Appendix A Answers to Assessment Questions

1. 

Which of the following choices is an incorrect description of a control?

  1. Detective controls discover attacks and trigger preventative or corrective controls.
  2. Corrective controls reduce the likelihood of a deliberate attack.
  3. Corrective controls reduce the effect of an attack.
  4. Controls are the countermeasures for vulnerabilities.

answer: b the other three answers are correct descriptions of controls.

2. 

Which of the following statements is accurate about the reasons to implement a layered security architecture?

  1. A layered security approach is not necessary when using COTS products.
  2. A good packet-filtering router will eliminate the need to implement a layered security architecture.
  3. A layered security approach is intended to increase the work-factor for an attacker.
  4. A layered approach doesn’t really improve the security posture of the organization.

image from book

3. 

Which of the following choices represents an application or system demonstrating a need for a high level of confidentiality protection and controls?

  1. Unavailability of the system could result in inability to meet payroll obligations and could cause work stoppage and failure of user organizations to meet critical mission requirements. The system requires 24-hour access.
  2. The application contains proprietary business information and other financial information, which, if disclosed to unauthorized sources, could cause an unfair advantage for vendors, contractors, or individuals and could result in financial loss or adverse legal action to user organizations.
  3. Destruction of the information would require significant expenditures of time and effort to replace. Although corrupted information would present an inconvenience to the staff, most information, and all vital information, is backed up either by paper documentation or on disk.
  4. The mission of this system is to produce local weather forecast information that is made available to the news media forecasters and the general public at all times. None of the information requires protection against disclosure.

image from book

4. 

Which of the following choices is not a concern of policy development at the high level?

  1. Identifying the key business resources
  2. Identifying the type of firewalls to be used for perimeter security
  3. Defining roles in the organization
  4. Determining the capability and functionality of each role

image from book

5. 

Which of the following choices is not an accurate statement about the visibility of IT security policy?

  1. The IT security policy should not be afforded high visibility.
  2. The IT security policy could be visible through panel discussions with guest speakers.
  3. The IT security policy should be afforded high visibility.
  4. The IT security policy should be included as a regular topic at staff meetings at all levels of the organization.

image from book

6. 

Which of the following statements is not accurate regarding the process of risk assessment?

  1. The likelihood of a threat must be determined as an element of the risk assessment.
  2. The level of impact of a threat must be determined as an element of the risk assessment.
  3. Risk assessment is the first process in the risk management methodology.
  4. Risk assessment is the final result of the risk management methodology.

answer: d risk assessment is the first process in the risk management methodology.

7. 

Which of the following choices would not be considered an element of proper user account management?

  1. Users should never be rotated out of their current duties.
  2. The users’ accounts should be reviewed periodically.
  3. A process for tracking access authorizations should be implemented.
  4. Periodically rescreen personnel in sensitive positions.

answer: a the other answers are elements of proper user account management.

8. 

Which of the following choices is not one of NIST’s 33 IT security principles?

  1. Implement least privilege.
  2. Assume that external systems are insecure.
  3. Totally eliminate any level of risk.
  4. Minimize the system elements to be trusted.

image from book

9. 

How often should an independent review of the security controls be performed, according to OMB Circular A-130?

  1. Every year
  2. Every three years
  3. Every five years
  4. Never

image from book

10. 

Which of the following choices best describes the difference between the System Owner and the Information Owner?

  1. There is a one-to-one relationship between system owners and information owners.
  2. One system could have multiple information owners.
  3. The Information Owner is responsible for defining the system’s operating parameters.
  4. The System Owner is responsible for establishing the rules for appropriate use of the information.

answer: b a single system may utilize information from multiple information owners.

11. 

Which of the following choices is not a generally accepted benefit of security awareness, training, and education?

  1. A security awareness program can help operators understand the value of the information.
  2. A security education program can help system administrators recognize unauthorized intrusion attempts.
  3. A security awareness and training program will help prevent natural disasters from occurring.
  4. A security awareness and training program can help an organization reduce the number and severity of errors and omissions.

image from book

12. 

Who has the final responsibility for the preservation of the organization’s information?

  1. Technology providers
  2. Senior management
  3. Users
  4. Application owners

image from book

13. 

Which of the following choices is not an example of an issue-specific policy?

  1. E-mail privacy policy
  2. Virus-checking disk policy
  3. Defined router ACLs
  4. Unfriendly employee termination policy

image from book

14. 

Which of the following statements is not true about security awareness, training, and educational programs?

  1. Awareness and training help users become more accountable for their actions.
  2. Security education assists management in determining who should be promoted.
  3. Security improves the users’ awareness of the need to protect information resources.
  4. Security education assists management in developing the in-house expertise to manage security programs.

image from book

15. 

Which of the following choices is an accurate statement about standards?

  1. Standards are the high-level statements made by senior management in support of information systems security.
  2. Standards are the first element created in an effective security policy program.
  3. Standards are used to describe how policies will be implemented within an organization.
  4. Standards are senior management’s directives to create a computer security program.

image from book

16. 

Which of the following choices is a role of the Information Systems Security Officer?

  1. The ISO establishes the overall goals of the organization’s computer security program.
  2. The ISO is responsible for day-to-day security administration.
  3. The ISO is responsible for examining systems to see whether they are meeting stated security requirements.
  4. The ISO is responsible for following security procedures and reporting security problems.

image from book

17. 

Which of the following statements is not correct about safeguard selection in the risk analysis process?

  1. Maintenance costs need to be included in determining the total cost of the safeguard.
  2. The best possible safeguard should always be implemented, regardless of cost.
  3. The most commonly considered criterion is the cost effectiveness of the safeguard.
  4. Many elements need to be considered in determining the total cost of the safeguard.

image from book

18. 

Which of the following choices is usually the number-one used criterion to determine the classification of an information object?

  1. Value
  2. Useful life
  3. Age
  4. Personal association

image from book

19. 

What are high-level policies?

  1. They are recommendations for procedural controls.
  2. They are the instructions on how to perform a Quantitative Risk Analysis.
  3. They are statements that indicate a senior management’s intention to support InfoSec.
  4. They are step-by-step procedures to implement a safeguard.

image from book

20. 

Which policy type is most likely to contain mandatory or compulsory standards?

  1. Guidelines
  2. Advisory
  3. Regulatory
  4. Informative

image from book

21. 

What does an Exposure Factor (EF) describe?

  1. A dollar figure that is assigned to a single event
  2. A number that represents the estimated frequency of the occurrence of an expected threat
  3. The percentage of loss that a realized threat event would have on a specific asset
  4. The annual expected financial loss to an organization from a threat

answer: c answer a is an sle, b is an aro, and d is an ale.

22. 

What is the most accurate definition of a safeguard?

  1. A guideline for policy recommendations
  2. A step-by-step instructional procedure
  3. A control designed to counteract a threat
  4. A control designed to counteract an asset

answer: c answer a is a guideline, b is a procedure, and d is a distracter.

23. 

Which choice most accurately describes the differences between standards, guidelines, and procedures?

  1. Standards are recommended policies, whereas guidelines are mandatory policies.
  2. Procedures are step-by-step recommendations for complying with mandatory guidelines.
  3. Procedures are the general recommendations for compliance with mandatory guidelines.
  4. Procedures are step-by-step instructions for compliance with mandatory standards.

answer: d the other answers are incorrect.

24. 

What are the detailed instructions on how to perform or implement a control called?

  1. Procedures
  2. Policies
  3. Guidelines
  4. Standards

image from book

25. 

How is an SLE derived?

  1. (Cost – benefit) × (% of Asset Value)
  2. AV × EF
  3. ARO × EF
  4. % of AV – implementation cost

image from book

26. 

What are noncompulsory recommendations on how to achieve compliance with published standards called?

  1. Procedures
  2. Policies
  3. Guidelines
  4. Standards

image from book

27. 

Which group represents the most likely source of an asset loss through inappropriate computer use?

  1. Crackers
  2. Hackers
  3. Employees
  4. Saboteurs

image from book

28. 

Which choice most accurately describes the difference between the role of a data owner and the role of a data custodian?

  1. The custodian implements the information classification scheme after the initial assignment by the owner.
  2. The data owner implements the information classification scheme after the initial assignment by the custodian.
  3. The custodian makes the initial information classification assignments, whereas the operations manager implements the scheme.
  4. The custodian implements the information classification scheme after the initial assignment by the operations manager.

image from book

29. 

What is an ARO?

  1. A dollar figure assigned to a single event
  2. The annual expected financial loss to an organization from a threat
  3. A number that represents the estimated frequency of an occurrence of an expected threat
  4. The percentage of loss that a realized threat event would have on a specific asset

answer: c answer a is the definition of sle, b is an ale, and d is an ef.

30. 

Which formula accurately represents an Annualized Loss Expectancy (ALE) calculation?

  1. SLE × ARO
  2. Asset Value (AV) × EF
  3. ARO × EF – SLE
  4. % of ARO × AV

answer: a answer b is the formula for an sle, and answers c and d are nonsense.

31. 

Which of the following assessment methodologies below is a self-guided assessment implemented in a series of short workshops focusing on key organizational areas and conducted in three phases?

  1. Federal Information Technology Security Assessment Framework (FITSAF)
  2. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  3. Office of Management and Budget (OMB) Circular A-130
  4. INFOSEC Assessment Methodology (IAM)

image from book

32. 

Which of the following assessment methodologies was developed by the National Security Agency to assist both assessment suppliers and consumers?

  1. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  2. Federal Information Processing Standard (FIPS) 102
  3. Federal Information Technology Security Assessment Framework (FITSAF)
  4. INFOSEC Assessment Methodology (IAM)

image from book

Answers

1. 

Answer: b

The other three answers are correct descriptions of controls.

2. 

Answer: c

Security designs should consider a layered approach to increase the work-factor an attacker must expend to successfully attack the system.

3. 

Answer: b

Although elements of all the systems described could require specific controls for confidentiality, given the descriptions above, system b fits the definition most closely of a system requiring a very high level of confidentiality. Answer a is an example of a system requiring high availability. Answer c is an example of a system that requires medium integrity controls. Answer d is a system that requires only a low level of confidentiality.

4. 

Answer: b

Answers a, c, and d are elements of policy development at the highest level. Key business resources would have been identified during the risk assessment process. The various roles are then defined to determine the various levels of access to those resources. Answer d is the final step in the policy creation process and combines steps a and c. It determines which group gets access to each resource and what access privileges its members are assigned. Access to resources should be based on roles, not on individual identity.

5. 

Answer: a

The other three answers are correct statements about the visibility of IT security policy.

6. 

Answer: d

Risk assessment is the first process in the risk management methodology.

7. 

Answer: a

The other answers are elements of proper user account management.

8. 

Answer: c

Risk can never be totally eliminated. NIST IT security principle 4 states: “Reduce risk to an acceptable level.”

9. 

Answer: b

OMB Circular A-130 requires that a review of the security controls for each major government application be performed at least every three years.

10. 

Answer: b

A single system may utilize information from multiple Information Owners.

11. 

Answer: c

The other answers are generally accepted benefits of security awareness, training, and education.

12. 

Answer: b

Senior management has the final responsibility through due care and due diligence to preserve the capital of the organization and further its business model through the implementation of a security program. Although senior management does not have the functional role of managing security procedures, it has the ultimate responsibility to see that business continuity is preserved.

13. 

Answer: c

Answer c is an example of a system-specific policy - in this case the router’s access control lists. The other three answers are examples of issue-specific policy, as defined by NIST.

14. 

Answer: b

The other answers are correct statements about security awareness, training, and educational programs.

15. 

Answer: c

Answers a, b, and d describe policies. Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization.

16. 

Answer: b

Answer a is a responsibility of senior management. Answer c is a description of the role of auditing. Answer d is the role of the user, or consumer, of security in an organization.

17. 

Answer: b

Performing a cost-benefit analysis of the proposed safeguard before implementation is vital. The level of security afforded could easily fail to outweigh the cost of a proposed safeguard. Other factors need to be considered in the safeguard selection process, such as accountability, auditability, and the level of manual operations needed to maintain or operate the safeguard.

18. 

Answer: a

Value of the information asset to the organization is usually the first and foremost criterion used in determining its classification.

19. 

Answer: c.

High-level policies are senior management statements of recognition of the importance of security controls to the mission of the organization.

20. 

Answer: c

Answer b (advisory policies) might specify penalties for noncompliance, but regulatory policies are required to be followed by the organization. Answers a and d are informational or recommended policies only.

21. 

Answer: c

Answer a is an SLE, b is an ARO, and d is an ALE.

22. 

Answer: c

Answer a is a guideline, b is a procedure, and d is a distracter.

23. 

Answer: d

The other answers are incorrect.

24. 

Answer: a

25. 

Answer: b.

A Single Loss Expectancy is derived by multiplying the Asset Value by its Exposure Factor. The other answers do not exist.

26. 

Answer: c

27. 

Answer: c

Internal personnel far and away constitute the largest amount of dollar loss due to unauthorized or inappropriate computer use.

28. 

Answer: a

29. 

Answer: c

Answer a is the definition of SLE, b is an ALE, and d is an EF.

30. 

Answer: a

Answer b is the formula for an SLE, and answers c and d are nonsense.

31. 

Answer: b

Carnegie Mellon University’s Software Engineering Institute (SEI) created the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). OCTAVE is a self-guided assessment implemented in a series of short workshops focusing on key organizational areas.

It is conducted in three phases:

  1. Identify critical assets and the threats to those assets
  2. Identify the vulnerabilities that expose those threats
  3. Develop an appropriate protection strategy for the organization’s mission and priorities

32. 

Answer: d

The INFOSEC Assessment Methodology (IAM) is a detailed and systematic way of examining cyber vulnerabilities that was developed by the National Security Agency to assist both INFOSEC assessment suppliers and consumers requiring assessments. The IAM examines the mission, organization, security policies and programs, and information systems and the threat to these systems.

1. 

The goals of integrity do not include:

  1. Accountability of responsible individuals
  2. Prevention of the modification of information by unauthorized users
  3. Prevention of the unauthorized or unintentional modification of information by authorized users
  4. Preservation of internal and external consistency

image from book

2. 

Kerberos is an authentication scheme that can be used to implement:

  1. Public-key cryptography
  2. Digital signatures
  3. Hash functions
  4. Single Sign-On (SSO)

image from book

3. 

The fundamental entity in a relational database is the:

  1. Domain
  2. Relation
  3. Pointer
  4. Cost

image from book

4. 

In a relational database, security is provided to the access of data through:

  1. Candidate keys
  2. Views
  3. Joins
  4. Attributes

image from book

5. 

In biometrics, a one-to-one search to verify an individual’s claim of an identity is called:

  1. Audit trail review
  2. Authentication
  3. Accountability
  4. Aggregation

image from book

6. 

Biometrics is used for identification in the physical controls and for authentication in the:

  1. Detective controls
  2. Preventive controls
  3. Logical controls
  4. Corrective controls

image from book

7. 

Referential integrity requires that for any foreign key attribute, the referenced relation must have:

  1. A tuple with the same value for its primary key
  2. A tuple with the same value for its secondary key
  3. An attribute with the same value for its secondary key
  4. An attribute with the same value for its other foreign key

image from book

8. 

A password that is the same for each logon is called a:

  1. Dynamic password
  2. Static password
  3. Passphrase
  4. One-time pad

image from book

9. 

Which one of the following is not an access attack?

  1. Spoofing
  2. Back door
  3. Dictionary
  4. Penetration test

image from book

10. 

An attack that uses a detailed listing of common passwords and words in general to gain unauthorized access to an information system is best described as:

  1. Password guessing
  2. Software exploitation
  3. Dictionary attack
  4. Spoofing

image from book

11. 

A statistical anomaly–based intrusion detection system:

  1. Acquires data to establish a normal system operating profile
  2. Refers to a database of known attack signatures
  3. Will detect an attack that does not significantly change the system’s operating characteristics
  4. Does not report an event that caused a momentary anomaly in the system

image from book

12. 

Which one of the following definitions best describes system scanning?

  1. An attack that uses dial-up modems or asynchronous external connections to an information system in order to bypass information security control mechanisms
  2. An attack that is perpetrated by intercepting and saving old messages and then sending them later, impersonating one of the communicating parties
  3. Acquisition of information that is discarded by an individual or organization
  4. A process used to collect information about a device or network to facilitate an attack on an information system

image from book

13. 

In which type of penetration test does the testing team have access to internal system code?

  1. Closed-box
  2. Transparent-box
  3. Open-box
  4. Coding-box

image from book

14. 

A standard data manipulation and relational database definition language is:

  1. OOD
  2. SQL
  3. SLL
  4. Script

answer: b all answers other than sql (b) do not apply.

15. 

An attack that can be perpetrated against a remote user’s callback access control is:

  1. Call forwarding
  2. A Trojan horse
  3. A maintenance hook
  4. Redialing

image from book

16. 

The definition of CHAP is:

  1. Confidential Hash Authentication Protocol
  2. Challenge Handshake Authentication Protocol
  3. Challenge Handshake Approval Protocol
  4. Confidential Handshake Approval Protocol

image from book

17. 

Using symmetric-key cryptography, Kerberos authenticates clients to other entities on a network and facilitates communications through the assignment of:

  1. Public keys
  2. Session keys
  3. Passwords
  4. Tokens

image from book

18. 

