets. D. Identify threats, vulnerabilities, and controls that will be evaluated. E. Establish criteria that will be used to evaluate threats, vulnerabilities, and controls. - ANS B. Apply classification criteria to rank data assets and related IT resources. C. Establish criteria that will be used to classify and rank data assets. D. Identify threats, vulnerabilities, and controls that will be evaluated. E. Establish criteria that will be used to evaluate threats, vulnerabilities, and controls.

NO.61 Which of the following NIST Special Publication documents provides a guideline on network security testing? A. NIST SP 800-60 B. NIST SP 800-53A C. NIST SP 800-37 D. NIST SP 800-42 E. NIST SP 800-59 F. NIST SP 800-53 - ANS D. NIST SP 800-42

NO.62 Which of the following terms related to risk management represents the estimated frequency at which a threat is expected to occur? A. Safeguard B. Single Loss Expectancy (SLE) C. Exposure Factor (EF) D. Annualized Rate of Occurrence (ARO) - ANS D. Annualized Rate of Occurrence (ARO)

NO.63 Your project uses a piece of equipment that will overheat if its temperature goes above 450 degrees Fahrenheit, and it will then have to be shut down for 48 hours. Should this machine overheat even once, it will delay the project's end date. You work with your project team to create a response: should the temperature of the machine reach 430, the machine will be paused for at least an hour to cool it down. The temperature of 430 is called what? A. Risk identification B. Risk response C. Risk trigger D. Risk event - ANS C. Risk trigger

NO.64 NIST SP 800-53A defines three types of interview depending on the level of assessment conducted. Which of the following NIST SP 800-53A interviews consists of informal and ad hoc interviews? A. Substantial B. Significant C. Abbreviated D. Comprehensive - ANS C. Abbreviated

NO.65 Which of the following processes is described in the statement below? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project." A. Perform Quantitative Risk Analysis B. Monitor and Control Risks C. Perform Qualitative Risk Analysis D. Identify Risks - ANS B. Monitor and Control Risks

NO.66 Which of the following relations correctly describes total risk? A. Total Risk = Threats x Vulnerability x Asset Value B. Total Risk = Viruses x Vulnerability x Asset Value C. Total Risk = Threats x Exploit x Asset Value D. Total Risk = Viruses x Exploit x Asset Value - ANS A. Total Risk = Threats x Vulnerability x Asset Value

NO.67 Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two. A. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system. B. Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system. C. Certification is the official management decision given by a senior agency official to authorize operation of an information system. D. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system. - ANS A. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system. D. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.

NO.68 Which of the following refers to a process that is used for implementing information security? A. Certification and Accreditation (C&A) B. Information Assurance (IA) C. Five Pillars model D. Classic information security model - ANS A. Certification and Accreditation (C&A)

NO.69 Which of the following guidance documents is useful in determining the impact level of a particular threat on agency systems? A. NIST SP 800-41 B. NIST SP 800-37 C. FIPS 199 D. NIST SP 800-14 - ANS C. FIPS 199

NO.70 Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media? A. RTM B. CRO C. DAA D. ATM - ANS A. RTM

NO.71 Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the work in the project is very dangerous, so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes to fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario considering the risk event? A. Project management plan B. Project contractual relationship with the vendor C. Project communications plan D. Project scope statement - ANS A. Project management plan

NO.72 Gary is the project manager of his organization. He is managing a project that is similar to a project his organization completed recently. Gary has decided that he will use the information from the past project to help him and the project team to identify the risks that may be present in the project. Management agrees that this checklist approach is ideal and will save time in the project. Which of the following statements is most accurate about the limitations of the checklist analysis approach for Gary? A. The checklist analysis approach is fast but it is impossible to build an exhaustive checklist. B. The checklist analysis approach only uses qualitative analysis. C. The checklist analysis approach saves time, but can cost more. D. The checklist is also known as top down risk assessment - ANS A. The checklist analysis approach is fast but it is impossible to build an exhaustive checklist.

