Certified Authorization Professional (CAP) Sample Questions


The Certified Authorization Professional credential is a tried-and-true way to advance your career and demonstrate your Risk Management Framework (RMF) knowledge. It validates your advanced technical knowledge and skills for authorizing and maintaining information systems within the RMF using the best practices, policies, and procedures defined by (ISC)2’s cyber security experts. This certification can help you advance in your career and boost your resume.

The Certified Authorization Professional (CAP) is a security risk manager who advocates for the authorization of information systems to support an organization’s mission and operations while adhering to legal and regulatory constraints.

Certified Authorization Professional (CAP) Sample Questions

Question 1

Which of the following professionals serves as a monitor in the organization’s configuration management process?

  • A. Chief Information Security Officer of the Agency
  • B. Appointing Official
  • C. Common Control Provider
  • D. Chief Information Officer

Correct Answer – C

Question 2

The Chief Information Officer (CIO), also known as the Information Technology (IT) director, is the most senior executive in an organization. What are the duties of the Chief Information Officer?
Each correct response represents an entire solution. Select all that apply.

  • A. Maintaining high-level communications and working group relationships within a company
  • B. Making it easier for authorized officials to share security risk information.
  • C. Developing an effective organizational continuous monitoring program
  • D. Proposing the information technology required by an enterprise to achieve its objectives and then working within a budget to put the plan into action

Correct Answer – A, C, D

Question 3

The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) serve as supporters and advisors. Which of the following statements about ISSO and ISSE is correct?
Each correct response represents an entire solution. Select all that apply.

  • A. An ISSE advises on the effects of system changes.
  • B. An ISSE is in charge of the security of an information system that is being certified and accredited (C&A).
  • C. An ISSO is in charge of the security of the information system that is being certified and accredited (C&A).
  • D. An ISSO participates in the development activities necessary to implement system changes.
  • E. An ISSE advises on the ongoing monitoring of the information system.

Correct Answer – A, C, E

Question 4

Which of the following individuals is in charge of initiating the Certification & Accreditation (C&A) process?

  • A. Owner of an information system
  • B. Appointing Official
  • C. Chief Risk Officer (CRO)
  • D. Chief Information Officer (CIO)

Correct Answer – A

Question 5

Which of the following assessment methodologies defines a six-step technical security evaluation?

  • A. FITSAF
  • B. FIPS 102
  • C. OCTAVE
  • D. DITSCAP

Correct Answer – B

Question 6

Since December 1997, DIACAP has applied to the acquisition, operation, and maintenance of any DoD system that collects, stores, transmits, or processes unclassified or classified information. DIACAP identifies which phases?

Each correct response represents an entire solution. Select all that apply.

  • A. Certification
  • B. Recognition
  • C. System Defined
  • D. Validation
  • E. Verification
  • F. Recertification

Correct Answer – C, D, E, F

Question 7

Mark works for NetTech Inc. as a Network Administrator. He wants users to have access to only the resources that they need. Which of the access control models listed below will he employ?

  • A. Compulsory Access Control
  • B. Access Control Based on Roles
  • C. Control of Discretionary Access
  • D. Control of Policy Access

Correct Answer – B

Question 8

Which of the following terms refers to an information security document used by the US Department of Defense (DoD) to describe and accredit networks and systems?

  • A. FITSAF
  • B. FIPS
  • C. TCSEC
  • D. SSAA

Correct Answer – D

Question 9

SoftTech Inc. employs James as IT systems personnel. He is responsible for the following duties:

  • Runs regular backups and tests the validity of the backup data on a regular basis.
  • Performs data restoration from backups when necessary.
  • Maintains the retained records in accordance with the established information classification policy.

What role does James play in the organization?

  • A. Supervisor
  • B. The proprietor
  • C. Custodian
  • D. User

Correct Answer – C

Question 10

FITSAF is an acronym that stands for the Federal Information Technology Security Assessment Framework. It is a technique for evaluating the security of information systems. Which of the following FITSAF levels demonstrates the implementation of procedures and controls?