Three things that must be considered for the planning and implementation of access control mechanisms are:

  1. Threats, assets, and objectives
  2. Threats, vulnerabilities, and risks
  3. Vulnerabilities, secret keys, and exposures
  4. Exposures, threats, and countermeasures

image from book

19. 

In mandatory access control, the authorization of a subject to have access to an object is dependent upon:

  1. Labels
  2. Roles
  3. Tasks
  4. Identity

image from book

20. 

The type of access control that is used in local, dynamic situations where subjects have the ability to specify what resources certain users can access is called:

  1. Mandatory access control
  2. Rule-based access control
  3. Sensitivity-based access control
  4. Discretionary access control

image from book

21. 

Role-based access control is useful when:

  1. Access must be determined by the labels on the data.
  2. There are frequent personnel changes in an organization.
  3. Rules are needed to determine clearances.
  4. Security clearances must be used.

image from book

22. 

Clipping levels are used to:

  1. Limit the number of letters in a password
  2. Set thresholds for voltage variations
  3. Reduce the amount of data to be evaluated in audit logs
  4. Limit errors in callback systems

image from book

23. 

Identification is:

  1. A user being authenticated by the system
  2. A user providing a password to the system
  3. A user providing a shared secret to the system
  4. A user professing an identity to the system

image from book

24. 

Authentication is:

  1. The verification that the claimed identity is valid
  2. The presentation of a user’s ID to the system
  3. Not accomplished through the use of a password
  4. Applied only to remote users

image from book

25. 

An example of two-factor authentication is:

  1. A password and an ID
  2. An ID and a PIN
  3. A PIN and an ATM card
  4. A fingerprint

image from book

26. 

In biometrics, a good measure of the performance of a system is the:

  1. False detection
  2. Crossover error rate (CER)
  3. Positive acceptance rate
  4. Sensitivity

answer: b answer b is correct. the other items are made-up distracters.

27. 

In finger scan technology:

  1. The full fingerprint is stored.
  2. Features extracted from the fingerprint are stored.
  3. More storage is required than in fingerprint technology.
  4. The technology is applicable to large, one-to-many database searches.

image from book

28. 

An acceptable biometric throughput rate is:

  1. One subject per two minutes
  2. Two subjects per minute
  3. Ten subjects per minute
  4. Five subjects per minute

image from book

29. 

Which one of the following is not a type of penetration test?

  1. Sparse-knowledge test
  2. Full-knowledge test
  3. Partial-knowledge test
  4. Zero-knowledge test

answer: a the correct answer is a, a distracter.

30. 

Object-Oriented Database (OODB) systems:

  1. Are ideally suited for text-only information
  2. Require minimal learning time for programmers
  3. Are useful in storing and manipulating complex data, such as images and graphics
  4. Consume minimal system resources

image from book

31. 

A minimally configured information entry and retrieval device that relies on a remote server for its primary processing, security, storage, and printing functions is called a:

  1. Workstation
  2. Server
  3. Thin client
  4. Remote storage station

image from book

Answers

1. 

Answer: a

Accountability is holding individuals responsible for their actions. Answers b, c, and d are the three goals of integrity.

2. 

Answer: d

Kerberos is a third-party authentication protocol that can be used to implement SSO. Answer a is incorrect because public-key cryptography is not used in the basic Kerberos protocol. Answer b is a public-key-based capability, and answer c is a one-way transformation used to disguise passwords or to implement digital signatures.

3. 

Answer: b

The fundamental entity in a relational database is the relation, in the form of a table. Answer a is the set of allowable attribute values, and answers c and d are distracters.

4. 

Answer: b

Views enable access to data in their underlying tables to be controlled. Candidate keys (answer a) are the set of unique keys from which the primary key is selected. Answer c Joins (answer c) are operations that can be performed on the database, and the attributes (answer d) denote the columns in the relational table.

5. 

Answer: b

Answer b is correct. Answer a is a review of audit system data, usually done after the fact. Answer c is holding individuals responsible for their actions, and answer d is obtaining higher-sensitivity information from a number of pieces of information of lower sensitivity.

6. 

Answer: c

The correct answer is c (logical controls). The other answers are different categories of controls where preventive controls attempt to eliminate or reduce vulnerabilities before an attack occurs; detective controls attempt to determine that an attack is taking place or has taken place; and corrective controls involve taking action to restore the system to normal operation after a successful attack.

7. 

Answer: a

The correct answer is a. Answers b and c are incorrect because a secondary key is not a valid term. Answer d is a distracter because referential integrity has a foreign key referring to a primary key in another relation.

8. 

Answer: b

The correct answer is b. In answer a, the password changes at each logon. A passphrase (answer c) is a long word or phrase that is converted by the system to a password. A one-time pad (answer d) consists of using a random key only once when sending a cryptographic message.

9. 

Answer: d

The correct answer is d, a distracter. A penetration test is conducted to obtain a high level evaluation of a system’s defense or to perform a detailed analysis of the information system’s weaknesses. A penetration test can determine how a system reacts to an attack, whether or not a system’s defenses can be breached, and what information can be acquired from the system. It is performed with the approval of the target organization.

10. 

Answer: c

In a dictionary attack (answer c), a dictionary of common words and passwords are applied to attempt to gain unauthorized access to an information system. In password guessing (answer a), the attacker guesses passwords derived from sources such as notes on the user’s desk, the user’s birthday, a pet’s name, applying social engineering techniques, and so on. Answer b refers to exploiting software vulnerabilities, and answer d, spoofing, is a method used by an attacker to convince an information system that it is communicating with a known, trusted entity.

11. 

Answer: a

A statistical anomaly–based intrusion detection system acquires data to establish a normal system operating profile. Answer b is incorrect because it is used in signature-based intrusion detection. Answer c is incorrect because a statistical anomaly–based intrusion detection system will not detect an attack that does not significantly change the system operating characteristics. Similarly, answer d is incorrect because the statistical anomaly–based IDS is susceptible to reporting an event that caused a momentary anomaly in the system.

12. 

Answer: d

Answer d is correct. Answer a describes a back door attack, answer b is a replay attack, and answer c refers to dumpster diving.

13. 

Answer: c

The correct answer is c, open-box testing. In closed-box testing (answer a), the testing team does not have access to internal system code. The other answers are distracters.

14. 

Answer: b

All answers other than SQL (b) do not apply.

15. 

Answer: a

The correct answer is a. A cracker can have a person’s call forwarded to another number to foil the callback system. Answer b is incorrect because it is an example of malicious code embedded in useful code. Answer c is incorrect because it might enable bypassing controls of a system through a means used for debugging or maintenance. Answer d is incorrect because it is a distracter.

16. 

Answer: b

17. 

Answer: b

Session keys are temporary keys assigned by the KDC and used for an allotted period of time as the secret key between two entities. Answer a is incorrect because it refers to asymmetric encryption, which is not used in the basic Kerberos protocol. Answer c is incorrect because it is not a key, and answer d is incorrect because a token generates dynamic passwords.

18. 

Answer: b

Threats define the possible source of security policy violations; vulnerabilities describe weaknesses in the system that might be exploited by the threats; and the risk determines the probability of threats being realized. All three items must be present to meaningfully apply access control. Therefore, the other answers are incorrect.

19. 

Answer: a

Mandatory access controls use labels to determine whether subjects can have access to objects, depending on the subjects’ clearances. Answer b, roles, is applied in nondiscretionary access control, as is answer c, tasks. Answer d, identity, is used in discretionary access control.

20. 

Answer: d

Answer d is correct. Answers a and b require strict adherence to labels and clearances. Answer c is a made-up distracter.

21. 

Answer: b

Role-based access control is part of nondiscretionary access control. Answers a, c, and d relate to mandatory access control.

22. 

Answer: c

Clipping levels are used for reducing the amount of data to be evaluated by definition. Answer a is incorrect because clipping levels do not relate to letters in a password. Answer b is incorrect because clipping levels in this context have nothing to do with controlling voltage levels. Answer d is incorrect because they are not used to limit callback errors.

23. 

Answer: d

A user presents an ID to the system as identification. Answer a is incorrect because presenting an ID is not an authentication act. Answer b is incorrect because a password is an authentication mechanism. Answer c is incorrect because it refers to cryptography or authentication.

24. 

Answer: a

Answer a is correct. Answer b is incorrect because it is an identification act. Answer c is incorrect because authentication can be accomplished through the use of a password. Answer d is incorrect because authentication is applied to local and remote users.

25. 

Answer: c

The correct answer is c. These items are something you know and something you have. Answer a is incorrect because essentially, only one factor is being used - something you know (password). Answer b is incorrect for the same reason. Answer d is incorrect because only one biometric factor is being used.

26. 

Answer: b

Answer b is correct. The other items are made-up distracters.

27. 

Answer: b

In finger scan technology, the features extracted from the fingerprint are stored. Answer a is incorrect because the equivalent of the full finger-print is not stored in finger scan technology. Answers c and d are incorrect because the opposite is true of finger scan technology.

28. 

Answer: c

29. 

Answer: a

The correct answer is a, a distracter.

30. 

Answer: c

Answer c is correct. The other answers are false because for answer a, relational databases are ideally suited to text-only information. For b and d, OODB systems have a steep learning curve and consume a large amount of system resources.

31. 

Answer: c

Answer c is correct. Answers a and b are computing systems with extensive storage and processing capabilities. Answer d is a made up distracter.

1. 

Which of the following is not an element of a fiber-optic cable?

  1. Core
  2. BNC
  3. Jacket
  4. Cladding

image from book

2. 

To what does 10Base5 refer?

  1. 10 Mbps thinnet coax cabling rated to 185 meters maximum length
  2. 10 Mbps thicknet coax cabling rated to 500 meters maximum length
  3. 10 Mbps baseband optical fiber
  4. 100 Mbps unshielded twisted pair cabling

answer: b answer a refers to 10base2; answer c refers to 10basef; and answer d refers to 100baset.

3. 

Which of the following LAN transmission methods describes a packet sent from a single source to multiple specific destinations?

  1. Unicast
  2. Multicast
  3. Broadcast
  4. Anycast

image from book

4. 

Which part of the 48-bit, 12-digit hexadecimal number known as the Media Access Control (MAC) address identifies the manufacturer of the network device?

  1. The first three bytes
  2. The first two bytes
  3. The second half of the MAC address
  4. The last three bytes

image from book

5. 

Which of the following best describes coaxial cable?

  1. Coax consists of two insulated wires wrapped around each other in a regular spiral pattern.
  2. Coax consists of a hollow outer cylindrical conductor surrounding a single, inner conductor.
  3. Coax does not require the fixed spacing between connections that UTP requires.
  4. Coax carries signals as light waves.

image from book

6. 

Which of the following is not one of the legal IP address ranges specified by RFC1976 and reserved by the Internet Assigned Numbers Authority (IANA) for nonroutable private addresses?

  1. 10.0.0.0–10.255.255.255
  2. 127.0.0.0–127.0.255.255
  3. 172.16.0.0–172.31.255.255
  4. 192.168.0.0–192.168.255.255

image from book

7. 

Which of the following statements about the difference between analog and digital signals is incorrect?

  1. An analog signal produces an infinite waveform.
  2. Analog signals cannot be used for data communications.
  3. An analog signal can be varied by amplification.
  4. A digital signal produces a square waveform.

answer: b the other answers are all properties of analog or digital signals.

8. 

Which of the following most accurately describes SSL?

  1. It’s a widely used standard of securing e-mail at the Application level.
  2. It gives a user remote access to a command prompt across a secure, encrypted session.
  3. It uses two protocols, the Authentication Header and the Encapsulating Security Payload.
  4. It allows an application to have authenticated, encrypted communications across a network.

image from book

9. 

Which IEEE protocol defines wireless transmission in the 5 GHz band with data rates up to 54 Mbps?

  1. IEEE 802.11a
  2. IEEE 802.11b
  3. IEEE 802.11g
  4. IEEE 802.15

image from book

10. 

Which protocol is used to resolve a known IP address to an unknown MAC address?

  1. ARP
  2. RARP
  3. ICMP
  4. TFTP

image from book

11. 

Which TCP/IP protocol operates at the OSI Network Layer?

  1. FTP
  2. IP
  3. TCP
  4. UDP

image from book

12. 

Which statement accurately describes the difference between 802.11b WLAN ad hoc and infrastructure modes?

  1. The ad hoc mode requires an Access Point to communicate to the wired network.
  2. Wireless nodes can communicate peer-to-peer in the infrastructure mode.
  3. Wireless nodes can communicate peer-to-peer in the ad hoc mode.
  4. Access points are rarely used in 802.11b WLANs.

image from book

13. 

Which of the following is true about the difference between TCP and UDP?

  1. UDP is considered a connectionless protocol, and TCP is connection-oriented.
  2. TCP is considered a connectionless protocol, and UDP is connection oriented.
  3. UDP acknowledges the receipt of packets, and TCP does not.
  4. TCP is sometimes referred to as an unreliable protocol.

image from book

14. 

Which of the following denotes a packet-switched connectionless wide area network (WAN) technology?

  1. X.25
  2. Frame Relay
  3. SMDS
  4. ATM

image from book

15. 

Which of the following answers is true about the difference between FTP and TFTP?

  1. FTP does not have a directory-browsing capability, whereas TFTP does.
  2. FTP enables print job spooling, whereas TFTP does not.
  3. TFTP is less secure because session authentication does not occur.
  4. FTP is less secure because session authentication does not occur.

image from book

16. 

Which of the following statements is correct regarding VLANs?

  1. A VLAN restricts flooding to only those ports included in the VLAN.
  2. A VLAN is a network segmented physically, not logically.
  3. A VLAN is less secure when implemented in conjunction with private port switching.
  4. A closed VLAN configuration is the least secure VLAN configuration.

image from book

17. 

Which of the following statements about a VPN tunnel is incorrect?

  1. It can be created by implementing only IPSec devices.
  2. It can be created by installing software or hardware agents on the client or network.
  3. It can be created by implementing key and certificate exchange systems.
  4. It can be created by implementing node authentication systems.

image from book

18. 

Which of the following can create a server-spoofing attack?

  1. DNS poisoning
  2. C2MYAZZ
  3. Snort
  4. BO2K

image from book

19. 

What is a server cluster?

  1. A primary server that mirrors its data to a secondary server
  2. A group of independent servers that are managed as a single system
  3. A tape array backup implementation
  4. A group of WORM optical jukeboxes

image from book

20. 

Which of the following attack types does not exploit TCP vulnerabilities?

  1. Sequence Number attack
  2. SYN attack
  3. Ping of Death
  4. land.c attack

image from book

21. 

What is probing used for?

  1. To induce a user into taking an incorrect action
  2. To give an attacker a road map of the network
  3. To use up all of a target’s resources
  4. To covertly listen to transmissions

image from book

22. 

Which of the following firewall types uses a dynamic state table to inspect the content of packets?

  1. A packet-filtering firewall
  2. An application-level firewall
  3. A circuit-level firewall
  4. A stateful-inspection firewall

image from book

23. 

To what does logon abuse refer?

  1. Breaking into a network primarily from an external source
  2. Legitimate users accessing networked services that would normally be restricted to them
  3. Nonbusiness or personal use of the Internet
  4. Intrusions via dial-up or asynchronous external network connections

image from book

24. 

What type of firewall architecture employs two network cards and a single screening router?

  1. A screened-host firewall
  2. A dual-homed host firewall
  3. A screened-subnet firewall
  4. An application-level proxy server

image from book

25. 

To what does covert channel eavesdropping refer?

  1. Using a hidden, unauthorized network connection to communicate unauthorized information
  2. Nonbusiness or personal use of the Internet
  3. Socially engineering passwords from an ISP
  4. The use of two-factor passwords

image from book

26. 

What is one of the most common drawbacks to using a dual-homed host firewall?

  1. The examination of the packet at the Network Layer introduces latency.
  2. The examination of the packet at the Application Layer introduces latency.
  3. The ACLs must be manually maintained on the host.
  4. Internal routing may accidentally become enabled.

image from book

27. 

Which is not a property of a bridge?

  1. It forwards the data to all other segments if the destination is not on the local segment.
  2. It operates at Layer 2, the Data Link Layer.
  3. It operates at Layer 3, the Network Layer.
  4. It can create a broadcast storm.

image from book

28. 

Which IEEE protocol defines the Spanning Tree protocol?

  1. IEEE 802.5
  2. IEEE 802.3
  3. IEEE 802.11
  4. IEEE 802.1D

image from book

29. 

What does the Data Encapsulation in the OSI model do?

  1. It creates seven distinct layers.
  2. It wraps data from one layer around a data packet from an adjoining layer.
  3. It provides best-effort delivery of a data packet.
  4. It makes the network transmission deterministic.

image from book

30. 

Which of the following choices is not an element of IPSec?

  1. Authentication Header
  2. Layer Two Tunneling Protocol
  3. Security Association
  4. Encapsulating Security Payload

image from book

31. 

Which of the following network attacks would not be considered a Denial of Service attack?

  1. Ping of Death
  2. Smurf
  3. Brute Force
  4. TCP SYN

image from book

32. 

Which statement is not true about the SOCKS protocol?