NO.73 Which of the following access control models uses a predefined set of access privileges for an object of a system? A. Discretionary Access Control B. Mandatory Access Control C. Policy Access Control D. Role-Based Access Control - ANS B. Mandatory Access Control

NO.74 According to FIPS Publication 199, what are the three levels of potential impact on organizations in the event of a compromise on confidentiality, integrity, and availability? A. Confidential, Secret, and High B. Minimum, Moderate, and High C. Low, Normal, and High D. Low, Moderate, and High - ANS D. Low, Moderate, and High

NO.75 You are the project manager of the NNH Project. In this project you have created a contingency response that the schedule performance index should be less than 0.93. The NHH Project has a budget at completion of $945,000 and is 45 percent complete though the project should be 49 percent complete. The project has spent $455,897 to reach the 45 percent complete milestone. What is the project's schedule performance index?
A. 1.06 B. 0.93 C. -$37,800 D. 0.92 - ANS D. 0.92 NO.76 Which of the following is a risk response planning technique associated with threats that seeks to reduce the probability of occurrence or impact of a risk to below an acceptable threshold? A. Exploit B. Transference C. Mitigation D. Avoidance - ANS C. Mitigation NO.77 Harry is the project manager of the MMQ Construction Project. In this project Harry has identified a supplier who can create stained glass windows for 1,000 window units in the construction project. The supplier is an artist who works by himself, but creates windows for several companies throughout the United States. Management reviews the proposal to use this supplier and while they agree that the supplier is talented, they do not think the artist can fulfill the 1,000 window units in time for the project's deadline. Management asked Harry to find a supplier who will guarantee the completion of the windows by the needed date in the schedule. What risk response has management asked Harry to implement? A. Mitigation B. Acceptance C. Transference D. Avoidance - ANS A. Mitigation NO.78 Your organization has named you the project manager of the JKN Project. This project has a BAC of $1,500,000 and it is expected to last 18 months. Management has agreed that if the schedule baseline has a variance of more than five percent then you will need to crash the project. What happens when the project manager crashes a project? A. Project costs will increase. B. The amount of hours a resource can be used will diminish. C. The projectwill take longer to complete, but risks will diminish. D. Project risks will increase. - ANS A. Project costs will increase. NO.79 Which of the following processes is used to protect the data based on its secrecy, sensitivity, or confidentiality? A. Change Control B. Data Hiding C. Configuration Management D. Data Classification - ANS D. Data Classification NO.80 Eric is the project manager of the MTC project for his company. 
In this project a vendor has offered Eric a sizeable discount on all hardware if his order total for the project is more than $125,000. Right now, Eric is likely to spend $118,000 with vendor. If Eric spends $7,000 his cost savings for the project will be $12,500, but he cannot purchase hardware if he cannot implement the hardware immediately due to organizational policies. Eric consults with Amy and Allen, other project managers in the organization, and asks if she needs any hardware for their projects. Both Amy and Allen need hardware and they agree to purchase the hardware through Eric's relationship with the vendor. What positive risk response has happened in this instance? A. Transference B. Exploiting C. Sharing D. Enhancing - ANS C. Sharing NO.81 You are the project manager for a construction project. The project includes a work that involves very high financial risks. You decide to insure processes so that any ill happening can be compensated. Which type of strategies have you used to deal with the risks involved with that particular work? A. Transfer B. Mitigate C. Accept D. Avoid - ANS A. Transfer NO.82 What is the objective of the Security Accreditation Decision task? A. To determine whether the agency-level risk is acceptable or not. B. To make an accreditation decision C. To accredit the information system D. To approve revisions of NIACAP - ANS A. To determine whether the agency-level risk is acceptable or not. NO.83 Your project uses a piece of equipment that if the temperature of the machine goes above 450 degree Fahrenheit the machine will overheat and have to be shut down for 48 hours. Should this machine overheat even once it will delay the project's end date. You work with your project to create a response that should the temperature of the machine reach 430, the machine will be paused for at least an hour to cool it down. The temperature of 430 is called what? A. Risk identification B. Risk response C. Risk trigger D. Risk event - ANS C. 
