
Certified Authorization Professional
Question: 1

Examine the figure given below.

What will be the expected monetary value of Risk C?

A. -$113,750
B. -$27,000
C. -$175,000
D. $175,000 if the risk event actually happens

Answer: B

The expected monetary value is found by multiplying the probability times the impact. In this
example it would be 0.30 times -$90,000 for -$27,000.
Answer option C is incorrect. This is not a valid calculation for the expected monetary value.
Answer option A is incorrect. This is not a valid calculation for the expected monetary value.
Answer option D is incorrect. The expected monetary value is based on the current probability and
Reference: "Project Management Body of Knowledge (PMBOK Guide), Fourth Edition"

Question: 2

Eric is the project manager of the MTC project for his company. In this project a vendor has offered
Eric a sizeable discount on all hardware if his order total for the project is more than $125,000. Right
now, Eric is likely to spend $118,000 with the vendor. If Eric spends $7,000 more, his cost savings for the
project will be $12,500, but he cannot purchase hardware if he cannot implement the hardware
immediately due to organizational policies. Eric consults with Amy and Allen, other project managers
in the organization, and asks if they need any hardware for their projects. Both Amy and Allen need
hardware and they agree to purchase the hardware through Eric's relationship with the vendor.
What positive risk response has happened in this instance?

A. Exploiting
B. Transference
C. Sharing
D. Enhancing

Answer: C

This is an example of sharing the positive risks so that all parties involved in the decision can benefit
from the purchase and discount of the hardware.
A sharing response is where two or more entities share a positive risk. Risk sharing deals with sharing
responsibility and accountability with others to give the team the best chance of seizing
the opportunity. Teaming agreements are a good example of sharing the reward that comes from the
risk of the opportunity.
Answer option D is incorrect. Enhancing is a tempting choice as Eric is enhancing the probability of
receiving the discount from the vendor, but he is sharing the opportunity to receive the discount -
something he would not receive on his own.
Answer option A is incorrect. Exploiting happens when the project manager wants to ensure that an
opportunity is realized. Eric is certain that Amy and Allen will be purchasing the hardware.
Answer option B is incorrect. Transference is a negative risk response that transfers ownership of a
risk event to a third party, such as a vendor.
Reference: "Project Management Body of Knowledge (PMBOK Guide), Fourth Edition"

Question: 3

Donna is the project manager of the QSD Project and she believes Risk Event D in the following
figure is likely to happen.

If this event does happen, how much will Donna have left in the risk contingency reserve if none of
the risk events have happened?

A. $41,700
B. $6,700
C. $35,000
D. $14,000

Answer: B

To answer this question, you'll first need to calculate the contingency reserve. Contingency reserves
are estimated costs to be used at the discretion of the project manager to deal with anticipated, but
not certain, events. These events are "known unknowns" and are part of the project scope and cost
baselines. The contingency reserve is calculated by multiplying the probability and the impact for each
risk event to obtain that event's risk event value. The sum of the risk event values equals the contingency
reserve for the project. In this question, the value is $41,700. If Risk D happens, it'll cost the project
$35,000. The difference of $35,000 and $41,700 is $6,700.
Answer option C is incorrect. This is the impact of Risk Event D.

Answer option D is incorrect. $14,000 is the risk event value of Risk Event D.
Answer option A is incorrect. $41,700 is the amount of the contingency reserve.
Reference: Chapter 11. A Guide to the Project Management Body of Knowledge, (PMBOK Guide),
Fourth Edition, ISBN:9781933890517, Section

Question: 4

Harry is the project manager of the MMQ Construction Project. In this project Harry has identified a
supplier who can create stained glass windows for 1,000 window units in the construction project.
The supplier is an artist who works by himself, but creates windows for several companies
throughout the United States. Management reviews the proposal to use this supplier and while they
agree that the supplier is talented, they do not think the artist can fulfill the 1,000 window units in
time for the project's deadline. Management asked Harry to find a supplier who will guarantee the
completion of the windows by the needed date in the schedule. What risk response has
management asked Harry to implement?

A. Acceptance
B. Mitigation
C. Transference
D. Avoidance

Answer: B

This is an example of mitigation. By changing to a more reliable supplier Harry is reducing the
probability the supplier will be late. It's still possible that the vendor may not be able to deliver the
stained glass windows, but the more reputable supplier reduces the probability of the lateness.
Mitigation is a risk response planning technique associated with threats that seeks to reduce the
probability of occurrence or impact of a risk to below an acceptable threshold. Risk mitigation
involves taking early action to reduce the probability and impact of a risk occurring on the project.
Adopting less complex processes, conducting more tests, or choosing a more stable supplier are
examples of mitigation actions.