  1. It is sometimes referred to as an application-level proxy.
  2. It uses an ESP for authentication and encryption.
  3. It operates in the Transport Layer of the OSI model.
  4. Network applications need to be SOCKS-ified to operate.

image from book

33. 

Which of the following choices is not a way to get Windows NT passwords?

  1. Obtain the backup SAM from the repair directory.
  2. Boot the NT server with a floppy containing an alternate operating system.
  3. Obtain root access to the /etc/passwd file.
  4. Use pwdump2 to dump the password hashes directly from the registry.

image from book

34. 

Which type of routing commonly broadcasts its routing table information to all other routers every minute?

  1. Static
  2. Distance Vector
  3. Link State
  4. Dynamic Control Protocol

image from book

35. 

A back door into a network refers to what?

  1. Socially engineering passwords from a subject
  2. Mechanisms created by hackers to gain network access at a later time
  3. Undocumented instructions used by programmers to debug applications
  4. Monitoring programs implemented on dummy applications to lure intruders

image from book

36. 

What is the protocol that supports sending and receiving e-mail?

  1. SNMP
  2. SMTP
  3. ICMP
  4. RARP

image from book

37. 

Which of the following protocols does not pertain to e-mail?

  1. SMTP
  2. POP
  3. CHAP
  4. IMAP

image from book

38. 

Which of the following does not relate to analog dial-up hacking?

  1. War dialing
  2. War walking
  3. Demon dialing
  4. ToneLoc

image from book

39. 

Which of the following is the earliest and the most commonly found Interior Gateway Protocol?

  1. RIP
  2. OSPF
  3. IGRP
  4. EAP

image from book

40. 

What is the Network Layer of the OSI reference model primarily responsible for?

  1. Internetwork packet routing
  2. LAN bridging
  3. SMTP Gateway services
  4. Signal regeneration and repeating

image from book

41. 

Which of the following is not a true statement about Network Address Translation (NAT)?

  1. NAT is used when corporations want to use private addressing ranges for internal networks.
  2. NAT is designed to mask the true IP addresses of internal systems.
  3. Private addresses can easily be routed globally.
  4. NAT translates private IP addresses to registered “real” IP addresses.

answer: c private addresses are not easily routable.

42. 

In the DoD reference model, which layer conforms to the OSI Transport Layer?

  1. Process/Application Layer
  2. Host-to-Host Layer
  3. Internet Layer
  4. Network Access Layer

image from book

43. 

The IP address 178.22.90.1 is considered to be in which class of address?

  1. Class A
  2. Class B
  3. Class C
  4. Class D

image from book

44. 

What does TFTP stand for?

  1. Trivial File Transport Protocol
  2. Transport for TCP/IP
  3. Trivial File Transfer Protocol
  4. Transport File Transfer Protocol

answer: c the other acronyms do not exist.

45. 

Which IEEE protocol offers two different protocols to address security issues with 802.11 products?

  1. IEEE 802.11e
  2. IEEE 802.11f
  3. IEEE 802.11g
  4. IEEE 802.11i

image from book

46. 

Which new wireless IEEE protocol combines multiple input, multiple output (MIMO) technology with multiple antennas to achieve raw data rates from 100 Mbps to 600 Mbps?

  1. IEEE 802.11h
  2. IEEE 802.11i
  3. IEEE 802.11n
  4. IEEE 802.16

image from book

47. 

Which of the following choices is the best description of bluejacking?

  1. A shareware program for locating WLAN SSIDs
  2. A hacker determining an AP’s broadcast SSID
  3. A Bluetooth wireless hack that exploits BT’s discover mode
  4. HTML tailored to the small screens and limited resources of a wireless handheld

image from book

48. 

Which choice is not a common ability of a keylogger?

  1. Log all Web sites visited
  2. Interact with potential hackers in such a way as to capture the details of their attacks
  3. Record all keystrokes
  4. Log every application executed

image from book

49. 

Which choice is the best description of a spambot?

  1. A program designed to collect e-mail addresses from the Internet in order to send advertising messages
  2. A pop-up window that asks users to download a program to their computer’s hard drive
  3. A program in which malicious code is contained inside apparently harmless programming
  4. A program that surreptitiously allows access to a computer’s resources via a network connection

image from book

Answers

1. 

Answer: b

A BNC refers to a Bayonet Neil Concelman RG58 connector for 10Base2. Fiber-optic cable has three basic physical elements: the core, the cladding, and the jacket. The core is the innermost transmission medium, which can be glass or plastic. The next outer layer, the cladding, is also made of glass or plastic, but it has different properties and helps to reflect the light back into the core. The outermost layer, the jacket, provides protection from heat, moisture, and other environmental elements.

2. 

Answer: b

Answer a refers to 10Base2; answer c refers to 10BaseF; and answer d refers to 100BaseT.

3. 

Answer: b

Unicast (answer a) describes a packet sent from a single source to a single destination. Answer c (broadcast) describes a packet sent to all nodes on the network segment. Answer d (anycast) refers to communication between any sender and the nearest of a group of receivers in a network.

4. 

Answer: a

The first three bytes (or first half) of the six-byte MAC address is the manufacturer’s identifier. This can be a good troubleshooting aid if a network device is acting up, because it will isolate the brand of the failing device. The other answers are distracters.

5. 

Answer: b

Coax consists of a hollow outer cylindrical conductor surrounding a single, inner wire conductor. Answer a describes UTP. Answer c is false because coax requires fixed spacing between connections, and answer d describes fiber-optic cable.

6. 

Answer: b

The other three address ranges can be used for Network Address Translation (NAT). Although NAT is, in itself, not a very effective security measure, a large network can benefit from using NAT with Dynamic Host Configuration Protocol (DHCP) to help prevent certain internal routing information from being exposed. The address 127.0.0.1 is called the loopback address.

7. 

Answer: b

The other answers are all properties of analog or digital signals.

8. 

Answer: d

The Secure Sockets Layer (SSL) sits between higher-level application functions and the TCP/IP stack and provides security to applications. It includes a variety of encryption algorithms to secure transmitted data, but the functionality must be integrated into the application. Answer a refers to the Secure/Multipurpose Internet Mail Extension (S/MIME). Most major email clients support S/MIME today. Answer b describes Secure Shell (SSH). Answer c refers to IPSec. IPSec enables security to be built directly into the TCP/IP stack, without requiring application modification.

9. 

Answer: a

IEEE 802.11a specifies high-speed wireless connectivity in the 5 GHz band using Orthogonal Frequency Division Multiplexing with data rates up to 54 Mbps. Answer b, IEEE 802.11b, specifies high-speed wireless connectivity in the 2.4 GHz ISM band up to 11 Mbps. Answer c, IEEE 802.11g, is a proposed standard that offers wireless transmission over relatively short distances at speeds from 20 Mbps up to 54 Mbps and operates in the 2.4 GHz range (and is therefore expected to be backward-compatible with existing 802.11b-based networks). Answer d, IEEE 802.15, defines Wireless Personal Area Networks (WPAN), such as Bluetooth, in the 2.4-2.5 GHz band.

10. 

Answer: a

The Address Resolution Protocol (ARP) sends a broadcast asking for the host with a specified IP address to reply with its MAC, or hardware address. This information is kept in the ARP Cache. The Reverse Address Resolution Protocol (RARP), answer b, is commonly used on diskless machines when the MAC is known but not the IP address. It asks a RARP server to provide a valid IP address, which is somewhat the reverse of ARP. The Internet Control Message Protocol (ICMP), answer c, is a management protocol for IP. The Trivial File Transfer Protocol (TFTP), answer d, is a stripped-down version of the File Transfer Protocol (FTP).

11. 

Answer: b

IP operates at the Network Layer of the OSI model and at the Internet layer of the TCP/IP model. FTP operates at the Application layer of the TCP/IP model, which is roughly similar to the top three layers of the OSI model: the Application, Presentation, and Session Layers. TCP and UDP both operate at the OSI Transport Layer, which is similar to the TCP/IP host-to-host layer.

12. 

Answer: c

Nodes on an IEEE 802.11b wireless LANs can communicate in one of two modes: ad hoc or infrastructure. In ad hoc mode, the wireless nodes communicate directly with each other, without establishing a connection to an access point on a wired LAN. In infrastructure mode, the wireless nodes communicate to an access point, which operates similarly to a bridge or router and manages traffic between the wireless network and the wired network.

13. 

Answer: a

As opposed to the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) is a connectionless protocol. It does not sequence the packets or acknowledge the receipt of packets and is referred to as an unreliable protocol.

14. 

Answer: c

Switched Multimegabit Data Service (SMDS) is a high-speed, connectionless, packet-switching public network service that extends LAN-like performance to a metropolitan area network (MAN) or a wide area network (WAN). It’s generally delivered over a SONET ring with a maximum effective service radius of around 30 miles. X.25, answer a, defines an interface to the first commercially successful connection-oriented packet-switching network, in which the packets travel over virtual circuits. Frame Relay, answer b, was a successor to X.25 and offers a connection-oriented packet-switching network. Asynchronous Transfer Mode (ATM), answer d, was developed from an outgrowth of ISDN standards and is a fast-packet, connection-oriented, cell-switching technology.

15. 

Answer: c

The Trivial File Transfer Protocol (TFTP) is considered less secure than the File Transfer Protocol (FTP) because authentication does not occur during session establishment.

16. 

Answer: a

A virtual local area network (VLAN) allows ports on the same or different switches to be grouped so that traffic is confined to members of that group only, and it restricts broadcast, unicast, and multicast traffic. Answer b is incorrect because a VLAN is segmented logically, rather than physically. Answer c is incorrect; when a VLAN is implemented with private port, or single-user, switching, it provides fairly stringent security because broadcast vulnerabilities are minimized. Answer d is incorrect, as a closed VLAN authenticates a user to an access control list on a central authentication server, where they are assigned authorization parameters to determine their level of network access.

17. 

Answer: a

IPSec-compatible and non-IPSec compatible devices are used to create VPNs. The other three answers are all ways in which VPNs can be created.

18. 

Answer: b

C2MYAZZ is a utility that enables server spoofing to implement a session hijacking or man-in-the-middle exploit. It intercepts a client LANMAN authentication logon and obtains the session’s logon credentials and password combination transparently to the user. DNS poisoning (answer a) is also known as cache poisoning. It is the process of distributing incorrect IP address information for a specific host with the intent to divert traffic from its true destination. Snort (answer c) is a utility used for network sniffing, is the process of gathering traffic from a network by capturing the data as it passes and storing it to analyze later. Back Orifice 2000 (BO2K), answer d, is an application-level Trojan horse used to give an attacker backdoor network access.

19. 

Answer: b

A server cluster is a group of servers that appears to be a single server to the user. Answer a refers to redundant servers.

20. 

Answer: c

The Ping of Death exploits the fragmentation vulnerability of large ICMP ECHO request packets by sending an illegal packet with more than 65K of data, creating a buffer overflow. A TCP sequence number attack (answer a) exploits the nonrandom predictable pattern of TCP connection sequence numbers to spoof a session. A TCP SYN attack (answer b) is a DoS attack that exploits the TCP three-way handshake. The attacker rapidly generates randomly sourced SYN packets filling the target’s connection queue before the connection can timeout. A land.c attack (answer d) is also a DoS attack that exploits TCP SYN packets. The attacker sends a packet that gives both the source and destination as the target’s address and uses the same source and destination port.

21. 

Answer: b

Probing is a procedure whereby the intruder runs programs that scan the network to create a network map for later intrusion. Answer a is spoofing, answer c is the objective of a DoS attack, and answer d describes passive eavesdropping.

22. 

Answer: d

A stateful-inspection firewall intercepts incoming packets at the Network level and then uses an Inspection Engine to extract state-related information from upper layers. It maintains the information in a dynamic state table and evaluates subsequent connection attempts. A packet-filtering firewall (answer a) is the simplest type of firewall commonly implemented on routers. It operates at the Network layer and offers good performance but is the least secure. An application-level firewall or application-layer gateway (answer b) is more secure because it examines the packet at the Application layer but at the expense of performance. A circuit-level firewall (answer c) is similar to the application-level firewall in that it functions as a proxy server, but it differs in that special proxy application software is not needed.

23. 

Answer: b

Logon abuse entails an otherwise proper user attempting to access areas of the network that are deemed off-limits. Answer a is called network intrusion, and d refers to backdoor remote access.

24. 

Answer: a

Like a dual-homed host, a screened-host firewall uses two network cards to connect to the trusted and untrusted networks, but it adds a screening router between the host and the untrusted network. A dualhomed host (answer b) has two NICs but not necessarily a screening router. A screened-subnet firewall, (answer c) also uses two NICs but has two screening routers with the host acting as a proxy server on its own network segment. One screening router controls traffic local to the network while the second monitors and controls incoming and outgoing Internet traffic. Answer d, application-level proxy, is unrelated to this question.

25. 

Answer: a

A covert channel is a connection intentionally created to transmit unauthorized information from inside a trusted network to a partner at an outside, untrusted node. Answer c is called masquerading.

26. 

Answer: d

A dual-homed host uses two NICs to attach to two separate networks, commonly a trusted network and an untrusted network. It’s important that the internal routing function of the host be disabled to create an Application-layer chokepoint and filter packets. Many systems come with routing enabled by default, such as IP forwarding, which makes the firewall useless. The other answers are distracters.

27. 

Answer: c

A bridge operates at Layer 2 and therefore does not use IP addressing to make routing decisions.

28. 

Answer: d

The 802.1D spanning tree protocol is an Ethernet link-management protocol that provides link redundancy while preventing routing loops. Because only one active path can exist for an Ethernet network to route properly, the STP algorithm calculates and manages the best loop-free path through the network. IEEE 802.5 (answer a) specifies a token-passing ring access method for LANs. IEEE 802.3 (answer b) specifies an Ethernet bus topology using Carrier Sense Multiple Access Control/ Carrier Detect (CSMA/CD). IEEE 802.11 (answer c) is the IEEE standard that specifies 1 Mbps and 2 Mbps wireless connectivity in the 2.4 MHz ISM (Industrial, Scientific, Medical) band.

29. 

Answer: b

Data Encapsulation attaches information from one layer to the packet as it travels from an adjoining layer. The OSI-layered architecture model creates seven layers. The TCP/IP protocol UDP provides best effort packet delivery, and a token-passing transmission scheme creates a deterministic network because it is possible to compute the maximum predictable delay.

30. 

Answer: b

The Layer Two Tunneling Protocol (L2TP) is a protocol that allows a host to establish a virtual connection. Although L2TP - an enhancement to Layer Two Forwarding Protocol (L2F), which supports some features of the Point to Point Tunneling Protocol (PPTP) - may coexist with IPSec, it is not natively an IPSec component. The Authentication Header (AH), answer a, is an authenticating protocol that uses a hash signature in the packet header to validate the integrity of the packet data and the authenticity of the sender. The Security Association (SA), answer c, is a component of the IPSec architecture that contains the information the IPSec device needs to process incoming and outbound IPSec packets. IPSec devices embed a value called the Security Parameter Index (SPI) in the header to associate a datagram with its SA and to store SAs in a Security Association Database (SAD). The Encapsulating Security Payload (ESP), answer d, is an authenticating and encrypting protocol that provides integrity, source authentication, and confidentiality services.

31. 

Answer: c

A brute force attack is an attempt to use all combinations of key patterns to decipher a message. The other three attacks are commonly used to create a Denial of Service (DoS). Ping of Death (answer a) exploits ICMP by sending an illegal ECHO packet of >65K octets of data, which can cause an overflow of system variables and lead to a system crash. SMURF (answer b) is a type of attack using spoofed ICMP ECHO requests to broadcast addresses, which the routers attempt to propagate, congesting the network. Three participants are required for a SMURF attack: the attacker, the amplifying network, and the victim. A TCP SYN flood attack (answer d) generates phony TCP SYN packets from random IP addresses at a rapid rate to fill up the connection queue and stop the system from accepting legitimate users.

32. 

Answer: b

The Encapsulating Security Payload (ESP) is a component of IPSec. Socket Security (SOCKS) is a Transport-layer, secure networking proxy protocol. SOCKS replaces the standard network systems calls with its own calls. These calls open connections to a SOCKS proxy server for client authentication, transparently to the user. Common network utilities, like Telnet or FTP, need to be SOCKS-ified or have their network calls altered to recognize SOCKS proxy calls.

33. 

Answer: c

The /etc/passwd file is a Unix system file. The NT Security Accounts Manager, SAM, contains the usernames and encrypted passwords of all local (and domain, if the server is a domain controller) users. The SAM uses an older, weaker LanManager hash that can be broken easily by tools like L0phtcrack. Physical access to the NT server and the rdisks must be controlled. The “Sam._” file in the repair directory must be deleted after creation of an rdisk. Pwdump and pwdump2 are utilities that allow someone with Administrator rights to target the Local Security Authority Subsystem, isass.exe, from a remote system.

34. 

Answer: b

Distance vector routing uses the Routing Information Protocol (RIP) to maintain a dynamic table of routing information that is updated regularly. It is the oldest and most common type of dynamic routing. Static routing (answer a) defines a specific route in a configuration file on the router and does not require the routers to exchange route information dynamically. Link state routers (answer c) function like distance vector routers but use first-hand information when building routing tables only by maintaining a copy of every other router’s Link State Protocol (LSP) frame. This helps to eliminate routing errors and considerably lessens convergence time. Answer d is a distracter.

