• support@dumpspool.com
SPECIAL LIMITED TIME DISCOUNT OFFER. USE DISCOUNT CODE TO GET 20% OFF DP2021

PDF Only

$35.00 Free Updates Upto 90 Days

  • CAP Dumps PDF
  • 395 Questions
  • Updated On March 29, 2024

PDF + Test Engine

$60.00 Free Updates Upto 90 Days

  • CAP Question Answers
  • 395 Questions
  • Updated On March 29, 2024

Test Engine

$50.00 Free Updates Upto 90 Days

  • CAP Practice Questions
  • 395 Questions
  • Updated On March 29, 2024
Check Our Free ISC2 CAP Online Test Engine Demo.

How to pass ISC2 CAP exam with the help of dumps?

DumpsPool provides you the finest quality resources you’ve been looking for to no avail. So, it's due time you stop stressing and get ready for the exam. Our Online Test Engine provides you with the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest ISC2 CAP Dumps to satisfy your need for training. Plus, they are in two different formats: Dumps PDF and Online Test Engine.

How Do I Know ISC2 CAP Dumps are Worth it?

Did we mention our latest CAP Dumps PDF is also available as Online Test Engine? And that’s just the point where things start to take root. Of all the amazing features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about the payments. Let us explore all other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three-month free updates.

You can easily scroll through our large catalog of certification exams. And, pick any exam to start your training. That’s right, DumpsPool isn’t limited to just ISC2 Exams. We trust our customers need the support of an authentic and reliable resource. So, we made sure there is never any outdated content in our study resources. Our expert team makes sure everything is up to the mark by keeping an eye on every single update. Our main concern and focus are that you understand the real exam format. So, you can pass the exam in an easier way!

IT Students Are Using our CAP â?? Certified Authorization Professional Dumps Worldwide!

It is a well-established fact that certification exams can’t be conquered without some help from experts. The point of using CAP â?? Certified Authorization Professional Practice Question Answers is exactly that. You are constantly surrounded by IT experts who’ve been through you are about to and know better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world, make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And, with the money-back guarantee, you feel safe buying from us. You can claim your return on not passing the exam.

How to Get CAP Real Exam Dumps?

Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the CAP exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and the latest as they can be. Plus, our Practice Question Answers are tested and approved by professionals. Making it the top authentic resource available on the internet. Our expert has made sure the Online Test Engine is free from outdated & fake content, repeated questions, and false plus indefinite information, etc. We make every penny count, and you leave our platform fully satisfied!

ISC2 CAP Sample Question Answers

Question # 1

Which of the following statements correctly describes DIACAP residual risk?

A. It is the remaining risk to the information system after risk palliation has occurred.
B. It is a process of security authorization.
C. It is the technical implementation of the security design.
D. It is used to validate the information system.

Question # 2

Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?

A. TCSEC 
B. FIPS
 C. SSAA 
D. FITSAF

Question # 3

A security policy is an overall generalstatement produced by senior management that dictates what role security plays within the organization. What are the different types of policies? Each correct answer represents a complete solution. Choose all that apply.  

A. Systematic
B. Regulatory
C. Advisory
D. Informative

Question # 4

Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state?

A. Configuration management
B. Procurement management
C. Change management
D. Risk management

Question # 5

Which of the following is used to indicatethat the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?

A. DAA
 B. RTM 
C. ATM 
D. CRO 

Question # 6

Which of the following statements aboutDiscretionary Access Control List (DACL)is true?  

A. It is a rule list containing access control entries.  
B. It specifies whether an audit activity should be performed when an object attempts to access a resource. 
C. It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.
D. It is a unique number that identifies a user, group, and computer account  

Question # 7

During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?

A. Symptoms
B. Cost of the project
C. Warning signs
D. Risk rating

Question # 8

During which of the following processes,probability and impact matrixis prepared? 