Answer option C is incorrect. Transference is when the risk is transferred to a third party, usually for
a fee. While this question does include a contractual relationship, the risk is the lateness of the
windows. Transference focuses on transferring the risk to a third party to manage the risk event. In
this instance the management of the risk is owned by a third party; the third party actually creates
the risk event because of the possibility of the lateness of the windows.

Answer option D is incorrect. Avoidance changes the project plan to avoid the risk. If the project
manager and management changed the window-type to a standard window in the project
requirements then this would be avoidance.
Answer option A is incorrect. Acceptance accepts the risk that the windows could be late and offers
no response.
Reference: "Project Management Body of Knowledge (PMBOK Guide), Fourth Edition"

Question: 5

There are seven risk responses for any project. Which one of the following is a valid risk response for
a negative risk event?

A. Share
B. Acceptance
C. Exploit
D. Enhance

Answer: B

Among the given choices only the acceptance response can be used for a negative risk event.
The acceptance response is part of the Risk Response Planning process. Acceptance response delineates
that the project plan will not be changed to deal with the risk. Management may develop a
contingency plan if the risk does occur. Acceptance response to a risk event is a strategy that can be
used for risks that pose either threats or opportunities. Acceptance response can be of two types:
Passive acceptance: It is a strategy in which no plans are made to try to avoid or mitigate the risk.
Active acceptance: Such responses include developing contingency reserves to deal with risks, in
case they occur.
Acceptance is the only response for both threats and opportunities.

Answer options C, D, and A are incorrect. Exploit, enhance, and share risk responses are used to deal
with opportunities or positive risks.
Reference: Chapter 11. A Guide to the Project Management Body of Knowledge, (PMBOK Guide),
Fourth Edition, ISBN:9781933890517, Section 11.5.2.

Question: 6

Which of the following acts promote a risk-based policy for cost effective security?
Each correct answer represents a part of the solution. Choose all that apply.

A. Lanham Act
B. Computer Misuse Act
C. Paperwork Reduction Act (PRA)
D. Clinger-Cohen Act

Answer: C, D

The Paperwork Reduction Act (PRA) and the Clinger-Cohen Act promote a risk-based policy for
cost-effective security.
Answer option A is incorrect. The Lanham Act is a piece of legislation that contains the federal
statutes of trademark law in the United States.
The Act prohibits a number of activities, including trademark infringement, trademark dilution, and
false advertising. It is also called Lanham Trademark Act.
Answer option B is incorrect. The Computer Misuse Act 1990 is an Act of the UK Parliament, which
states the following:
Unauthorized access to computer material is punishable by 6 months imprisonment or a fine
"not exceeding level 5 on the standard scale" (currently 5000).
Unauthorized access with the intent to commit or facilitate commission of further offences is
punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment.
Unauthorized modification of computer material is subject to the same sentences as section 2.
What is the Clinger-Cohen Act?
The Clinger-Cohen Act (CCA), formerly the Information Technology Management Reform Act of 1996
(ITMRA), is a 1996 United States federal law, designed to improve the way the federal government
acquires, uses, and disposes of information technology.
The Clinger-Cohen Act supplements the information resources management policies by establishing
a comprehensive approach for executive agencies to improve the acquisition and management of
their information resources in the following ways:
Focusing information resource planning to support their strategic missions
Implementing a capital planning and investment control process that links to budget formulation
and execution
Rethinking and restructuring the way they do their work before investing in information systems
What is the Paperwork Reduction Act?

The Paperwork Reduction Act (PRA) of 1980 as amended by the Paperwork Reduction Act of 1995 is
a United States federal law enacted in 1980 that gave authority over the collection of certain
information to the Office of Management and Budget (OMB). Within the OMB, the Office of
Information and Regulatory Affairs (OIRA) was established with specific authority to regulate matters
regarding federal information and to establish information policies. These information policies were
intended to reduce the total amount of paperwork handled by the United States government and
the general public.
The PRA mandates that all federal government agencies must obtain a Control Number from OMB
before promulgating a form that will impose an information collection burden on the general public.
Once obtained, approval must be renewed every three years. In order to obtain or renew such
approval, an agency must fill out OMB Form 83-I, attach the proposed form, and file it with OIRA. On
Form 83-I, the agency must explain the reason why the form is needed and estimate the burden in
terms of time and money that the form will impose upon the persons required to fill it out.