35. 

Answer: b

Back doors are very hard to trace, as an intruder will often create several avenues into a network to be exploited later. The only real way to be sure these avenues are closed after an attack is to restore the operating system from the original media, apply the patches, and restore all data and applications. Social engineering (answer a) is a technique used to manipulate users into revealing information like passwords. An undocumented hook into an application to assist programmers with debugging (answer c) is known as a trap door. It serves as a back door into an application rather than a network. Although intended innocently, these can be exploited by intruders. Answer d is a “honey pot” or “padded cell.” A honey pot uses a dummy server with bogus applications as a decoy for intruders.

36. 

Answer: b

Simple Mail Transport Protocol (SMTP) queues and transfers e-mail. SNMP stands for Simple Network Management Protocol. ICMP stands for Internet Control Message Protocol. RARP stands for Reverse Address Resolution Protocol.

37. 

Answer: c

The Challenge Handshake Authentication Protocol (CHAP) is used at the startup of a remote link to verify the identity of a remote node. The Simple Mail Transfer Protocol (RFCs 821 and 1869), answer a, is used by a server to deliver email over the Internet. The Post Office Protocol (RFC 1939), answer b, enables users to read their email by downloading it from a remote server onto their local computer. The Internet Message Access Protocol (RFC 2060), answer d, allows users to read their email on a remote server without downloading the mail locally.

38. 

Answer: b

War walking (or war driving) refers to scanning for 802.11-based wireless network information by either driving or walking with a laptop, a wireless adapter in promiscuous mode, some type of scanning software such as NetStumbler or AiroPeek, and a Global Positioning System (GPS). War dialing (answer a) is a method used to hack into computers by using a software program to automatically call a large pool of telephone numbers to search for those that have a modem attached. Demon dialing, similar to war dialing (answer c) is a tool used to attack one modem using brute force to guess the password and gain access. Tone-Loc (answer d) was one of the first war-dialing tools used by phone phreakers.

39. 

Answer: a

The Routing Information Protocol (RIP) bases its routing path on the distance (number of hops) to the destination. RIP maintains optimum routing paths by sending out routing update messages if the network topology changes. For example, if a router finds that a particular link is faulty, it will update its routing table and then send a copy of the modified table to each of its neighbors. Open Shortest Path First (OSPF), answer b, is a link-state hierarchical routing algorithm intended as a successor to RIP. It features least-cost routing, multipath routing, and load balancing. The Internet Gateway Routing Protocol (IGRP), answer c, is a Cisco protocol that uses a composite metric as its routing metric, including bandwidth, delay, reliability, loading, and maximum transmission unit. The Extensible Authentication Protocol (EAP), answer d, is a general protocol for PPP authentication that supports multiple remote authentication mechanisms.

40. 

Answer: a

Although many routers can perform most of the functions above, the OSI Network Layer is primarily responsible for routing. Bridging (answer b) is a Data Link Layer function. Gateways (answer c) most commonly function at the higher layers. Signal regeneration and repeating (Answer d) are primarily Physical Layer functions.

41. 

Answer: c

Private addresses are not easily routable.

42. 

Answer: b

In the DoD reference model, the Host-to-Host layer parallels the function of the OSI’s Transport Layer. This layer contains the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). The DoD Process/Application layer, (answer a) corresponds to the OSI’s top three layers: the Application, Presentation, and Session Layers. The DoD Internet layer (answer c) corresponds to the OSI’s Network Layer, and the DoD Network Access layer (answer d) is the equivalent of the Data Link and Physical Layers of the OSI model.

43. 

Answer: b

The class A address range is 1.0.0.0 to 126.255.255.255. The class B address range is 128.0.0.0 to 191.255.255.255. The class C address range is from 192.0.0.0 to 223.255.255.255. The class D address range is 244.0.0.0 to 239.255.255.255 and is used for multicast packets.

44. 

Answer: c

The other acronyms do not exist.

45. 

Answer: d

The 802.11i standard addresses security flaws in 802.11 products and presents an approach offering two different protocols: the TKIP protocol and the CCM protocol (CCMP).

46. 

Answer: c

802.11n is a new standard operating in the 5GHz range, combining multiple antennas, faster encoding, and an optional doubling of spectrum to achieve raw data rates from 100 Mbps up to 600 Mbps. The standard employs multiple input, multiple output (MIMO) technology to achieve this speed.

47. 

Answer: c.

Bluejacking is a Bluetooth wireless hack that exploits BT’s discover mode to drop code unnoticed on the victim’s unit.

48. 

Answer: b.

A honey pot is configured to interact with potential hackers in such a way as to capture the details of their attacks. The other answers are all common uses for a keylogger.

49. 

Answer: a

A spambot is a program designed to collect, or harvest, e-mail addresses from the Internet in order to build mailing lists for sending spam. Choice b describes a pop-up download. Choice c describes a Trojan horse, and choice d describes a remote access Trojan.

1. 

The Secure Hash Algorithm (SHA) is specified in the:

  1. Data Encryption Standard
  2. Digital Signature Standard
  3. Digital Encryption Standard
  4. Advanced Encryption Standard

image from book

2. 

What does Secure Sockets Layer (SSL)/Transaction Security Layer (TSL) do?

  1. Implements confidentiality, authentication, and integrity above the Transport Layer
  2. Implements confidentiality, authentication, and integrity below the Transport Layer
  3. Implements only confidentiality above the Transport Layer
  4. Implements only confidentiality below the Transport Layer

image from book

3. 

What are MD4 and MD5?

  1. Symmetric encryption algorithms
  2. Asymmetric encryption algorithms
  3. Hashing algorithms
  4. Digital certificates

image from book

4. 

Elliptic curves, which are applied to public-key cryptography, employ modular exponentiation, which characterizes the:

  1. Elliptic curve discrete logarithm problem
  2. Prime factors of very large numbers
  3. Elliptic curve modular addition
  4. Knapsack problem

image from book

5. 

Which algorithm is used in the Clipper Chip?

  1. IDEA
  2. DES
  3. Skipjack
  4. 3 DES

answer: c the correct answer is c. answers a, b, and d are other symmetric-key algorithms.

6. 

The hashing algorithm in the Digital Signature Standard (DSS) generates a message digest of:

  1. 120 bits
  2. 160 bits
  3. 56 bits
  4. 130 bits

image from book

7. 

The protocol of the Wireless Application Protocol (WAP), which performs functions similar to SSL in the TCP/IP protocol stack, is called the:

  1. Wireless Application Environment (WAE)
  2. Wireless Session Protocol (WSP)
  3. Wireless Transaction Protocol (WTP)
  4. Wireless Transport Layer Security Protocol (WTLS)

image from book

8. 

A Security Parameter Index (SPI) and the identity of the security protocol (AH or ESP) are the components of:

  1. SSL
  2. IPSec
  3. S-HTTP
  4. SSH-1

image from book

9. 

When two different keys encrypt a plaintext message into the same ciphertext, this situation is known as:

  1. Public-key cryptography
  2. Cryptanalysis
  3. Key clustering
  4. Hashing

image from book

10. 

What is the result of the Exclusive Or operation, 1 XOR 0?

  1. 1
  2. 0
  3. Indeterminate
  4. 10

image from book

11. 

A block cipher:

  1. Encrypts by operating on a continuous data stream
  2. Is an asymmetric-key algorithm
  3. Converts variable-length plaintext into fixed-length ciphertext
  4. Breaks a message into fixed length units for encryption

image from book

12. 

In most security protocols that support confidentiality, integrity, and authentication:

  1. Public-key cryptography is used to create digital signatures.
  2. Private-key cryptography is used to create digital signatures.
  3. DES is used to create digital signatures.
  4. Digital signatures are not implemented.

image from book

13. 

Which of the following is an example of a symmetric-key algorithm?

  1. Rijndael
  2. RSA
  3. Diffie-Hellman
  4. Knapsack

answer: a the correct answer is a. the other answers are examples of asymmetric-key systems.

14. 

Which of the following is a problem with symmetric-key encryption?

  1. It is slower than asymmetric-key encryption.
  2. Most algorithms are kept proprietary.
  3. Work factor is not a function of the key size.
  4. It provides secure distribution of the secret key.

image from book

15. 

Which of the following is an example of an asymmetric-key algorithm?

  1. IDEA
  2. DES
  3. 3 DES
  4. Elliptic Curve

answer: d the answer d is correct. all the other answers refer to symmetric-key algorithms.

16. 

In public-key cryptography:

  1. Only the private key can encrypt, and only the public key can decrypt.
  2. Only the public key can encrypt, and only the private key can decrypt.
  3. The public key is used to encrypt and decrypt.
  4. If the public key encrypts, only the private key can decrypt.

image from book

17. 

In a hybrid cryptographic system, usually:

  1. Public-key cryptography is used for the encryption of the message.
  2. Private-key cryptography is used for the encryption of the message.
  3. Neither public-key nor private-key cryptography is used.
  4. Digital certificates cannot be used.

image from book

18. 

What is the block length of the Rijndael Cipher?

  1. 64 bits
  2. 128 bits
  3. Variable
  4. 256 bits

answer: c the correct answer is c. the other answers with fixed numbers are incorrect.

19. 

A polyalphabetic cipher is also known as:

  1. One-time pad
  2. Vigenère cipher
  3. Steganography
  4. Vernam cipher

image from book

20. 

The classic Caesar cipher is a:

  1. Polyalphabetic cipher
  2. Monoalphabetic cipher
  3. Transposition cipher
  4. Code group

image from book

21. 

In steganography:

  1. Private-key algorithms are used.
  2. Public-key algorithms are used.
  3. Both public- and private-key algorithms are used.
  4. The fact that the message exists is not known.

image from book

22. 

What is the key length of the Rijndael Block Cipher?

  1. 56 or 64 bits
  2. 512 bits
  3. 128, 192, or 256 bits
  4. 512 or 1024 bits

image from book

23. 

In a block cipher, diffusion:

  1. Conceals the connection between the ciphertext and plaintext
  2. Spreads the influence of a plaintext character over many ciphertext characters
  3. Is usually implemented by nonlinear S-boxes
  4. Cannot be accomplished

image from book

24. 

The NIST Advanced Encryption Standard uses the:

  1. 3 DES algorithm
  2. Rijndael algorithm
  3. DES algorithm
  4. IDEA algorithm

answer: b the correct answer is b. by definition, the others are incorrect.

25. 

The modes of DES do not include:

  1. Electronic Code Book
  2. Cipher Block Chaining
  3. Variable Block Feedback
  4. Output Feedback

answer: c the correct answer is c. there is no such encipherment mode.

26. 

Which of the following is true?

  1. The work factor of triple DES is the same as for double DES.
  2. The work factor of single DES is the same as for triple DES.
  3. The work factor of double DES is the same as for single DES.
  4. No successful attacks have been reported against double DES.

image from book

27. 

The Rijndael Cipher employs a round transformation that is composed of three layers of distinct, invertible transformations. These transformations are also defined as uniform, which means that every bit of the State is treated the same. Which of the following is not one of these layers?

  1. The nonlinear layer, which is the parallel application of S-boxes that have the optimum worst-case nonlinearity properties
  2. The linear mixing layer, which provides a guarantee of the high diffusion of multiple rounds
  3. The key addition layer, which is an Exclusive OR of the Round Key to the intermediate State
  4. The key inversion layer, which provides confusion through the multiple rounds

answer: d the answer d is correct. this answer is a distracter and does not exist.

28. 

The Escrowed Encryption Standard describes the:

  1. Rijndael Cipher
  2. Clipper Chip
  3. Fair Public Key Cryptosystem
  4. Digital certificates

image from book

29. 

Theoretically, quantum computing offers the possibility of factoring the products of large prime numbers and calculating discrete logarithms in polynomial time. These calculations can be accomplished in such a compressed time frame because:

  1. Information can be transformed into quantum light waves that travel through fiber optic channels. Computations can be performed on the associated data by passing the light waves through various types of optical filters and solid-state materials with varying indices of refraction, thus drastically increasing the throughput over conventional computations.
  2. A quantum bit in a quantum computer is actually a linear superposition of both the one and zero states and, therefore, can theoretically represent both values in parallel. This phenomenon allows computation that usually takes exponential time to be accomplished in polynomial time because different values of the binary pattern of the solution can be calculated simultaneously.
  3. A quantum computer takes advantage of quantum tunneling in molecular scale transistors. This mode permits ultrahigh-speed switching to take place, thus exponentially increasing the speed of computations.
  4. A quantum computer exploits the time-space relationship that changes as particles approach the speed of light. At that interface, the resistance of conducting materials effectively is zero and exponential-speed computations are possible.

image from book

30. 

Which of the following characteristics does a one-time pad have if used properly?

  1. It can be used more than once.
  2. The key does not have to be random.
  3. It is unbreakable.
  4. The key has to be of greater length than the message to be encrypted.

image from book

31. 

The DES key is:

  1. 128 bits
  2. 64 bits
  3. 56 bits
  4. 512 bits

image from book

32. 

In a digitally signed message transmission using a hash function:

  1. The message digest is encrypted in the private key of the sender.
  2. The message digest is encrypted in the public key of the sender.
  3. The message is encrypted in the private key of the sender.
  4. The message is encrypted in the public key of the sender.

image from book

33. 

The strength of RSA public-key encryption is based on the:

  1. Difficulty in finding logarithms in a finite field
  2. Difficulty of multiplying two large prime numbers
  3. Fact that only one key is used
  4. Difficulty in finding the prime factors of very large numbers

image from book

34. 

Elliptic curve cryptosystems:

  1. Have a higher strength per bit than RSA.
  2. Have a lower strength per bit than RSA.
  3. Cannot be used to implement digital signatures.
  4. Cannot be used to implement encryption.

image from book

35. 

Which of the following is not a fundamental component of Identity-Based Encryption (IBE)?

  1. Bilinear mapping
  2. Weil Pairing
  3. Multiplication of points on an elliptic curve
  4. A symmetrical session key

image from book

Answers

1. 

Answer: b

The correct answer is b. Answer a refers to DES, a symmetric encryption algorithm; answer c is a distracter - there is no such term; answer d is the Advanced Encryption Standard, which has replaced DES and is now the Rijndael algorithm.

2. 

Answer: a

The correct answer is a by definition. Answer b is incorrect because SSL/TLS operates above the Transport Layer; answer c is incorrect because authentication and integrity are provided also, and answer d is incorrect because it cites only confidentiality and SSL/TLS operates above the Transport Layer.

3. 

Answer: c

The correct answer is c. Answers a and b are incorrect because they are general types of encryption systems, and answer d is incorrect because hashing algorithms are not digital certificates.

4. 

Answer: a

The correct answer is a. Modular exponentiation in elliptic curves is the analog of the modular discrete logarithm problem. Answer b is incorrect because prime factors are involved with RSA public-key systems; answer c is incorrect because modular addition in elliptic curves is the analog of modular multiplication; and answer d is incorrect because the knapsack problem is not an elliptic curve problem.

5. 

Answer: c

The correct answer is c. Answers a, b, and d are other symmetric-key algorithms.

6. 

Answer: b

7. 

Answer: d

The answer d is correct. SSL performs security functions in TCP/IP. The other answers refer to protocols in the WAP protocol stack also, but their primary functions are not security.

8. 

Answer: b

The correct answer is b. The SPI, AH and/or ESP, and the destination IP address are components of an IPSec Security Association (SA). The other answers describe protocols other than IPSec.

9. 

Answer: c

The answer c is correct. Answer a describes a type of cryptographic system using a public and a private key; answer b is the art/science of breaking ciphers; answer d is the conversion of a message of variable length into a fixed-length message digest.

10. 

Answer: a

An XOR operation results in a 0 if the two input bits are identical and a 1 if one of the bits is a 1 and the other is a 0.

11. 

Answer: d

The answer d is correct. Answer a describes a stream cipher; answer b is incorrect because a block cipher applies to symmetric-key algorithms; and answer c describes a hashing operation.

12. 

Answer: a

The answer a is correct. Answer b is incorrect because private-key cryptography does not create digital signatures; answer c is incorrect because DES is a private-key system and, therefore, follows the same logic as in b; and answer d is incorrect because digital signatures are implemented to obtain authentication and integrity.

13. 

Answer: a

The correct answer is a. The other answers are examples of asymmetric-key systems.

14. 

Answer: d

The answer d is correct. Answer a is incorrect because the opposite is true; answer b is incorrect because most symmetric-key algorithms are published; and answer c is incorrect because work factor is a function of key size. The larger the key is, the larger the work factor.

15. 

Answer: d

The answer d is correct. All the other answers refer to symmetric-key algorithms.

16. 

Answer: d

The answer d is correct. Answers a and b are incorrect because if one key encrypts, the other can decrypt. Answer c is incorrect because if the public key encrypts, it cannot decrypt.

17. 

Answer: b

The answer b is correct. Answer a is incorrect because public-key cryptography is usually used for the encryption and transmission of the secret session key. Answer c is incorrect because both public- and private-key encryption are used, and answer d is incorrect because digital certificates can be used (and normally are used).

18. 