A. Plan Risk Responses
B. Perform Quantitative Risk Analysis
C. Perform Qualitative Risk Analysis
D. Monitoring and Control Risks

Question # 9

Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the works in the project are very dangerous so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for theproject have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes into fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario considering the risk event?

A. Project contractual relationship with the vendor
B. Project communications plan
C. Project management plan
D. Project scope statement

Question # 10

Which of the following is NOT an objective of the security program? 

A. Security organization  
B. Security plan  
C. Security education  
D. Information classification  

Question # 11

In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199. What levels of potential impact are defined by FIPS 199? Each correct answer represents a complete solution. Choose all that apply.

A. Low 
B. Moderate 
C. High 
D. Medium 

Question # 12

An authentication method uses smart cards as well as usernames and passwordsfor authentication. Which of the following authentication methods is being referred to?

A. Anonymous 
B. Multi-factor 
C. Biometrics
 D. Mutual 

Question # 13

You work as a project manager for BlueWell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decided, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project which of the following are likely to increase?

A. Risks
B. Human resource needs
C. Quality control concerns
D. Costs

Question # 14

Which of the following RMF phases is known as risk analysis? 

A. Phase 0
B. Phase 1
C. Phase 2
D. Phase 3

Question # 15

Which one of the following is the only output for the qualitative risk analysis process? 

A. Enterprise environmental factors  
B. Project management plan  
C. Risk register updates  

Question # 16

The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply.

A. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A). 
B. An ISSO takes part in the development activities that are required to implement system ch anges.
C. An ISSE provides advice on the continuous monitoring of the information system.  
D. An ISSE provides advice on the impacts of system changes.  
E. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A). 

Question # 17

Harry is a project manager of a software development project. In the early stages of planning, he and the stakeholders operated with the belief that the software they were developing would work with their organization's current computer operating system. Now that the project team has started developing the software it has become apparent that the software will not work with nearly half of the organization's computer operating systems. The incorrect belief Harry had in the software compatibility is an example of what in project management?

A. Assumption
B. Issue
C. Risk
D. Constraint

Question # 18

Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment?

A. Phase 3
B. Phase 2
C. Phase 4
D. Phase 1

Question # 19

Which of the following processes is described in the statement below? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project." 

A. Perform Quantitative Risk Analysis
B. Monitor and Control Risks
C. Perform Qualitative Risk Analysis
D. Identify Risks

Question # 20

There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?

A. Enhance  
B. Exploit  
C. Acceptance  
D. Share  

Question # 21

In which type of access control do user ID and password system come under? 

A. Administrative
B. Technical
C. Physical
D. Power

Question # 22

Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete part of the project work for Eric's organization. Due to a change request the ZAS Corporation is no longer needed on the project even though they have completed nearly all of the project work. Is Eric's organization liable to pay the ZAS Corporation for the work they have completed so far on the project?

A. No, the ZAS Corporation did not complete all of the work.
B. Yes, the ZAS Corporation did not choose to terminate the contract work.
C. It depends on what the outcome of a lawsuit will determine.
D. It depends on what the terminationclause of the contract stipulates

Question # 23

Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. Which of the following isviolated in a shoulder surfing attack?

A. Authenticity
B. Integrity
C. Availability
D. Confidentiality

Question # 24

Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of a chart is management asking you to create?

A. Work breakdown structure
B. Roles and responsibility matrix
C. Resource breakdown structure
D. RACI chart

Question # 25

Which of the following DoD directives is referred to as theDefense Automation Resources Management Manual?

A. DoD 5200.22-M
B. DoD 5200.1-R
C. DoD 8910.1
D. DoDD 8000.1
E. DoD 7950.1-M

Question # 26

Tom is the project manager for his organization. In his project he has recently finished the risk response planning. He tells his manager that he will now need to update the cost and schedule baselines. Why would the risk response planning cause Tom the need to update the cost and schedule baselines?

