ISC CAP practice test

Certified Authorization Professional Exam

Last exam update: Nov 14, 2024
Page 1 out of 26. Viewing questions 1-15 out of 395

Question 1

In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199.
What levels of potential impact are defined by FIPS 199?
Each correct answer represents a complete solution. Choose all that apply.

  • A. Low
  • B. Moderate
  • C. High
  • D. Medium
Answer:

A,C,D


Question 2

An authentication method uses smart cards as well as usernames and passwords for authentication.
Which of the following authentication methods is being referred to?

  • A. Anonymous
  • B. Multi-factor
  • C. Biometrics
  • D. Mutual
Answer:

B


Question 3

You work as a project manager for BlueWell Inc. There has been a delay in your project work that is
adversely affecting the project schedule. You decided, with your stakeholders' approval, to fast track
the project work to get the project done faster. When you fast track the project, which of the
following are likely to increase?

  • A. Risks
  • B. Human resource needs
  • C. Quality control concerns
  • D. Costs
Answer:

A


Question 4

Which of the following RMF phases is known as risk analysis?

  • A. Phase 0
  • B. Phase 1
  • C. Phase 2
  • D. Phase 3
Answer:

C


Question 5

Which one of the following is the only output for the qualitative risk analysis process?

  • A. Enterprise environmental factors
  • B. Project management plan
  • C. Risk register updates
  • D. Organizational process assets
Answer:

C


Question 6

The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play
the role of a supporter and advisor, respectively. Which of the following statements are true about
ISSO and ISSE?
Each correct answer represents a complete solution. Choose all that apply.

  • A. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).
  • B. An ISSO takes part in the development activities that are required to implement system changes.
  • C. An ISSE provides advice on the continuous monitoring of the information system.
  • D. An ISSE provides advice on the impacts of system changes.
  • E. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).
Answer:

C,D,E


Question 7

Harry is a project manager of a software development project. In the early stages of planning, he and
the stakeholders operated with the belief that the software they were developing would work with
their organization's current computer operating system. Now that the project team has started
developing the software, it has become apparent that the software will not work with nearly half of
the organization's computer operating systems. The incorrect belief Harry had in the software
compatibility is an example of what in project management?
  • A. Assumption
  • B. Issue
  • C. Risk
  • D. Constraint

Answer:

A


Question 8

Which of the following DITSCAP phases validates that the preceding work has produced an IS that
operates in a specified computing environment?

  • A. Phase 3
  • B. Phase 2
  • C. Phase 4
  • D. Phase 1
Answer:

A


Question 9

Which of the following processes is described in the statement below?
"It is the process of implementing risk response plans, tracking identified risks, monitoring residual
risk, identifying new risks, and evaluating risk process effectiveness throughout the project."

  • A. Perform Quantitative Risk Analysis
  • B. Monitor and Control Risks
  • C. Perform Qualitative Risk Analysis
  • D. Identify Risks
Answer:

B


Question 10

There are seven risk responses for any project. Which one of the following is a valid risk response for
a negative risk event?

  • A. Enhance
  • B. Exploit
  • C. Acceptance
  • D. Share
Answer:

C


Question 11

Under which type of access control do user ID and password systems fall?

  • A. Administrative
  • B. Technical
  • C. Physical
  • D. Power
Answer:

B


Question 12

Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete part of
the project work for Eric's organization. Due to a change request, the ZAS Corporation is no longer
needed on the project even though they have completed nearly all of the project work. Is Eric's
organization liable to pay the ZAS Corporation for the work they have completed so far on the
project?

  • A. No, the ZAS Corporation did not complete all of the work.
  • B. Yes, the ZAS Corporation did not choose to terminate the contract work.
  • C. It depends on what the outcome of a lawsuit will determine.
  • D. It depends on what the termination clause of the contract stipulates.
Answer:

D


Question 13

Shoulder surfing is a type of in-person attack in which the attacker gathers information about the
premises of an organization. This attack is often performed by looking surreptitiously at the keyboard
of an employee's computer while he is typing in his password at any access point such as a
terminal/Web site. Which of the following is violated in a shoulder surfing attack?

  • A. Authenticity
  • B. Integrity
  • C. Availability
  • D. Confidentiality
Answer:

D


Question 14

Management wants you to create a visual diagram of what resources will be utilized in the project
deliverables. What type of a chart is management asking you to create?

  • A. Work breakdown structure
  • B. Roles and responsibility matrix
  • C. Resource breakdown structure
  • D. RACI chart
Answer:

C


Question 15

Which of the following DoD directives is referred to as the Defense Automation Resources
Management Manual?

  • A. DoD 5200.22-M
  • B. DoD 5200.1-R
  • C. DoD 8910.1
  • D. DoDD 8000.1
  • E. DoD 7950.1-M
Answer:

E