Answer: c

The correct answer is c. The other answers with fixed numbers are incorrect.

19. 

Answer: b

The answer b is correct. Answer a is incorrect because a one-time pad uses a random key with length equal to the plaintext message and is used only once. Answer c is the process of sending a message with no indication that a message even exists. Answer d is incorrect because it applies to stream ciphers that are XORed with a random key string.

20. 

Answer: b

The answer b is correct. The Caesar cipher uses one alphabet shifted three places. Answers a and c are incorrect because in a polyalphabetic cipher (answer a), multiple alphabets are used, and in a transposition cipher (answer c), the letters of the message are transposed. Answer d is incorrect because code groups deal with words and phrases and ciphers deal with bits or letters.

21. 

Answer: d

The correct answer is d. The other answers are incorrect because neither algorithm is used.

22. 

Answer: c

23. 

Answer: b

The answer b is correct. Answer a defines confusion; answer c defines how confusion is accomplished; and answer d is incorrect because it can be accomplished.

24. 

Answer: b

The correct answer is b. By definition, the others are incorrect.

25. 

Answer: c

The correct answer is c. There is no such encipherment mode.

26. 

Answer: c

The answer c is correct. The Meet-in-the-Middle attack has been successfully applied to double DES, and the work factor is equivalent to that of single DES. Thus, answer d is incorrect. Answer a is false because the work factor of triple DES is greater than that for double DES. In triple DES, three levels of encryption and/or decryption are applied to the message. The work factor of double DES is equivalent to the work factor of single DES. Answer b is false because the work factor of single DES is less than for triple DES.

27. 

Answer: d

The answer d is correct. This answer is a distracter and does not exist.

28. 

Answer: b

29. 

Answer: b

In digital computers, a bit is in either a one or a zero state. In a quantum computer, through linear superposition, a quantum bit can be in both states, essentially simultaneously. Thus, computations consisting of trial evaluations of binary patterns can take place simultaneously in exponential time. The probability of obtaining a correct result is increased through a phenomenon called constructive interference of light, while the probability of obtaining an incorrect result is decreased through destructive interference. Answer a describes optical computing that is effective in applying Fourier and other transformations to data to perform high-speed computations. Light representing large volumes of data passing through properly shaped physical objects can be subjected to mathematical transformations and recombined to provide the appropriate results. However, this mode of computation is not defined as quantum computing. Answers c and d are diversionary answers that do not describe quantum computing.

30. 

Answer: c

If the one-time-pad is used only once and its corresponding key is truly random and does not have repeating characters, it is unbreakable. Answer a is incorrect because if used properly, the one-time-pad should be used only once. Answer b is incorrect because the key should be random. Answer d is incorrect because the key has to be of the same length as the message.

31. 

Answer: c

32. 

Answer: a

The hash function generates a message digest. The message digest is encrypted with the private key of the sender. Thus, if the message can be opened with the sender’s public key, which is known to all, the message must have come from the sender. The message is not encrypted with the public key because the message is usually longer than the message digest and would take more computing resources to encrypt and decrypt. Because the message digest uniquely characterizes the message, it can be used to verify the identity of the sender.

Answers b and d will not work because a message encrypted in the public key of the sender can be read only by using the private key of the sender. Because the sender is the only one who knows this key, no one else can read the message. Answer c is incorrect because the message is not encrypted; the message digest is encrypted.

33. 

Answer: d

The correct answer is d. Answer a applies to public-key algorithms such as Diffie-Hellman and Elliptic Curve. Answer b is incorrect because it is easy to multiply two large prime numbers. Answer c refers to symmetric-key encryption.

34. 

Answer: a

It is more difficult to compute elliptic curve discrete logarithms than conventional discrete logarithms or factoring. Smaller key sizes in the elliptic curve implementation can yield higher levels of security. Therefore, answer b is incorrect. Answers c and d are incorrect because elliptic curve cryptosystems can be used for digital signatures and encryption.

35. 

Answer: d

IBE is based on using an arbitrary string as an individual’s public key. It is based on public-key cryptography; therefore, a symmetric key is not involved in the process.

1. 

What does the Bell-LaPadula model not allow?

  1. Subjects to read from a higher level of security relative to their level of security
  2. Subjects to read from a lower level of security relative to their level of security
  3. Subjects to write to a higher level of security relative to their level of security
  4. Subjects to read at their same level of security

answer: a the answer a is correct. the other options are not prohibited by the model.

2. 

In the * (star) security property of the Bell-LaPadula model:

  1. Subjects cannot read from a higher level of security relative to their level of security.
  2. Subjects cannot read from a lower level of security relative to their level of security.
  3. Subjects cannot write to a lower level of security relative to their level of security.
  4. Subjects cannot read from their same level of security.

answer: c the correct answer is c by definition of the star property.

3. 

The Clark-Wilson model focuses on data’s:

  1. Integrity
  2. Confidentiality
  3. Availability
  4. Format

answer: a the answer a is correct. the clark-wilson model is an integrity model.

4. 

The * (star) property of the Biba model states that:

  1. Subjects cannot write to a lower level of integrity relative to their level of integrity.
  2. Subjects cannot write to a higher level of integrity relative to their level of integrity.
  3. Subjects cannot read from a lower level of integrity relative to their level of integrity.
  4. Subjects cannot read from a higher level of integrity relative to their level of integrity.

image from book

5. 

Which of the following does the Clark-Wilson model not involve?

  1. Constrained data items
  2. Transformational procedures
  3. Confidentiality items
  4. Well-formed transactions

answer: c the answer c is correct. answers a, b, and d are parts of the clark-wilson model.

6. 

The Take-Grant model:

  1. Focuses on confidentiality
  2. Specifies the rights that a subject can transfer to an object
  3. Specifies the levels of integrity
  4. Specifies the levels of availability

image from book

7. 

The Biba model addresses:

  1. Data disclosure
  2. Transformation procedures
  3. Constrained data items
  4. Unauthorized modification of data

image from book

8. 

Mandatory access controls first appear in the Trusted Computer System Evaluation Criteria (TCSEC) at the rating of:

  1. D
  2. C
  3. B
  4. A

image from book

9. 

In the access control matrix, the rows are:

  1. Access Control Lists (ACLs)
  2. Tuples
  3. Domains
  4. Capability lists

image from book

10. 

What information security model formalizes the U.S. Department of Defense multilevel security policy?

  1. Clark-Wilson
  2. Stark-Wilson
  3. Biba
  4. Bell-LaPadula

image from book

11. 

A Trusted Computing Base (TCB) is defined as:

  1. The total combination of protection mechanisms within a computer system that is trusted to enforce a security policy
  2. The boundary separating the trusted mechanisms from the remainder of the system
  3. A trusted path that permits a user to access resources
  4. A system that employs the necessary hardware and software assurance measures to enable the processing of multiple levels of classified or sensitive information to occur

image from book

12. 

Memory space insulated from other running processes in a multiprocessing system is part of a:

  1. Protection domain
  2. Security perimeter
  3. Least upper bound
  4. Constrained data item

image from book

13. 

The boundary separating the TCB from the remainder of the system is called the:

  1. Star property
  2. Simple security property
  3. Discretionary control boundary
  4. Security perimeter

image from book

14. 

The system component that enforces access controls on an object is the:

  1. Security perimeter
  2. Trusted domain
  3. Reference monitor
  4. Access control matrix

image from book

15. 

Which one the following is not one of the three major parts of the Common Criteria (CC)?

  1. Introduction and General Model
  2. Security Evaluation Requirements
  3. Security Functional Requirements
  4. Security Assurance Requirements

image from book

16. 

A computer system that employs the necessary hardware and software assurance measures to enable it to process multiple levels of classified or sensitive information is called a:

  1. Closed system
  2. Open system
  3. Trusted system
  4. Safe system

image from book

17. 

For fault tolerance to operate, a system must be:

  1. Capable of detecting and correcting the fault
  2. Capable only of detecting the fault
  3. Capable of terminating operations in a safe mode
  4. Capable of a cold start

image from book

18. 

Which of the following choices describes the four phases of the National Information Assurance Certification and Accreditation Process (NIACAP)?

  1. Definition, Verification, Validation, and Confirmation
  2. Definition, Verification, Validation, and Post Accreditation
  3. Verification, Validation, Authentication, and Post Accreditation
  4. Definition, Authentication, Verification, and Post Accreditation

image from book

19. 

In the Common Criteria, an implementation-independent statement of security needs for a set of IT security products that could be built is called a:

  1. Security Target (ST)
  2. Package
  3. Protection Profile (PP)
  4. Target of Evaluation (TOE)

image from book

20. 

The termination of selected, noncritical processing when a hardware or software failure occurs and is detected is referred to as:

  1. Fail-safe
  2. Fault-tolerant
  3. Fail-soft
  4. An exception

image from book

21. 

Which one of the following is not a component of a CC Protection Profile?

  1. Target of Evaluation (TOE) description
  2. Threats against the product that must be addressed
  3. Product-specific security requirements
  4. Security objectives

image from book

22. 

Content-dependent control makes access decisions based on:

  1. The object’s data
  2. The object’s environment
  3. The object’s owner
  4. The object’s view

image from book

23. 

The term failover refers to:

  1. Switching to a duplicate, “hot” backup component
  2. Terminating processing in a controlled fashion
  3. Resiliency
  4. A fail-soft system

image from book

24. 

Primary storage is:

  1. Memory directly addressable by the CPU for storage of instructions and data that are associated with the program being executed
  2. Memory, such as magnetic disks, that provides nonvolatile storage
  3. Memory used in conjunction with real memory to present a CPU with a larger, apparent address space
  4. Memory in which information must be obtained by sequentially searching from the beginning of the memory space

image from book

25. 

In the Common Criteria, a Protection Profile:

  1. Specifies the mandatory protection in the product to be evaluated
  2. Is also known as the Target of Evaluation (TOE)
  3. Is also known as the Orange Book
  4. Specifies the security requirements and protections of the products to be evaluated

image from book

26. 

Context-dependent control uses which of the following to make decisions?

  1. Subject or object attributes or environmental characteristics
  2. Data
  3. Formal models
  4. Operating system characteristics

image from book

27. 

The secure path between a user and the Trusted Computing Base (TCB) is called:

  1. Trusted distribution
  2. Trusted path
  3. Trusted facility management
  4. The security perimeter

image from book

28. 

In a ring protection system, where is the security kernel usually located?

  1. Highest ring number
  2. Arbitrarily placed
  3. Lowest ring number
  4. Middle ring number

image from book

29. 

Increasing performance in a computer by overlapping the steps of different instructions is called:

  1. A reduced instruction set computer
  2. A complex instruction set computer
  3. Vector processing
  4. Pipelining

image from book

30. 

Random-access memory is:

  1. Nonvolatile
  2. Sequentially addressable
  3. Programmed by using fusible links
  4. Volatile

image from book

31. 

In the National Information Assurance Certification and Accreditation Process (NIACAP), a type accreditation performs which one of the following functions?

  1. Evaluates a major application or general support system
  2. Verifies the evolving or modified system’s compliance with the information agreed on in the System Security Authorization Agreement (SSAA)
  3. Evaluates an application or system that is distributed to a number of different locations
  4. Evaluates the applications and systems at a specific, self-contained location

image from book

32. 

Processes are placed in a ring structure according to:

  1. Least privilege
  2. Separation of duty
  3. Owner classification
  4. First in, first out

image from book

33. 

The MULTICS operating system is a classic example of:

  1. An open system
  2. Object orientation
  3. Database security
  4. Ring protection system

answer: d multics is based on the ring protection architecture.

34. 

What are the hardware, firmware, and software elements of a Trusted Computing Base (TCB) that implement the reference monitor concept called?

  1. The trusted path
  2. A security kernel
  3. An Operating System (OS)
  4. A trusted computing system

image from book

Answers

1. 

Answer: a

The answer a is correct. The other options are not prohibited by the model.

2. 

Answer: c

The correct answer is c by definition of the star property.

3. 

Answer: a

The answer a is correct. The Clark-Wilson model is an integrity model.

4. 

Answer: b

5. 

Answer: c

The answer c is correct. Answers a, b, and d are parts of the Clark-Wilson model.

6. 

Answer: b

7. 

Answer: d

The answer d is correct. The Biba model is an integrity model. Answer a is associated with confidentiality. Answers b and c are specific to the Clark-Wilson model.

8. 

Answer: c

9. 

Answer: d

The answer d is correct. Answer a is incorrect because the access control list is not a row in the access control matrix. Answer b is incorrect because a tuple is a row in the table of a relational database. Answer c is incorrect because a domain is the set of allowable values a column or attribute can take in a relational database.

10. 

Answer: d

The answer d is correct. The Bell-LaPadula model addresses the confidentiality of classified material. Answers a and c are integrity models, and answer b is a distracter.

11. 

Answer: a

The answer a is correct. Answer b is the security perimeter. Answer c is the definition of a trusted path. Answer d is the definition of a trusted computer system.

12. 

Answer: a

13. 

Answer: d

The answer d is correct. Answers a and b deal with security models, and answer c is a distracter.

14. 

Answer: c

15. 

Answer: b

The correct answer is b, a distracter. Answer a is Part 1 of the CC. It defines general concepts and principles of information security and defines the contents of the Protection Profile (PP), Security Target (ST), and the Package. The Security Functional Requirements, answer c, are Part 2 of the CC, which contains a catalog of well-defined standard means of expressing security requirements of IT products and systems. Answer d is Part 3 of the CC and comprises a catalog of a set of standard assurance components.

16. 

Answer: c

The correct answer is c, by definition of a trusted system. Answers a and b refer to open, standard information on a product as opposed to a closed or proprietary product. Answer d is a distracter.

17. 

Answer: a

The correct answer is a, the two conditions required for a fault-tolerant system. Answer b is a distracter. Answer c is the definition of fail-safe, and answer d refers to starting after a system shutdown.

18. 

Answer: b

19. 

Answer: c

The answer c is correct. Answer a, ST, is a statement of security claims for a particular IT product or system. A Package, answer b, is defined in the CC as “an intermediate combination of security requirement compo-nents.” A TOE, answer d, is “an IT product or system to be evaluated.”

20. 

Answer: c

21. 

Answer: c

The answer c is correct. Product-specific security requirements for the product or system are contained in the Security Target (ST). Additional items in the PP are:

  • TOE security environment description
  • Assumptions about the security aspects of the product’s expected use
  • Organizational security policies or rules
  • Application notes
  • Rationale

22. 

Answer: a

The answer a is correct. Answer b is context-dependent control. Answers c and d are distracters.

23. 

Answer: a

Failover means switching to a “hot” backup system that maintains duplicate states with the primary system. Answer b refers to fail-safe, and answers c and d refer to fail-soft.

24. 

Answer: a

The answer a is correct. Answer b refers to secondary storage. Answer c refers to virtual memory, and answer d refers to sequential memory.

25. 

Answer: d

The answer d is correct. Answer a is a distracter. Answer b is the product to be evaluated. Answer c refers to TCSEC.

26. 

Answer: a

The answer a is correct. Answer b refers to content-dependent characteristics, and answers c and d are distracters.

27. 

Answer: b

Answer a, trusted distribution, ensures that valid and secure versions of software have been received correctly. Trusted facility management, answer c, is concerned with the proper operation of trusted facilities as well as system administration and configuration. Answer d, the security perimeter, is the boundary that separates the TCB from the remainder of the system. Recall that the TCB is the totality of protection mechanisms within a computer system that are trusted to enforce a security policy.

28. 

Answer: c

29. 

Answer: d

30. 

Answer: d

RAM is volatile. The other answers are incorrect because RAM is volatile, randomly accessible, and not programmed by fusible links.

31. 

Answer: c

Answer a is the NIACAP system accreditation. Answer b is the Phase 2 or Verification phase of the Defense Information Technology Security Certification and Accreditation Process (DITSCAP). The objective is to use the SSAA to establish an evolving yet binding agreement on the level of security required before the system development begins or changes to a system are made. After accreditation, the SSAA becomes the baseline security configuration document. Answer d is the NIACAP site accreditation.

32. 

Answer: a

The correct answer is a. A process is placed in the ring that gives it the minimum privileges necessary to perform its functions.

33. 

Answer: d

MULTICS is based on the ring protection architecture.

34. 

Answer: b

1. 

Which of the following places the four systems security modes of operation in order, from the most secure to the least?

  1. System-High Mode, Dedicated Mode, Compartmented Mode, and Multilevel Mode
  2. Dedicated Mode, System-High Mode, Compartmented Mode, and Multilevel Mode
  3. Dedicated Mode, System-High Mode, Multilevel Mode, and Compartmented Mode
  4. System-High Mode, Compartmented Mode, Dedicated Mode, and Multilevel Mode

answer: b dedicated mode, system-high mode, compartmented mode, and multilevel mode

2. 

Why is security an issue when a system is booted into single-user mode?

  1. The operating system is started without the security front-end loaded.
  2. The users cannot log in to the system, and they will complain.
  3. Proper forensics cannot be executed while in single-user mode.
  4. Backup tapes cannot be restored while in single-user mode.

image from book

3. 

An audit trail is an example of what type of control?

  1. Deterrent control
  2. Preventative control
  3. Detective control
  4. Application control

image from book

4. 