A. New or omitted work as part of a risk response can cause changes to the cost and/or schedule baseline. 
B. Risk responses protect the time and investment of the project.
C. Risk responses may take time and money to implement.
D. Baselines should not be updated, but refined through versions.

Question # 27

Which of the following guidance documents is useful in determining the impact level of a particular threat on agency systems?

A. NIST SP 800-41
B. NIST SP 800-37
C. FIPS 199
D. NIST SP 800-14

Question # 28

Which of the following documents is used to provide a standard approach to the assessment of NIST SP 800-53 security controls?

A. NIST SP 800-53A
B. NIST SP 800-66
C. NIST SP 800-41
D. NIST SP 800-37

Question # 29

Which of the following individuals is responsible for configuration management and control task?

A. Commoncontrol provider  
B. Information system owner  
C. Authorizing official  
D. Chief information officer  

Question # 30

Which of the following are the types of assessment tests addressed in NIST SP 800-53A? 

A. Functional, penetration, validation
B. Validation, evaluation, penetration
C. Validation, penetration, evaluation
D. Functional, structural, penetration

Question # 31

For which of the following reporting requirements are continuous monitoring documentation reports used?

A. FISMA
B. NIST
C. HIPAA
D. FBI 

Question # 32

A ________ points to a statement in a policy or procedure that helps determine a course of action.

A. Comment  
B. Guideline  
C. Procedure  
D. Baseline  

Question # 33

Which of the following individuals makes the final accreditation decision? 

A. DAA
B. ISSO
C. CIO
D. CISO

Question # 34

Which of the following individuals is responsible for the final accreditation decision? 

A. Certification Agent
B. User Representative
C. Information System Owner
D. Risk Executive

Question # 35

Which of the following relations correctly describes total risk? 

A. Total Risk = Threats x Vulnerability x Asset Value  
B. Total Risk = Viruses x Vulnerability x Asset Value  
C. Total Risk = Threats x Exploit x Asset Value  
D. Total Risk = Viruses x Exploit x Asset Value  

Question # 36

Which of the following formulas was developed by FIPS 199 for categorization of an informationsystem?

A. SCinformation system = {(confidentiality, impact), (integrity, controls), (availability, risk)}  
B. SCinformation system = {(confidentiality, risk), (integrity, impact), (availability, controls)}  
C. SCinformation system = {(confidentiality, impact), (integrity, impact), (availability, impact)} 
D. SCinformation system = {(confidentiality, controls), (integrity, controls), (availability, controls )} 

Question # 37

Which of the following NIST documents defines impact? 

A. NIST SP 800-26
B. NIST SP 800-53A
C. NIST SP 800-53
D. NIST SP 800-30

Question # 38

Which of the following NIST publications defines impact? 

A. NIST SP 800-41
B. NIST SP 800-37
C. NIST SP 800-30
D. NIST SP 800-53

Question # 39

Which of the following recovery plans includes a monitoring process and triggers for initiating planned actions?

A. Business continuity plan
B. Contingency plan
C. Continuity of Operations Plan
D. Disaster recovery plan

Question # 40

In which of the following elements of security does the object retain its veracity and is intentionally modified by the authorized subjects?

A. Integrity
B. Nonrepudiation
C. Availability
D. Confidentiality

Question # 41

Which of the following C&A professionals plays the role of an advisor? 

A. Information System Security Engineer (ISSE)
B. Chief Information Officer (CIO)
C. Authorizing Official
D. Information Owner

Question # 42

What doesOCTAVEstand for? 

A. Operationally Computer Threat, Asset, and Vulnerability Evaluation
B. Operationally Critical Threat, Asset, and Vulnerability Evaluation
C. Operationally Computer Threat, Asset, and Vulnerability Elimination
D. Operationally Critical Threat, Asset, and Vulnerability Elimination 

Question # 43

Which of the following is used throughout the entire C&A process? 

A. DAA
B. DITSCAP
C. SSAA
D. DIACAP

Question # 44

In which of the following DITSCAP phases is the SSAA developed? 