Question: 7

Which of the following refers to an information security document that is used in the United States
Department of Defense (DoD) to describe and accredit networks and systems?


Answer: A

System Security Authorization Agreement (SSAA) is an information security document used in the
United States Department of Defense (DoD) to describe and accredit networks and systems. The
SSAA is part of the Department of Defense Information Technology Security Certification and
Accreditation Process, or DITSCAP. The DoD instruction (issued in December 1997) that describes
DITSCAP and provides an outline for the SSAA document is DODI 5200.40. The DITSCAP application
manual (DoD 8510.1-M), published in July 2000, provides additional details.
Answer option D is incorrect. FITSAF stands for Federal Information Technology Security Assessment
Framework. It is a methodology for assessing the security of information systems. It provides an
approach for federal agencies. It determines how federal agencies are meeting existing policy and
establishes goals. The main advantage of FITSAF is that it addresses the requirements of the Office of
Management and Budget (OMB). It also addresses the guidelines provided by the National Institute
of Standards and Technology (NIST).
Answer option B is incorrect. Trusted Computer System Evaluation Criteria (TCSEC) is a United States
Government Department of Defense (DoD) standard that sets basic requirements for assessing the
effectiveness of computer security controls built into a computer system. TCSEC was used to
evaluate, classify, and select computer systems being considered for the processing, storage, and
retrieval of sensitive or classified information. It was replaced with the development of the Common
Criteria international standard originally published in 2005. The TCSEC, frequently referred to as the
Orange Book, is the centerpiece of the DoD Rainbow Series publications.
Answer option C is incorrect. The Federal Information Processing Standards (FIPS) are publicly
announced standards developed by the United States federal government for use by all non-military
government agencies and by government contractors. Many FIPS standards are modified versions of
standards used in the wider community (ANSI, IEEE, ISO, etc.).
Some FIPS standards were originally developed by the U.S. government, for instance standards for
encoding data (e.g., country codes) and, more significantly, some encryption standards, such as the
Data Encryption Standard (FIPS 46-3) and the Advanced Encryption Standard (FIPS 197). In 1994,
NOAA began broadcasting coded signals called FIPS (Federal Information Processing System)
codes along with their standard weather broadcasts from local stations. These codes identify the
type of emergency and the specific geographic area (such as a county) affected by the emergency.

Question: 8

You are working as a project manager in your organization. You are nearing the final stages of
project execution and looking towards the final risk monitoring and controlling activities. For your
project archives, which one of the following is an output of risk monitoring and control?

A. Quantitative risk analysis
B. Requested changes
C. Risk audits
D. Qualitative risk analysis

Answer: B

Of all the choices presented, only requested changes are an output of the Monitor and Control Risks
process. You might also have risk register updates, recommended corrective and preventive actions,
organizational process asset updates, and updates to the project management plan.

Answer options D and A are incorrect. These are the plan risk management processes.

Answer option C is incorrect. Risk audit is a risk monitoring and control technique.

Reference: Chapter 11. A Guide to the Project Management Body of Knowledge, (PMBOK Guide),
Fourth Edition, ISBN:9781933890517, Section 11.6.3.

Question: 9

Which of the following governance bodies directs and coordinates implementations of the
information security program?

A. Chief Information Security Officer
B. Information Security Steering Committee
C. Senior Management
D. Business Unit Manager

Answer: A

The Chief Information Security Officer directs and coordinates implementations of the information
security program.
The governance roles and responsibilities are mentioned below in the table:

Question: 10

You work as a project manager for BlueWell Inc. There has been a delay in your project work that is
adversely affecting the project schedule. You decided, with your stakeholders' approval, to fast track
the project work to get the project done faster. When you fast track the project which of the
following is likely to increase?

A. Quality control concerns
B. Risks
C. Costs
D. Human resource needs

Answer: B

Fast tracking allows entire phases of the project to overlap with each other and generally increases
risks within the project. Project risk is concerned with the expected value of one or more results of
one or more future events in a project. It is an uncertain condition that, if it occurs, has an effect on
at least one project objective. Objectives can be scope, schedule, cost, and quality. Project risk is
always in the future.
Answer option A is incorrect. Quality control concerns are not usually affected by fast tracking.
Answer option C is incorrect. Costs do not generally increase due to fast tracking decisions.
Answer option D is incorrect. Human resource needs are not affected by fast tracking in most
Reference: "Project Management Body of Knowledge (PMBOK Guide), Fourth Edition"