Which of the following media controls is the best choice to prevent data remanence on magnetic tapes or floppy disks?

  1. Overwriting the media with new application data
  2. Degaussing the media
  3. Applying a concentration of hydroiodic acid (55% to 58% solution) to the gamma ferric oxide disk surface
  4. Making sure the disk is recirculated as quickly as possible to prevent object reuse

image from book

5. 

Which of the following choices is not a security goal of an audit mechanism?

  1. To deter perpetrators’ attempts to bypass the system protection mechanisms
  2. To review employee production output records
  3. To review patterns of access to individual objects
  4. To discover when a user assumes a functionality with privileges greater than his own

image from book

6. 

Which of the following tasks would normally be a function of the security administrator, not the system administrator?

  1. Installing system software
  2. Adding and removing system users
  3. Reviewing audit data
  4. Managing print queues

image from book

7. 

Which of the following is a reason to institute output controls?

  1. To preserve the integrity of the data in the system while changes are being made to the configuration
  2. To protect the output’s confidentiality
  3. To detect irregularities in the software’s operation
  4. To recover damage after an identified system failure

image from book

8. 

Which of the following statements is not correct about reviewing user accounts?

  1. User account reviews cannot be conducted by outside auditors.
  2. User account reviews can examine conformity with the concept of least privilege.
  3. User account reviews may be conducted on a systemwide basis.
  4. User account reviews may be conducted on an application-by-application basis.

image from book

9. 

Which of the following terms most accurately describes the trusted computing base (TCB)?

  1. A computer that controls all access to objects by subjects
  2. A piece of information that represents the security level of an object
  3. Formal proofs used to demonstrate the consistency between a system’s specification and a security model
  4. The totality of protection mechanisms within a computer system

image from book

10. 

Which of the following statements is accurate about the concept of object reuse?

  1. Object reuse protects against physical attacks on the storage medium.
  2. Object reuse ensures that users do not obtain residual information from system resources.
  3. Object reuse applies to removable media only.
  4. Object reuse controls the granting of access rights to objects.

image from book

11. 

Using prenumbered forms to initiate a transaction is an example of what type of control?

  1. Deterrent control
  2. Preventative control
  3. Detective control
  4. Application control

image from book

12. 

Which of the following choices is the best description of operational assurance?

  1. Operational assurance is the process of examining audit logs to reveal usage that identifies misuse.
  2. Operational assurance has the benefit of containing and repairing damage from incidents.
  3. Operational assurance is the process of reviewing an operational system to see that security controls are functioning correctly.
  4. Operational assurance is the process of performing pre-employment background screening.

image from book

13. 

Which of the following is not a proper media control?

  1. The data media should be logged to provide a physical inventory control.
  2. All data storage media should be accurately marked.
  3. A proper storage environment should be provided for the media.
  4. The media that is reused in a sensitive environment does not need sanitization.

image from book

14. 

Which of the following choices is considered the highest level of operator privilege?

  1. Read/Write
  2. Read Only
  3. Access Change
  4. Write Only

image from book

15. 

Which of the following choices below most accurately describes a covert storage channel?

  1. A process that manipulates observable system resources in a way that affects response time
  2. An information transfer path within a system
  3. A communication channel that allows a process to transfer information in a manner that violates the system’s security policy
  4. An information transfer that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process

image from book

16. 

Which of the following would not be a common element of a transaction trail?

  1. The date and time of the transaction
  2. Who processed the transaction
  3. Why the transaction was processed
  4. At which terminal the transaction was processed

image from book

17. 

Which of the following would not be considered a benefit of employing incident-handling capability?

  1. An individual acting alone would not be able to subvert a security process or control.
  2. It enhances internal communications and the readiness of the organization to respond to incidents.
  3. It assists an organization in preventing damage from future incidents.
  4. Security training personnel would have a better understanding of users’ knowledge of security issues.

image from book

18. 

Which of the following is the best description of an audit trail?

  1. Audit trails are used to detect penetration of a computer system and to reveal usage that identifies misuse.
  2. An audit trail is a device that permits simultaneous data processing of two or more security levels without risk of compromise.
  3. An audit trail mediates all access to objects within the network by subjects within the network.
  4. Audit trails are used to prevent access to sensitive systems by unauthorized personnel.

image from book

19. 

Which of the following best describes the function of change control?

  1. To ensure that system changes are implemented in an orderly manner
  2. To guarantee that an operator is given only the privileges needed for the task
  3. To guarantee that transaction records are retained IAW compliance requirements
  4. To assign parts of security-sensitive tasks to more than one individual

image from book

20. 

Which of the following is not an example of intentionally inappropriate operator activity?

  1. Making errors when manually inputting transactions
  2. Using the company’s system to store pornography
  3. Conducting private business on the company system
  4. Using unauthorized access levels to violate information confidentiality

image from book

21. 

Which book of the Rainbow Series addresses the Trusted Computer System Evaluation Criteria (TCSEC)?

  1. Red Book
  2. Orange Book
  3. Green Book
  4. Purple Book

image from book

22. 

Which term best describes the concept of least privilege?

  1. Each user is granted the lowest clearance required for his or her tasks.
  2. A formal separation of command, program, and interface functions.
  3. A combination of classification and categories that represents the sensitivity of information.
  4. Active monitoring of facility entry access points.

image from book

23. 

Which of the following best describes a threat as defined in the Operations Security domain?

  1. A potential incident that could cause harm
  2. A weakness in a system that could be exploited
  3. A company resource that could be lost due to an incident
  4. The minimization of loss associated with an incident

image from book

24. 

Which of the following is not a common element of user account administration?

  1. Periodically verifying the legitimacy of current accounts and access authorizations
  2. Authorizing the request for a user’s system account
  3. Tracking users and their respective access authorizations
  4. Establishing, issuing, and closing user accounts

image from book

25. 

Which of the following is not an example of using a social engineering technique to gain physical access to a secure facility?

  1. Asserting authority or pulling rank
  2. Intimidating or threatening
  3. Praising or flattering
  4. Employing the salami fraud (see Appendix A)

image from book

26. 

Which statement about covert channel analysis is not true?

  1. It is an operational assurance requirement that is specified in the Orange Book.
  2. It is required for B2 class systems in order to protect against covert storage channels.
  3. It is required for B2 class systems to protect against covert timing channels.
  4. It is required for B3 class systems to protect against both covert storage and covert timing channels.

image from book

27. 

“Separation of duties” embodies what principle?

  1. An operator does not know more about the system than the minimum required to do the job.
  2. Two operators are required to work in tandem to perform a task.
  3. The operators’ duties are frequently rotated.
  4. The operators have different duties to prevent one person from compromising the system.

image from book

28. 

Convert Channel Analysis, Trusted Facility Management, and Trusted Recovery are parts of which book in the TCSEC Rainbow Series?

  1. Red Book
  2. Orange Book
  3. Green Book
  4. Dark Green Book

image from book

29. 

How do covert timing channels convey information?

  1. By changing a system’s stored data characteristics
  2. By generating noise and traffic with the data
  3. By performing a covert channel analysis
  4. By modifying the timing of a system resource in some measurable way

image from book

30. 

Which of the following would be the best description of a clipping level?

  1. A baseline of user errors above which violations will be recorded
  2. A listing of every error made by users to initiate violation processing
  3. Variance detection of too many people with unrestricted access
  4. Changes a system’s stored data characteristics

image from book

31. 

Which of the following backup methods will probably require the backup operator to use the most number of tapes for a complete system restoration if a different tape is used every night in a five-day rotation?

  1. Full
  2. Differential
  3. Incremental
  4. Ad hoc

image from book

32. 

Which level of RAID is commonly referred to as disk mirroring?

  1. RAID 0
  2. RAID 1
  3. RAID 3
  4. RAID 5

image from book

33. 

Which is not a common element of an e-mail?

  1. Header
  2. Content
  3. VBScript
  4. Attachment(s)

image from book

34. 

Which of the following choices is the best description of a fax encryptor?

  1. An individual user who encrypts fax documents
  2. A encryption mechanism that encrypts all fax transmissions at the Data Link Layer
  3. An application that encrypts all printed output
  4. An application that encrypts faxes at the desktop

image from book

35. 

Which of the following statements is true about e-mail headers?

  1. E-mail headers can never be spoofed.
  2. Fraudulent e-mail is easily identified by the headers.
  3. The header may point back to the hijacked spambot.
  4. The header will always point back to the original spammer.

image from book

Answers

1. 

Answer: b

Dedicated Mode, System-High Mode, Compartmented Mode, and Multilevel Mode

2. 

Answer: a

When the operator boots the system in single-user mode, the user front-end security controls are not loaded. This mode should be used only for recovery and maintenance procedures, and all operations should be logged and audited.

3. 

Answer: c

An audit trail is a record of events to piece together what has happened and allow enforcement of individual accountability by creating a reconstruction of events. They can be used to assist in the proper implementation of the other controls, however.

4. 

Answer: b

Degaussing is recommended as the best method for purging most magnetic media. Answer a is not recommended because the application may not completely overwrite the old data properly. Answer c is a rarely used method of media destruction, and acid solutions should be used in a well-ventilated area only by qualified personnel. Answer d is wrong.

5. 

Answer: b

Answer b is a distracter; the other answers reflect proper security goals of an audit mechanism.

6. 

Answer: c

Reviewing audit data should be a function separate from the day-to-day administration of the system.

7. 

Answer: b

In addition to being used as a transaction control verification mechanism, output controls are used to ensure that output, such as printed reports, is distributed securely. Answer a is an example of change control, c is an example of application controls, and d is an example of recovery controls.

8. 

Answer: a

Reviews can be conducted by, among others, in-house systems personnel (a self-audit), the organization’s internal audit staff, or external auditors.

9. 

Answer: d

The Trusted Computing Base (TCB) represents totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. Answer a describes the reference monitor concept, answer b refers to a sensitivity label, and answer c describes formal verification.

10. 

Answer: b

Object reuse mechanisms ensure system resources are allocated and assigned among authorized users in a way that prevents the leak of sensitive information, and they ensure that the authorized user of the system does not obtain residual information from system resources. Answer a is incorrect, answer c is incorrect, and answer d refers to authorization: the granting of access rights to a user, program, or process.

11. 

Answer: b

Prenumbered forms are an example of preventative controls. They can also be considered a transaction control and input control.

12. 

Answer: c

Operational assurance is the process of reviewing an operational system to see that security controls, both automated and manual, are functioning correctly and effectively. Operational assurance addresses whether the system’s technical features are being bypassed or have vulnerabilities and whether required procedures are being followed. Answer a is a description of an audit trail review, answer b is a description of a benefit of incident handling, and answer d describes a personnel control.

13. 

Answer: d

Sanitization is the process of removing information from used data media to prevent data remanence. Different media require different types of sanitization. All the others are examples of proper media controls.

14. 

Answer: c

The three common levels of operator privileges, based on the concept of “least privilege,” are:

  • Read Only - Lowest level, view data only
  • Read/Write - View and modify data
  • Access Change - Highest level, right to change data/operator permissions

Answer d is a distracter.

15. 

Answer: d

A covert storage channel typically involves a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels. Answer a is a partial description of a covert timing channel, and answer b is a generic definition of a channel. A channel may also refer to the mechanism by which the path is affected. Answer c is a higher-level definition of a covert channel. While a covert storage channel fits this definition generically, answer d is the proper specific definition.

16. 

Answer: c

Why the transaction was processed is not initially a concern of the audit log, but it will be investigated later. The other three elements are all important information that the audit log of the transaction should record.

17. 

Answer: a

The primary benefits of employing an incident-handling capability are containing and repairing damage from incidents and preventing future damage. Answer a is a benefit of employing “separation of duties” controls.

18. 

Answer: a

An audit trail is a set of records that collectively provide documentary evidence of processing used to aid in tracing from original transactions forward to related records and reports and/or backward from records and reports to their component source transactions. Answer b is a description of a multilevel device, and answer c refers to a network reference monitor. Answer d is incorrect because audit trails are detective, and answer d describes a preventative process - access control.

19. 

Answer: a

Answer b describes least privilege, answer c describes record retention, and answer d describes separation of duties.

20. 

Answer: a

Although operator error (answer a) is most certainly an example of a threat to a system’s integrity, it is considered unintentional loss, not an intentional activity.

21. 

Answer: b

22. 

Answer: a

The least privilege principle requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. Answer b describes separation of privilege, answer c describes a security level, and answer d is a distracter.

23. 

Answer: a

Answer b describes a vulnerability, answer c describes an asset, and answer d describes risk management.

24. 

Answer: b

For proper separation of duties, the function of user account establishment and maintenance should be separated from the function of initiating and authorizing the creation of the account. User account management focuses on identification, authentication, and access authorizations.

25. 

Answer: d

Answers a, b, and c denote common tactics used by an intruder to gain either physical access or system access. The salami fraud is an automated fraud technique. In the salami fraud, a programmer will create or alter a program to move small amounts of money into his personal bank account. The amounts are intended to be so small as to be unnoticed, such as rounding in foreign currency exchange transactions; hence the name, a reference to slicing a salami.

26. 

Answer: c

Orange Book B2 class systems do not need to be protected from covert timing channels. Covert channel analysis must be performed for B2-level class systems to protect against only covert storage channels. B3 class systems need to be protected from both covert storage channels and covert timing channels.

27. 

Answer: d

Separation of duties means that the operators are prevented from generating and verifying transactions alone, for example. A task might be divided into different smaller tasks to accomplish this, or in the case of an operator with multiple duties, the operator makes a logical, functional job change when performing such conflicting duties. Answer a is need-to-know, answer b is dual-control, and c is job rotation.

28. 

Answer: b

The Red Book (answer a) is the Trusted Network Interpretation (TNI) summary of network requirements (described in the Telecommunications and Network Security domain); the Green Book (answer c) is the Department of Defense (DoD) Password Management Guideline; and the Dark Green Book (answer d) is The Guide to Understanding Data Remanence in Automated Information Systems.

29. 

Answer: d

A covert timing channel alters the timing of parts of the system to enable it to be used to communicate information covertly (outside the normal security function). Answer a is the description of the use of a covert storage channel, answer b is a technique to combat the use of covert channels, and answer c is the Orange Book requirement for B3, B2, and A1 evaluated systems.

30. 

Answer: a

This description of a clipping level is the best. Answer b is not correct because one reason to create clipping levels is to prevent auditors from having to examine every error. Answer c is a common use for clipping levels but is not a definition. Answer d is a distracter.

31. 

Answer: c

Most backup methods use the Archive file attribute to determine whether the file should be backed up. The backup software determines which files need to be backed up by checking to see whether the Archive file attribute has been set and then resets the Archive bit value to null after the backup procedure. The Incremental backup method backs up only files that have been created or modified since the last backup was made because the Archive file attribute is reset. This can result in the backup operator needing several tapes to do a complete restoration, because every tape with changed files as well as the last full backup tape will need to be restored.

A full or complete backup (answer a) backs up all files in all directories stored on the server regardless of when the last backup was made and whether the files have already been backed up. The Archive file attribute is changed to mark that the files have been backed up, and the tape or tapes will have all data and applications on it. This is an incorrect answer for this question, however, as it’s assumed that answers b and c will additionally require differential or incremental tapes.

The Differential backup method (answer b) backs up only files that have been created or modified since the last backup was made, like an incremental backup. However, the difference between an incremental backup and a differential backup is that the Archive file attribute is not reset after the differential backup is completed; therefore, the changed file is backed up every time the differential backup is run. The backup set grows in size until the next full backup as these files continue to be backed up during each subsequent differential backup. The advantage of this backup method is that the backup operator should need only the full backup and the one differential backup to restore the system.

Answer d is a distracter.

32. 

Answer: b

Redundant Array of Inexpensive Disks (RAID) is a method of enhancing hard disk fault tolerance, which can improve performance. RAID 1 maintains a complete copy of all data by duplicating each hard drive. Performance can suffer in some implementations of RAID 1, and twice as many drives are required. Novell developed a type of disk mirroring called disk duplexing, which uses multiple disk controller cards, increasing both performance and reliability. RAID 0 (answer a) gives some performance gains by striping the data across multiple drives but reduces fault tolerance, because the failure of any single drive disables the whole volume. RAID 3 (answer c) uses a dedicated error-correction disk called a parity drive, and it stripes the data across the other data drives. RAID 5 (answer d) uses all disks in the array for both data and error correction, increasing both storage capacity and performance.

33. 

Answer: c

E-mails have three basic parts: attachments, contents, and headers. Both the contents and attachments are areas of vulnerability.

34. 

Answer: b

A fax encryptor is a encryption mechanism that encrypts all fax transmissions at the Data Link layer and helps ensure that all incoming and outgoing fax data is encrypted at its source.

35. 

Answer: c

The header may point back to the hijacked spambot’s mail server. Email headers can be spoofed, fraudulent e-mail not always identified by the headers, and the header doesn’t always point back to the original spammer.

1. 

What is a data warehouse?

  1. A remote facility used for storing backup tapes
  2. A repository of information from heterogeneous databases
  3. A table in a relational database system
  4. A hot backup building

image from book

2. 

What does normalizing data in a data warehouse mean?