  • A. 4th Level
  • B. Level One
  • C. Third Level
  • D. 5th level
  • E. Second Level

Correct Answer – C

Question 11

The process of implementing information security is known as certification and accreditation (C&A or CnA).
In a DITSCAP assessment, which of the following is the correct order of C&A phases?

  • A. Define, Validate, Verify, and Post-Accreditation
  • B. Verification, Definition, Validation, and Post Accreditation
  • C. Verification, Validation, Definition, and Post Accreditation
  • D. Definition, Verification, Validation, and Post Accreditation

Correct Answer – D

Question 12

The risk management process is known as system authorization. The System Authorization Plan (SAP) is a thorough and consistent approach to the System Authorization Process. What are the stages of the System Authorization Plan?
Each correct answer contributes to the solution. Select all that apply.

  • A. Authorization Following Authorization
  • B. Pre-certification
  • C. Recertification
  • D. Authorization
  • E. Permission

Correct Answer – A, B, D, E

Question 13

The process of implementing information security is known as certification and accreditation (C&A or CnA). It is a methodical process for evaluating, describing, testing, and authorizing systems before or after they are put into service. Which of the following statements about certification and accreditation is correct?
Each correct response represents an entire solution. Select two.

  • A. Accreditation is the official management decision made by a senior agency official to allow an information system to operate.
  • B. Accreditation is a comprehensive evaluation of an information system’s management, operational, and technical security controls.
  • C. Certification is the official management decision made by a senior agency official to allow an information system to operate.
  • D. Certification is a thorough examination of management, operational, and technical security.

Correct Answer – A, D

Question 14

Which of the following requires that all general support systems and major applications be fully certified and accredited before being put into production?
Each correct answer contributes to the solution. Select all that apply.

  • A. NIST
  • B. FIPS
  • C. FISMA
  • D. Management and Budget Office (OMB)

Correct Answer – C, D

Question 15

The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for certifying and accrediting computer and telecommunications systems that handle national security information in the United States. What are the various levels of NIACAP accreditation?
Each correct response represents an entire solution. Select all that apply.

  • A. Obtain accreditation
  • B. Type certification
  • C. System certification
  • D. Site certification

Correct Answer – B, C, D

Question 16

According to US Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls within them are referred to as IA controls. Which of the following is NOT one of the eight DoD-defined areas of IA?
Each correct response represents an entire solution. Select all that apply.

  • A. VI Security and Incident Management
  • B. Design and Configuration of DC Security
  • C. Computing Environment and EC Enclave
  • D. Acquisition, development, and maintenance of information systems

Correct Answer – A, B, C

Question 17

Since December 1997, DIACAP has applied to the acquisition, operation, and maintenance of any DoD system that collects, stores, transmits, or processes unclassified or classified information. DIACAP identifies which phases?
Each correct response represents an entire solution. Select all that apply.

  • A. Verification
  • B. Recertification
  • C. Validation
  • D. System Defined
  • E. Identification
  • F. Certification

Correct Answer – A, B, C, D

Question 18

Which of the following is a Corporate Governance subset discipline focused on information security systems and their performance and risk management?

  • A. Lanham Act
  • B. ISG
  • C. Clinger-Cohen Act
  • D. Computer Misuse Act

Correct Answer – B

Question 19

Ben is the project manager for his company’s YHT Project. Alice, one of his team members, is perplexed about when project risks will occur.
Which of the following statements about project risk is the most accurate?

  • A. Project risk can occur at any time.
  • B. Because project risk is unpredictable, no one can predict when the event will occur.
  • C. Project risk occurs at all stages of project execution.
  • D. The risk of a project is always in the future.

Correct Answer – D

Question 20

You are the project manager for your company’s NKJ Project. The success or failure of the project will have a significant impact on your organization’s profitability in the coming year. Management has asked you to identify risk events and communicate their probability and impact as early in the project as possible.
The management wishes to avoid risk events and must weigh the costs and benefits of each risk event in this project. What term is used to describe the project’s low level of stakeholder tolerance?

  • A. Risk aversion
  • B. Risk-averse project management
  • C. Utility function for risk
  • D. Risk-reward mindset

Correct Answer – C