A. Phase 2
B. Phase 4
C. Phase 1
D. Phase 3

Question # 45

Which of the following individuals is responsible for preparing and submitting security status reports to the organizations?

A. Chief Information Officer  
B. Senior Agency Information Security Officer
C. Common Control Provider
D. Authorizing Official

Question # 46

Which of the following individuals is responsible for configuration management and controltask?

A. Authorizing official
B. Information system owner
C. Chief information officer
D. Common control provider

Question # 47

Which of the following assessment methods involves observing or conducting the operation of physical devices?

A. Interview
B. Deviation
C. Examination
D. Testing

Question # 48

In which of the following phases does the change management process start? 

A. Phase 2
B. Phase 1
C. Phase 4
D. Phase 3

Question # 49

Inwhich of the following phases do the system security plan update and the Plan of Action and Milestones (POAM) update take place?

A. Continuous Monitoring Phase
B. Accreditation Phase
C. Preparation Phase
D. DITSCAP Phase

Question # 50

Which of the following statements is true about the continuous monitoring process? 

A. It takes place in the middle of system security accreditation.
B. It takes place before and after system security accreditation.
C. It takes place before the initial system security accreditation.
D. It takes place after the initial system security accreditation.

Question # 51

In which ofthe following phases does the SSAA maintenance take place? 

A. Phase 4
B. Phase 2
C. Phase 1
D. Phase 3

Question # 52

Which of the following isnota part of Identify Risks process?

A. Decision tree diagram
B. Cause and effect diagram
C. Influence diagram
D. System or process flow chart

Question # 53

Which of the following processes has the goal to ensure that any change does not lead to reduced or compromised security?

A. Risk management
B. Security management
C. Configuration management
D. Changecontrol management

Question # 54

Which of the following is a risk that is created by the response to another risk? 

A. Secondary risk
B. Residual risk
C. Positive risk
D. Negative risk

Question # 55

Which of the following individuals is responsible for the final accreditationdecision? 

A. Information System Owner
B. Certification Agent
C. User Representative
D. Risk Executive

Question # 56

According to FIPS Publication 199, what are the three levels of potential impact on organizations in the event of a compromise on confidentiality, integrity, and availability?

A. Confidential, Secret, and High
B. Minimum, Moderate, and High
C. Low, Normal, and High
D. Low, Moderate, and High

Question # 57

Which of the following NIST documents includes components for penetration testing? 

A. NIST SP 800-53
B. NIST SP 800-26
C. NIST SP 800-37
D. NIST SP 800-30

Question # 58

Which of the following parts of BS 7799 covers risk analysis and management? 

A. Part 1  
B. Part 3  
C. Part 2  
D. Part 4  

Question # 59

What does RTM stand for?

A. Resource Testing Method
B. Replaced Traceability Matrix
C. Requirements Traceability Matrix
D. Resource Tracking Matrix

Question # 60

Which of the following recovery plans includes a monitoring process and triggers for initiating planned actions?

A. Contingency plan
B. Business continuity plan
C. Disaster recovery plan
D. Continuity of Operations Plan

Question # 61

In which of the following DITSCAP phases is the SSAA developed? 

A. Phase 4
B. Phase 2
C. Phase 1
D. Phase 3

Question # 62

In which of the following Risk Management Framework (RMF) phases is a risk profile created for threats?

A. Phase 3
B. Phase 1
C. Phase 2
D. Phase 0

Question # 63

Which of the following individuals is responsible for ensuring the security posture of the organization's information system? 

A. Authorizing Official
B. Chief Information Officer
C. Security Control Assessor
D. Common Control Provider

Question # 64

Which of the following system security policies is used to address specific issues of concern to the organization?  

A. Program policy
B. Issue-specific policy
C. Informative policy
D. System-specific policy

Question # 65

Which of the following NIST C&A documents is the guideline for identifying an information system as a National Security System?