  1. Redundant data is removed.
  2. Numerical data is divided by a common factor.
  3. Data is converted to a symbolic representation.
  4. Data is restricted to a range of values.

answer: a the correct answer is a, removing redundant data.

3. 

What is a neural network?

  1. A hardware or software system that emulates the reasoning of a human expert
  2. A collection of computers that are focused on medical applications
  3. A series of networked PCs performing artificial intelligence tasks
  4. A hardware or software system that emulates the functioning of biological neurons

image from book

4. 

A neural network learns by using various algorithms to:

  1. Adjust the weights applied to the data
  2. Fire the rules in the knowledge base
  3. Emulate an inference engine
  4. Emulate the thinking of an expert

image from book

5. 

The SEI Software Capability Maturity Model is based on the premise that:

  1. Good software development is a function of the number of expert programmers in the organization.
  2. The maturity of an organization’s software processes cannot be measured.
  3. The quality of a software product is a direct function of the quality of its associated software development and maintenance processes.
  4. Software development is an art that cannot be measured by conventional means.

image from book

6. 

In configuration management, a configuration item is:

  1. The version of the operating system that is operating on the workstation that provides information security services
  2. A component whose state is to be recorded and against which changes are to be progressed
  3. The network architecture used by the organization
  4. A series of files that contain sensitive information

image from book

7. 

In an object-oriented system, polymorphism denotes:

  1. Objects of many different classes that are related by some common superclass; thus, any object denoted by this name can respond to some common set of operations in a different way.
  2. Objects of many different classes that are related by some common superclass; thus, all objects denoted by this name can respond to some common set of operations in identical fashion.
  3. Objects of the same class; thus, any object denoted by this name can respond to some common set of operations in the same way.
  4. Objects of many different classes that are unrelated but respond to some common set of operations in the same way.

image from book

8. 

The simplistic model of software life cycle development assumes that:

  1. Iteration will be required among the steps in the process.
  2. Each step can be completed and finalized without any effect from the later stages that may require rework.
  3. Each phase is identical to a completed milestone.
  4. Software development requires reworking and repeating some of the phases.

image from book

9. 

What is a method in an object-oriented system?

  1. The means of communication among objects
  2. A guide to the programming of objects
  3. The code defining the actions that the object performs in response to a message
  4. The situation where a class inherits the behavioral characteristics of more than one parent class

image from book

10. 

What does the Spiral model depict?

  1. A spiral that incorporates various phases of software development
  2. A spiral that models the behavior of biological neurons
  3. The operation of expert systems
  4. Information security checklists

image from book

11. 

In the software life cycle, verification:

  1. Evaluates the product in development against real-world requirements
  2. Evaluates the product in development against similar products
  3. Evaluates the product in development against general baselines
  4. Evaluates the product in development against the specification

image from book

12. 

In the software life cycle, validation:

  1. Refers to the work product satisfying the real-world requirements and concepts
  2. Refers to the work product satisfying derived specifications
  3. Refers to the work product satisfying software maturity levels
  4. Refers to the work product satisfying generally accepted principles

image from book

13. 

In the modified Waterfall model:

  1. Unlimited backward iteration is permitted.
  2. The model was reinterpreted to have phases end at project milestones.
  3. The model was reinterpreted to have phases begin at project milestones.
  4. Product verification and validation are not included.

image from book

14. 

Cyclic redundancy checks, structured walk-throughs, and hash totals are examples of what type of application controls?

  1. Preventive security controls
  2. Preventive consistency controls
  3. Detective accuracy controls
  4. Corrective consistency controls

image from book

15. 

In a system life cycle, information security controls should be:

  1. Designed during the product implementation phase
  2. Implemented prior to validation
  3. Part of the feasibility phase
  4. Specified after the coding phase

image from book

16. 

The software maintenance phase controls consist of:

  1. Request control, change control, and release control
  2. Request control, configuration control, and change control
  3. Change control, security control, and access control
  4. Request control, release control, and access control

image from book

17. 

In configuration management, what is a software library?

  1. A set of versions of the component configuration items
  2. A controlled area accessible only to approved users who are restricted to the use of an approved procedure
  3. A repository of backup tapes
  4. A collection of software build lists

image from book

18. 

What is configuration control?

  1. Identifying and documenting the functional and physical characteristics of each configuration item
  2. Controlling changes to the configuration items and issuing versions of configuration items from the software library
  3. Recording the processing of changes
  4. Controlling the quality of the configuration management procedures

image from book

19. 

What is searching for data correlations in the data warehouse called?

  1. Data warehousing
  2. Data mining
  3. A data dictionary
  4. Configuration management

image from book

20. 

The security term that is concerned with the same primary key existing at different classification levels in the same database is:

  1. Polymorphism
  2. Normalization
  3. Inheritance
  4. Polyinstantiation

image from book

21. 

What is a data dictionary?

  1. A database for system developers
  2. A database of security terms
  3. A library of objects
  4. A validation reference source

image from book

22. 

Which of the following is an example of mobile code?

  1. Embedded code in control systems
  2. Embedded code in PCs
  3. Java and ActiveX code downloaded into a Web browser from the World Wide Web (WWW)
  4. Code derived following the Spiral model

image from book

23. 

Which of the following is not true regarding software unit testing?

  1. The test data is part of the specifications.
  2. Correct test output results should be developed and known beforehand.
  3. Live or actual field data is recommended for use in the testing procedures.
  4. Testing should check for out-of-range values and other bounds conditions.

image from book

24. 

The definition “the science and art of specifying, designing, implementing, and evolving programs, documentation, and operating procedures whereby computers can be made useful to people” is that of:

  1. Structured analysis/structured design (SA/SD)
  2. Software engineering
  3. An object-oriented system
  4. Functional programming

image from book

25. 

In software engineering, the term verification is defined as:

  1. Establishing the truth of correspondence between a software product and its specification
  2. A complete, validated specification of the required functions, interfaces, and performance for the software product
  3. Establishing the fitness or worth of a software product for its operational mission
  4. A complete, verified specification of the overall hardware-software architecture, control structure, and data structure for the product

image from book

26. 

The discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle is called:

  1. Change control
  2. Request control
  3. Release control
  4. Configuration management

image from book

27. 

The basic version of the Construction Cost Model (COCOMO), which proposes quantitative life cycle relationships, performs what function?

  1. It estimates software development effort based on user function categories.
  2. It estimates software development effort and cost as a function of the size of the software product in source instructions.
  3. It estimates software development effort and cost as a function of the size of the software product in source instructions modified by manpower buildup and productivity factors.
  4. It estimates software development effort and cost as a function of the size of the software product in source instructions modified by hardware and input functions.

image from book

28. 

A refinement to the basic Waterfall model that states that software should be developed in increments of functional capability is called:

  1. Functional refinement
  2. Functional development
  3. Incremental refinement
  4. Incremental development

image from book

29. 

The Spiral model of the software development process uses which of the following metrics relative to the spiral?

  1. The radial dimension represents the cost of each phase.
  2. The radial dimension represents progress made in completing each cycle.
  3. The angular dimension represents cumulative cost.
  4. The radial dimension represents cumulative cost.

image from book

30. 

In the Capability Maturity Model (CMM) for software, the definition “describes the range of expected results that can be achieved by following a software process” is that of:

  1. Structured analysis/structured design (SA/SD)
  2. Software process capability
  3. Software process performance
  4. Software process maturity

image from book

Answers

1. 

Answer: b

A data warehouse is a repository of information from heterogeneous databases. Answers a and d describe physical facilities for backup and recovery of information systems, and answer c describes a relation in a relational database.

2. 

Answer: a

The correct answer is a, removing redundant data.

3. 

Answer: d

A neural network is a hardware or software system that emulates the functioning of biological neurons. Answer a refers to an expert system, and answers b and c are distracters.

4. 

Answer: a

A neural network learns by using various algorithms to adjust the weights applied to the data. Answers b, c, and d are terminology referenced in expert systems.

5. 

Answer: c

The quality of a software product is a direct function of the quality of its associated software development and maintenance processes. Answer a is false because the SEI Software CMM relates the production of good software to having the proper processes in place in an organization and not to expert programs or heroes. Answer b is false because the Software CMM provides means to measure the maturity of an organization’s software processes. Answer d is false for the same reason as answer b.

6. 

Answer: b

A configuration item is a component whose state is to be recorded and against which changes are to be progressed. Answers a, c, and d are incorrect by the definition of a configuration item.

7. 

Answer: a

Polymorphism refers to objects of many different classes that are related by some common superclass that are able to respond to some common set of operations, defined for the superclass, in different ways depending on their particular subclasses. Answers b, c, and d are incorrect by the definition of polymorphism.

8. 

Answer: b

The simplistic model assumes that each step can be completed and finalized without any effect from the later stages that might require rework. Answer a is incorrect because no iteration is allowed for in the model. Answer c is incorrect because it applies to the modified Waterfall model. Answer d is incorrect because no iteration or reworking is considered in the model.

9. 

Answer: c

A method in an object-oriented system is the code that defines the actions that the object performs in response to a message. Answer a is incorrect because it defines a message. Answer b is a distracter, and answer d refers to multiple inheritance.

10. 

Answer: a

The spiral in the Spiral model incorporates various phases of software development. The other answers are distracters.

11. 

Answer: d

In the software life cycle, verification evaluates the product in development against the specification. Answer a defines validation. Answers b and c are distracters.

12. 

Answer: a

In the software life cycle, validation is the work product satisfying the real-world requirements and concepts. The other answers are distracters.

13. 

Answer: b

The modified Waterfall model was reinterpreted to have phases end at project milestones. Answer a is false because unlimited backward iteration is not permitted in the modified Waterfall model. Answer c is a distracter, and answer d is false because verification and validation are included.

14. 

Answer: c

Cyclic redundancy checks, structured walkthroughs, and hash totals are examples of detective accuracy controls. The other answers do not apply by the definition of the types of controls.

15. 

Answer: c

In the system life cycle, information security controls should be part of the feasibility phase. The other answers are incorrect because the basic premise of information system security is that controls should be included in the earliest phases of the software life cycle and not added later in the cycle or as an afterthought.

16. 

Answer: a

The software maintenance phase controls consist of request control, change control, and release control, by definition. The other answers are, therefore, incorrect.

17. 

Answer: b

In configuration management, a software library is a controlled area, accessible only to approved users who are restricted to the use of approved procedure. Answer a is incorrect because it defines a build list. Answer c is incorrect because it defines a backup storage facility. Answer d is a distracter.

18. 

Answer: b

Configuration control consists of controlling changes to the configuration items and issuing versions of configuration items from the software library. Answer a is the definition of configuration identification. Answer c is the definition of configuration status accounting, and answer d is the definition of configuration audit.

19. 

Answer: b

Searching for data correlations in the data warehouse is called data mining. Answer a is incorrect because data warehousing is creating a repository of information from heterogeneous databases that is available to users for making queries. Answer c is incorrect because a data dictionary is a database for system developers. Answer d is incorrect because configuration management is the discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle.

20. 

Answer: d

The security term that is concerned with the same primary key existing at different classification levels in the same database is polyinstantiation. Answer a is incorrect because polymorphism is defined as objects of many different classes that are related by some common superclass so that any object denoted by this name is able to respond in its own way to some common set of operations. Answer b is incorrect because normalization refers to removing redundant or incorrect data from a database. Answer c is incorrect because inheritance refers to methods from a class inherited by a subclass.

21. 

Answer: a

A data dictionary is a database for system developers. Answers b, c, and d are distracters.

22. 

Answer: c

Examples of mobile code are Java applets and ActiveX controls downloaded into a Web browser from the World Wide Web. Answers a, b, and d are incorrect because they are types of code that are not related to mobile code.

23. 

Answer: c

Live or actual field data are not recommended for use in testing, because they do not thoroughly test all normal and abnormal situations, and the test results are not known beforehand. Answers a, b, and d are true of testing.

24. 

Answer: b

The definition of software engineering in answer b is a combination of popular definitions of engineering and software. One definition of engineering is “the application of science and mathematics to the design and construction of artifacts that are useful to people.” A definition of software is that it “consists of the programs, documentation and operating procedures by which computers can be made useful to people.” Answer a, SA/SD, deals with developing specifications that are abstractions of the problem to be solved and are not tied to any specific programming languages. Thus, SA/SD, through data flow diagrams (DFDs), shows the main processing entities and the data flow between them without any connection to a specific programming language implementation.

An object-oriented system (answer c) is a group of independent objects that can be requested to perform certain operations or exhibit specific behaviors. These objects cooperate to provide the system’s required functionality. The objects have an identity and can be created as the program executes (dynamic lifetime). To provide the desired characteristics of object-oriented systems, the objects are encapsulated (i.e., they can be accessed only through messages sent to them to request performance of their defined operations). The object can be viewed as a black box whose internal details are hidden from outside observation and cannot normally be modified. Objects also exhibit the substitution property, which means that objects providing compatible operations can be substituted for each other. In summary, an object-oriented system contains objects that exhibit the following properties:

  • Identity - Each object has a name that is used to designate that object.
  • Encapsulation - An object can be accessed only through messages to perform its defined operations.
  • Substitution - Objects that perform compatible operations can be substituted for each other.
  • Dynamic lifetimes - Objects can be created as the program executes.

Answer d, functional programming, uses only mathematical functions to perform computations and solve problems. This approach is based on the assumption that any algorithm can be described as a mathematical function. Functional languages have the characteristics that:

  • They support functions and allow them to be manipulated by being passed as arguments and stored in data structures.
  • Functional abstraction is the only method of procedural abstraction.

25. 

Answer: a

In the Waterfall model (W. W. Royce, “Managing the Development of Large Software Systems: Concepts and Techniques,” Proceedings, WESCON, August 1970), answer b defines the term requirements. Similarly, answer c defines the term validation, and answer d is the definition of product design. In summary, the steps of the Waterfall model are:

  • System feasibility
  • Software plans and requirements
  • Product design
  • Detailed design
  • Code
  • Integration
  • Implementation
  • Operations and maintenance

In this model, each phase finishes with a verification and validation (V&V) task that is designed to eliminate as many problems as possible in the results of that phase.

26. 

Answer: d

Answer d is correct, as is demonstrated in Configuration Management of Computer-Based Systems (British Standards Institution, 1984). Answers a, b, and c are components of the maintenance activity of software life cycle models. In general, one can look at the maintenance phase as the progression from request control, through change control, to release control. Request control (answer b) is involved with the users’ requests for changes to the software. Change control (answer a) involves the analysis and understanding of the existing code, the design of changes, and the corresponding test procedures. Release control (answer c) involves deciding which requests are to be implemented in the new release, performing the changes, and conducting testing.

27. 

Answer: b

The Basic COCOMO Model, set forth in Software Engineering Economics, B. W. Boehm (Prentice-Hall, 1981), proposes two equations that compute the number of man-months and the development schedule in months needed to develop a software product, given the number of thousands of delivered source instructions (KDSI) in the product.

In addition, Boehm has developed an intermediate COCOMO Model that takes into account hardware constraints, personnel quality, use of modern tools, and other attributes and their aggregate impact on overall project costs. A detailed COCOMO Model, also by Boehm, accounts for the effects of the additional factors used in the intermediate model on the costs of individual project phases.

Answer b describes a function point measurement model that does not require the user to estimate the number of delivered source instructions. The software development effort is determined using the follow-ing five user functions:

  • External input types
  • External output types
  • Logical internal file types
  • External interface file types
  • External inquiry types

These functions are tallied and weighted according to complexity and used to determine the software development effort.

Answer c describes the Rayleigh curve applied to software development cost and effort estimation. A prominent model using this approach is the Software Life Cycle Model (SLIM) estimating method. In this method, estimates based on the number of lines of source code are modified by the following two factors:

  • The manpower buildup index (MBI), which estimates the rate of buildup of staff on the project
  • A productivity factor (PF), which is based on the technology used

Answer d is a distracter.

28. 

Answer: d

The advantages of incremental development include the ease of testing increments of functional capability and the opportunity to incorporate user experience into a successively refined product. Answers a, b, and c are distracters.

29. 

Answer: d

The radial dimension represents cumulative cost, and the angular dimension represents progress made in completing each cycle of the spiral. The Spiral model is actually a meta-model for software development processes. A summary of the stages in the spiral is as follows:

  • The spiral begins in the top, left-hand quadrant by determining the objectives of the portion of the product being developed, the alternative means of implementing this portion of the product, and the constraints imposed on the application of the alternatives.
  • Next, the risks of the alternatives are evaluated based on the objectives and constraints. Following this step, the relative balances of the perceived risks are determined.
  • The spiral then proceeds to the lower right-hand quadrant where the development phases of the projects begin. A major review completes each cycle, and then the process begins anew for succeeding phases of the project. Typical succeeding phases are software product design, integration and test plan development, additional risk analyses, operational prototype, detailed design, code, unit test, acceptance test, and implementation.

Answers a, b, and c are distracters.

30. 

Answer: b

A software process is a set of activities, methods, and practices that are used to develop and maintain software and associated products. Software process capability is a means of predicting the outcome of the next software project conducted by an organization. Software process performance (answer c) is the result achieved by following a software process. Thus, software capability is aimed at expected results while software performance is focused on results that have been achieved. Software process maturity (answer d) is the extent to which a software process is:

  • Defined
  • Managed
  • Measured
  • Controlled
  • Effective

Software process maturity, then, provides for the potential for growth in capability of an organization. An immature organization develops software in a crisis mode, usually exceeds budgets and time schedules, and develops software processes in an ad hoc fashion during the project. In a mature organization, the software process is effectively communicated to staff, the required processes are documented and consistent, software quality is evaluated, and roles and responsibilities are understood for the project.

