Which of the following DITSCAP C&A phases takes place between the signing of the initial version of the SSAA and the formal accreditation of the system? A. Phase 3 B. Phase 1 C. Phase 2 D. Phase 4
What are the subordinate tasks of the Implement and Validate Assigned IA Control phase in the DIACAP process? Each correct answer represents a complete solution. Choose all that apply. A. Conduct activities related to the disposition of the system data and objects. B. Execute and update IA implementation plan. C. Conduct validation activities. D. Combine validation results in DIACAP scorecard.
Which of the following governance bodies directs and coordinates implementations of the information security program? A. Information Security Steering Committee B. Senior Management C. Business Unit Manager D. Chief Information Security Officer
A high-profile, high-priority project within your organization is being created. Management wants you to pay special attention to the project risks and do all that you can to ensure that all of the risks are identified early in the project. Management has to ensure that this project succeeds. Management's risk aversion in this project is associated with what term? A. Utility function B. Risk conscience C. Quantitative risk analysis D. Risk mitigation
FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls are tested and reviewed? A. Level 1 B. Level 2 C. Level 4 D. Level 5 E. Level 3
Which of the following statements are true about security risks? Each correct answer represents a complete solution. Choose three. A. They can be removed completely by taking proper actions. B. They can be analyzed and measured by the risk analysis process. C. They can be mitigated by reviewing and taking responsible actions based on possible risks. D. They are considered an indicator of threats coupled with vulnerability.
Mark is the project manager of the BFL project for his organization. He and the project team are creating a probability and impact matrix using RAG rating. There is some confusion and disagreement among the project team as to how important a certain risk is and how its priority for attention should be determined. Where can Mark determine the priority of a risk given its probability and impact? A. Risk response plan B. Project sponsor C. Risk management plan D. Look-up table
You are responsible for network and information security at a metropolitan police station. The most important concern is that unauthorized parties are not able to access data. What is this called? A. Confidentiality B. Encryption C. Integrity D. Availability
Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process? A. Senior Agency Information Security Officer B. Authorizing Official C. Chief Information Officer D. Common Control Provider
Correct Answer: D