A. NIST SP800-53
B. NIST SP 800-59
C. NIST SP 800-37
D. NIST SP 800-53A

Question # 66

Which ofthe following statements best describes the difference between the role of a data owner and the role of a data custodian? 

A. The custodian implements the information classification scheme after the initial assignment by the operations manager. 
B. The datacustodian implements the information classification scheme after the initial assignment by the data owner. 
C. The data owner implements the information classification scheme after the initial assignment by the custodian.
D. The custodian makes the initialinformation classification assignments, and the operations manager implements the scheme. 

Question # 67

You work as a project manager for BlueWell Inc. You are working on a project and the management wants a rapid and cost-effective means for establishing priorities for planning risk responses in your project. Which risk management process can satisfy management's objective for your project?

A. Qualitative risk analysis
B. Quantitative analysis
C. Historical information
D. Rolling wave planning

Question # 68

Which of the following processes provides a standard set of activities, general tasks, and a management structure to certify and accredit systems, which maintain the informationassurance and the security posture of a systemor site?

A. DITSCAP
B. NIACAP
C. NSA-IAM
D. ASSET

Question # 69

Which of the following persons is responsible for testing and verifying whether the security policy is properly implemented, and the derived security solutions are adequate or not?

A. Auditor
B. User
C. Data custodian
D. Data owner

Question # 70

There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?

A. Exploit  
B. Share  
C. Enhance  
D. Acceptance  

Question # 71

Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?

A. Definition, Validation, Verification, and Post Accreditation
B. Verification, Definition, Validation, and Post Accreditation
C. Definition, Verification, Validation, and Post Accreditation
D. Verification, Validation, Definition, and Post Accreditation

Question # 72

The Project Risk Management knowledge area focuses on which of the following processes? Each correct answer represents a complete solution. Choose all that apply. 

A. Quantitative Risk Analysis
B. Potential Risk Monitoring
C. Risk Monitoring and Control
D. Risk Management Planning

Question # 73

Which of the following statements aboutrole-based access control (RBAC)model is true? 

A. In this model, the permissions are uniquely assigned to each user account.  
B. In this model, a user can access resources according to his role in the organization.  
C. In this model, the same permission is assigned to each user account.  
D. In this model, the users canaccess resources according to their seniority.  

Question # 74

You are the project manager of QSL project for your organization. You are working you’re your project team and several key stakeholders to create a diagram that shows how various elements of a system interrelate and the mechanism of causation within the system. What diagramming technique are you using as a part of the risk identification process?

A. Cause and effect diagrams
B. System or process flowcharts
C. Predecessor and successor diagramming
D. Influence diagrams

Question # 75

You are the project manager of the NNN project for your company. You and the project team are working together to plan the risk responses for the project. You feel that the team has successfully completed the risk response planning and now you must initiate what risk process it is. Which of the following risk processes is repeated after the plan risk responses to determine if the overall project risk has been satisfactorily decreased?

A. Risk identification
B. Qualitative risk analysis
C. Risk response implementation
D. Quantitative risk analysis

Question # 76

Which of the following groups represents the most likely source of an asset loss throughthe inappropriateuse of computers?

A. Hackers
B. Visitors
C. Customers
D. Employees

Question # 77

You work as a project manager for BlueWell Inc. Your project is running late and you must respond to the risk. Which risk response can you choose that will also cause you to update the human resource management plan?

A. Fast tracking the project
B. Teaming agreements
C. Transference
D. Crashing the project

Question # 78

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematicprocedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choosetwo.  

A. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
B. Certification is a comprehensive assessment of the management, operational, and technical security controls inan information system
C. Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system. 
D. Certification is the official management decision given by a senior agency official to authorize operation of an information system.

Question # 79

During which of the following processes,probability and impact matrixis prepared? 

A. Plan Risk Responses
B. Perform Quantitative Risk Analysis
C. Perform Qualitative Risk Analysis
D. Monitoring and Control Risks