Risk trigger NO.84 To help review or design security controls, they can be classified by several criteria. One of these criteria is based on nature. According to this criteria, which of the following controls consists of incident response processes, management oversight, security awareness, and training? A. Technical control B. Physical control C. Procedural control D. Compliance control - ANS C. Procedural control NO.85 Which of the following individuals is responsible for preparing and submitting security status reports to the organizations? A. Chief Information Officer B. Senior Agency Information Security Officer C. Common Control Provider D. Authorizing Official - ANS C. Common Control Provider NO.86 The Software Configuration Management (SCM) process defines the need to trace changes, and the ability to verify that the final delivered software has all of the planned enhancements that are supposed to be included in the release. What are the procedures that must be defined for each software project to ensure that a sound SCM process is implemented? Each correct answer represents a complete solution. Choose all that apply. A. Configuration status accounting B. Configuration change control C. Configuration deployment D. Configuration audits E. Configuration identification F. Configuration implementation - ANS A. Configuration status accounting B. Configuration change control D. Configuration audits E. Configuration identification NO.87 Which of the following is NOT a type of penetration test? A. Cursory test B. Partial-knowledge test C. Zero-knowledge test D. Full knowledge test - ANS A. Cursory test NO.88 In which of the following Risk Management Framework (RMF) phases is a risk profile created for threats? A. Phase 3 B. Phase 1 C. Phase 2 D. Phase 0 - ANS C. Phase 2 NO.89 Which of the following assessment methodologies defines a six-step technical security evaluation? A. FITSAF B. FIPS 102 C. OCTAVE D. DITSCAP - ANS B. 
FIPS 102 NO.90 Which of the following individuals is responsible for configuration management and control task? A. Authorizing official B. Information system owner C. Chief information officer D. Common control provider - ANS B. Information system owner NO.91 Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system? A. FITSAF B. TCSEC C. FIPS D. SSAA - ANS B. TCSEC NO.92 Which of the following persons is responsible for testing and verifying whether the security policy is properly implemented, and the derived security solutions are adequate or not? A. Auditor B. User C. Data custodian D. Data owner - ANS A. Auditor NO.93 You work as a project manager for BlueWell Inc. You with your team are using a method or a (technical) process that conceives the risks even if all theoretically possible safety measures would be applied. One of your team member wants to know that what is a residual risk. What will you reply to your team member? A. It is a risk that remains because no risk response is taken. B. It is a risk that remains after planned risk responses are taken. C. It is a risk that can not be addressed by a risk response. D. It is a risk that will remain no matter what type of risk response is offered. - ANS B. It is a risk that remains after planned risk responses are taken. NO.94 System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of System Authorization Plan?Each correct answer represents a part of the solution. Choose all that apply. A. Post-Authorization B. Pre-certification C. Post-certification D. Certification E. Authorization - ANS A. Post-Authorization B. Pre-certification D. Certification E. Authorization NO.95 Which of the following is the acronym of RTM? A. Resource tracking method B. 
Requirements Traceability Matrix C. Resource timing method D. Requirements Testing Matrix - ANS B. Requirements Traceability Matrix NO.96 In which of the following phases does the SSAA maintenance take place? A. Phase 4 B. Phase 2 C. Phase 1 D. Phase 3 - ANS A. Phase 4 NO.97 Henry is the project manager of the QBG Project for his company. This project has a budget of $4,576,900 and is expected to last 18 months to complete. The CIO, a stakeholder in the project, has introduced a scope change request for additional deliverables as part of the project work.What component of the change control system would review the proposed changes' impact on the features and functions of the project's product? A. Cost change control system B. Scope change control system C. Integrated change control D. Configuration management system - ANS D. Configuration management system NO.98 Which of the following is not a part of Identify Risks process? A. Decision tree diagram B. Cause and effect diagram C. Influence diagram D. System or process flow chart - ANS A. Decision tree diagram NO.99 Which of the following individuals informs all C&A participants about life cycle actions, security requirements, and documented user needs? A. IS program manager B. Certification Agent C. User representative D. DAA - ANS A. IS program manager NO.100 You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events? A. These risks can be accepted. B. These risks can be added to a low priority risk watch list. C. All risks must have a valid, documented risk response. D. These risks can be dismissed. - ANS B. These risks can be added to a low priority risk watch list. [Show Less]
A morbidly obese male with an unstable cervical fracture and a history of a difficult intubation (Mallampati class IV airway with mouth opening <15 mm) is scheduled for a C3-4 cervical fusion. Which intubation technique with in-line stabilization is MOST appropriate?
Asleep direct laryngoscopy; Awake fiberoptic bronchoscopy; Asleep fiberoptic bronchoscopy; Awake video laryngoscopy
- ANS Awake fiberoptic bronchoscopy
Justification: An awake fiberoptic bronchoscope intubation is the most appropriate airway management technique in a patient with a history of a difficult intubation and 3 predictors of a difficult airway (morbid obesity, Mallampati class IV, and mouth opening <15 mm). Additionally, this technique will cause the least cervical spine motion and will allow the patient to maintain spontaneous ventilation. Morbidly obese patients may be difficult to mask ventilate and can desaturate quickly after induction of anesthesia, indicating that induction of anesthesia may be most appropriate after the airway is secured. A possible con