Answer a is a distracter, but it is discussed in question 24.

1. 

Which of the following choices is the first priority in an emergency?

  1. Communicating to employees’ families the status of the emergency
  2. Notifying external support resources for recovery and restoration
  3. Protecting the health and safety of everyone in the facility
  4. Warning customers and contractors of a potential interruption of service

image from book

2. 

Which of the following choices is not considered an appropriate role for senior management in the business continuity and disaster recovery process?

  1. Delegate recovery roles
  2. Publicly praise successes
  3. Closely control media and analyst communications
  4. Assess the adequacy of information security during the disaster recovery

image from book

3. 

Why is it so important to test disaster recovery plans frequently?

  1. The businesses that provide subscription services may have changed ownership.
  2. A plan is not considered viable until a test has been performed.
  3. Employees may get bored with the planning process.
  4. Natural disasters can change frequently.

image from book

4. 

Which of the following types of tests of disaster recovery/emergency management plans is considered the most cost-effective and efficient way to identify areas of overlap in the plan before conducting more demanding training exercises?

  1. Full-scale exercise
  2. Walk-through drill
  3. Table-top exercise test
  4. Evacuation drill

image from book

5. 

Which type of backup subscription service will allow a business to recover quickest?

  1. A hot site
  2. A mobile or rolling backup service
  3. A cold site
  4. A warm site

image from book

6. 

Which of the following represents the most important first step in creating a business resumption plan?

  1. Performing a risk analysis
  2. Obtaining senior management support
  3. Analyzing the business impact
  4. Planning recovery strategies

image from book

7. 

What could be a major disadvantage to a mutual aid or reciprocal type of backup service agreement?

  1. It is free or at a low cost to the organization.
  2. The use of prefabricated buildings makes recovery easier.
  3. In a major emergency, the site may not have the capacity to handle the operations required.
  4. Annual testing by the Info Tech department is required to maintain the site.

image from book

8. 

In developing an emergency or recovery plan, which of the following would not be considered a short-term objective?

  1. Priorities for restoration
  2. Acceptable downtime before restoration
  3. Minimum resources needed to accomplish the restoration
  4. The organization’s strategic plan

answer: d the organization s strategic plan is considered a long-term goal.

9. 

When is the disaster considered to be officially over?

  1. When the danger has passed and the disaster has been contained
  2. When the organization has processing up and running at the alternate site
  3. When all the elements of the business have returned to normal functioning at the original site
  4. When all employees have been financially reimbursed for their expenses

image from book

10. 

When should the public and media be informed about a disaster?

  1. Whenever site emergencies extend beyond the facility
  2. When any emergency occurs at the facility, internally or externally
  3. When the public’s health or safety is in danger
  4. When the disaster has been contained

image from book

11. 

What is the number one priority of disaster response?

  1. Resuming transaction processing
  2. Personnel safety
  3. Protecting the hardware
  4. Protecting the software

image from book

12. 

Which of the following is the best description of the criticality prioritization goal of the Business Impact Assessment (BIA) process?

  1. The identification and prioritization of every critical business unit process
  2. The identification of the resource requirements of the critical business unit processes
  3. The estimation of the maximum downtime the business can tolerate
  4. The presentation of the documentation of the results of the BIA

image from book

13. 

Which of the following most accurately describes a business impact analysis (BIA)?

  1. A program that implements the strategic goals of the organization
  2. A management-level analysis that identifies the impact of losing an entity’s resources
  3. A prearranged agreement between two or more entities to provide assistance
  4. Activities designed to return an organization to an acceptable operating condition

image from book

14. 

What is considered the major disadvantage to employing a hot site for disaster recovery?

  1. Exclusivity is assured for processing at the site.
  2. Maintaining the site is expensive.
  3. The site is immediately available for recovery.
  4. Annual testing is required to maintain the site.

image from book

15. 

Which of the following is not considered an appropriate role for Financial Management in the business continuity and disaster recovery process?

  1. Tracking the recovery costs
  2. Monitoring employee morale and guarding against employee burnout
  3. Formally notifying insurers of claims
  4. Reassessing cash flow projections

image from book

16. 

Which of the following is the most accurate description of a warm site?

  1. A backup processing facility with adequate electrical wiring and air conditioning but no hardware or software installed
  2. A backup processing facility with most hardware and software installed, which can be operational within a matter of days
  3. A backup processing facility with all hardware and software installed and 100 percent compatible with the original site, operational within hours
  4. A mobile trailer with portable generators and air conditioning

image from book

17. 

Which of the following is not one of the five disaster recovery plan testing types?

  1. Simulation
  2. Checklist
  3. Mobile
  4. Full Interruption

image from book

18. 

Which of the following choices is an example of a potential hazard due to a technological event, rather than a human event?

  1. Sabotage
  2. Financial collapse
  3. Mass hysteria
  4. Enemy attack

image from book

19. 

Which of the following is not considered an element of a backup alternative?

  1. Electronic vaulting
  2. Remote journaling
  3. Warm site
  4. Checklist

image from book

20. 

Which of the following choices refers to a business asset?

  1. Events or situations that could cause a financial or operational impact to the organization
  2. Protection devices or procedures in place that reduce the effects of threats
  3. Competitive advantage, credibility, or goodwill
  4. Personnel compensation and retirement programs

image from book

21. 

Which of the following statements is not correct regarding the role of the recovery team during the disaster?

  1. The recovery team must be the same as the salvage team, because they perform the same function.
  2. The recovery team is often separate from the salvage team, because they perform different duties.
  3. The recovery team’s primary task is to get predefined critical business functions operating at the alternate processing site.
  4. The recovery team will need full access to all backup media.

image from book

22. 

Which of the following choices is incorrect regarding when a BCP, DRP, or emergency management plan should be evaluated and modified?

  1. Never; once it has been fully tested, it should not be changed.
  2. Annually, in a scheduled review.
  3. After training drills, tests, or exercises.
  4. After an emergency or disaster response.

image from book

23. 

When should security isolation of the incident scene start?

  1. Immediately after the emergency is discovered
  2. As soon as the disaster plan is implemented
  3. After all personnel have been evacuated
  4. When hazardous materials have been discovered at the site

image from book

24. 

Which of the following is not a recommended step to take when resuming normal operations after an emergency?

  1. Reoccupy the damaged building as soon as possible.
  2. Account for all damage-related costs.
  3. Protect undamaged property.
  4. Conduct an investigation.

image from book

25. 

Which of the following would not be a good reason to test the disaster recovery plan?

  1. Testing verifies the processing capability of the alternate backup site.
  2. Testing allows processing to continue at the database shadowing facility.
  3. Testing prepares and trains the personnel to execute their emergency duties.
  4. Testing identifies deficiencies in the recovery procedures.

answer: b the other three answers are good reasons to test the disaster recovery plan.

26. 

Which of the following statements is not true about the post-disaster salvage team?

  1. The salvage team must return to the site as soon as possible regardless of the residual physical danger.
  2. The salvage team manages the cleaning of equipment after smoke damage.
  3. The salvage team identifies sources of expertise to employ in the recovery of equipment or supplies.
  4. The salvage team may be given the authority to declare when operations can resume at the disaster site.

image from book

27. 

Which of the following is the most accurate statement about the results of the disaster recovery plan test?

  1. If no deficiencies were found during the test, then the plan is probably perfect.
  2. The results of the test should be kept secret.
  3. If no deficiencies were found during the test, then the test was probably flawed.
  4. The plan should not be changed no matter what the results of the test.

image from book

28. 

Which statement is true regarding the disbursement of funds during and after a disruptive event?

  1. Because access to funds is rarely an issue during a disaster, no special arrangements need to be made.
  2. No one but the finance department should ever disburse funds during or after a disruptive event.
  3. In the event senior-level or financial management is unable to disburse funds normally, the company will need to file for bankruptcy.
  4. Authorized, signed checks should be stored securely off-site for access by lower-level managers in the event senior-level or financial management is unable to disburse funds normally.

image from book

29. 

Which statement is true regarding company/employee relations during and after a disaster?

  1. The organization has a responsibility to continue salaries or other funding to the employees and families affected by the disaster.
  2. The organization’s responsibility to the employee’s families ends when the disaster stops the business from functioning.
  3. Employees should seek any means of obtaining compensation after a disaster, including fraudulent ones.
  4. Senior-level executives are the only employees who should receive continuing salaries during the disruptive event.

image from book

30. 

Which of the following choices is the correct definition of a Mutual Aid Agreement?

  1. A management-level analysis that identifies the impact of losing an entity’s resources
  2. An appraisal or determination of the effects of a disaster on human, physical, economic, and natural resources
  3. A prearranged agreement to render assistance to the parties of the agreement
  4. Activities taken to eliminate or reduce the degree of risk to life and property

image from book

31. 

Which of the following most accurately describes a business continuity program?

  1. An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery
  2. A program that implements the mission, vision, and strategic goals of the organization
  3. A determination of the effects of a disaster on human, physical, economic, and natural resources
  4. A standard that allows for rapid recovery during system interruption and data loss

image from book

32. 

Which of the following would best describe a cold backup site?

  1. A computer facility with electrical power and HVAC, all needed applications installed and configured on the file/print servers, and enough workstations present to begin processing
  2. A computer facility with electrical power and HVAC but with no workstations or servers on-site prior to the event and no applications installed
  3. A computer facility with no electrical power or HVAC
  4. A computer facility available with electrical power and HVAC and some file/print servers, although the applications are not installed or configured, and all the needed workstations may not be on site or ready to begin processing

image from book

33. 

Which of the following would best describe a tertiary site?

  1. A computer facility with no electrical power
  2. A secondary backup site
  3. Remote journaling
  4. A mobile trailer with portable generators

image from book

Answers

1. 

Answer: c

Life safety, or protecting the health and safety of everyone in the facility, is the first priority in an emergency or disaster.

2. 

Answer: d

The tactical assessment of information security is a role of information management or technology management, not senior management.

3. 

Answer: b

A plan is not considered functioning and viable until a test has been performed. An untested plan sitting on a shelf is useless and might even have the reverse effect of creating a false sense of security. Although the other answers, especially a, are good reasons to test, b is the primary reason.

4. 

Answer: c

In a table-top exercise, members of the emergency management group meet in a conference room setting to discuss their responsibilities and how they would react to emergency scenarios.

5. 

Answer: a

Warm and cold sites require more work after the event occurs to get them to full operating functionality. A mobile backup site might be useful for specific types of minor outages, but a hot site is still the main choice of backup processing site.

6. 

Answer: b

The business resumption, or business continuity plan, must have total, highly visible senior management support.

7. 

Answer: c

The site might not have the capacity to handle the operations required during a major disruptive event. Mutual aid might be a good system for sharing resources during a small or isolated outage, but a major natural or other type of disaster can create serious resource contention between the two organizations, both of which may be affected simultaneously.

8. 

Answer: d

The organization’s strategic plan is considered a long-term goal.

9. 

Answer: c

The disaster is officially over when all the elements of the business have returned to normal functioning at the original site. It’s important to remember that a threat to continuity exists when processing is being returned to its original site after salvage and cleanup has been done.

10. 

Answer: a

When an emergency occurs that could potentially have an impact outside the facility, the public must be informed, regardless of whether there is any immediate threat to public safety.

11. 

Answer: b

The number one function of all disaster response and recovery is the protection of the safety of people; all other concerns are vital to business continuity but are secondary to personnel safety.

12. 

Answer: a

The three primary goals of a BIA are criticality prioritization, maximum downtime estimation, and identification of critical resource requirements. Answer d is a distracter.

13. 

Answer: b

A business impact analysis (BIA) measures the effect of resource loss and escalating losses over time in order to provide the entity with reliable data upon which to base decisions on hazard mitigation and continuity planning. Answer a is a definition of a disaster/emergency management program. Answer c describes a mutual aid agreement. Answer d is the definition of a recovery program.

14. 

Answer: b

A hot site is commonly used for those extremely time-critical functions that the business must have up and running to continue operating, but the expense of duplicating and maintaining all the hardware, software, and application elements is a serious resource drain to most organizations.

15. 

Answer: b

Monitoring employee morale and guarding against employee burnout during a disaster recovery event is the proper role of human resources.

16. 

Answer: b

17. 

Answer: c

18. 

Answer: b

A financial collapse is considered a technological potential hazard, whereas the other three are human events.

19. 

Answer: d

A checklist is a type of disaster recovery plan test. Electronic vaulting is the batch transfer of backup data to an offsite location. Remote journaling is the parallel processing of transactions to an alternate site. A warm site is a backup processing alternative.

20. 

Answer: c

Answer a is a definition for a threat. Answer b is a description of mitigating factors that reduce the effect of a threat, such as an uninterruptible power supply (UPS), sprinkler systems, or generators. Answer d is a distracter.

21. 

Answer: a

The recovery team performs different functions from the salvage team. The recovery team’s primary mandate is to get critical processing reestablished at an alternate site. The salvage team’s primary mandate is to return the original processing site to normal processing environmental conditions.

22. 

Answer: a

Emergency management plans, business continuity plans, and disaster recovery plans should be regularly reviewed, evaluated, modified, and updated. At a minimum, the plan should be reviewed at an annual audit.

23. 

Answer: a

Isolation of the incident scene should begin as soon as the emergency has been discovered.

24. 

Answer: a

Reoccupying the site of a disaster or emergency should not be undertaken until a full safety inspection has been done, an investigation into the cause of the emergency has been completed, and all damaged property has been salvaged and restored.

25. 

Answer: b

The other three answers are good reasons to test the disaster recovery plan.

26. 

Answer: a

Salvage cannot begin until all physical danger has been removed or mitigated and emergency personnel have returned control of the site to the organization.

27. 

Answer: c

The purpose of the test is to find weaknesses in the plan. Every plan has weaknesses. After the test, all parties should be advised of the results, and the plan should be updated to reflect the new information.

28. 

Answer: d

Authorized, signed checks should be stored securely off-site for access by lower-level managers in the event senior-level or financial management is unable to disburse funds normally.

29. 

Answer: a

The organization has an inherent responsibility to its employees and their families during and after a disaster or other disruptive event. The company must be insured to the extent it can properly compensate its employees and families. Alternatively, employees do not have the right to obtain compensatory damages fraudulently if the organization cannot compensate.

30. 

Answer: c

A mutual aid agreement is used by two or more parties to provide for assistance if one of the parties experiences an emergency. Answer a describes a business continuity plan. Answer b describes a damage assessment, and answer d describes risk mitigation.

31. 

Answer: a

A business continuity program is an ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance. Answer b describes a disaster/emergency management program. Answer c describes a damage assessment. Answer d is a distracter.

32. 

Answer: b

A computer facility with electrical power and HVAC, with workstations and servers not present (but available to be brought on-site when the event begins) and no applications installed, is a cold site. Answer a is a hot site, and d is a warm site. Answer c is just an empty room.

33. 

Answer: b

A “tertiary site” is a secondary backup site that can be used in case the primary backup site is not available.

1. 

According to the Internet Architecture Board (IAB), an activity that causes which of the following is considered a violation of ethical behavior on the Internet?

  1. Wasting resources
  2. Appropriating other people’s intellectual output
  3. Using a computer to steal
  4. Using a computer to bear false witness

image from book

2. 

Which of the following best defines social engineering?

  1. Illegal copying of software
  2. Gathering information from discarded manuals and printouts
  3. Using people skills to obtain proprietary information
  4. Destruction or alteration of data

image from book

3. 

Because the development of new technology usually outpaces the law, law enforcement uses which traditional laws to prosecute computer criminals?

  1. Malicious mischief
  2. Embezzlement, fraud, and wiretapping
  3. Immigration
  4. Conspiracy and elimination of competition

image from book

4. 

Which of the following is not a category of law under the Common Law System?

  1. Criminal law
  2. Civil law
  3. Administrative/regulatory law
  4. Derived law

image from book

5. 

A trade secret:

  1. Provides the owner with a legally enforceable right to exclude others from practicing the art covered for a specified time period
  2. Protects original works of authorship
  3. Secures and maintains the confidentiality of proprietary technical or business-related information that is adequately protected from disclosure by the owner
  4. Is a word, name, symbol, color, sound, product shape, or device used to identify goods and to distinguish them from those made or sold by others

image from book

6. 

Which of the following is not a European Union (EU) principle?

  1. Data should be collected in accordance with the law.
  2. Transmission of personal information to locations where equivalent personal data protection cannot be ensured is permissible.
  3. Data should be used only for the purposes for which it was collected and should be used only for a reasonable period of time.
  4. Information collected about an individual cannot be disclosed to other organizations or individuals unless authorized by law or by consent of the individual.

image from book

7. 

The Federal Sentencing Guidelines:

  1. Hold senior corporate officers personally liable if their organizations do not comply with the law
  2. Prohibit altering, damaging, or destroying information in a federal interest computer
  3. Prohibit eavesdropping or the interception of message contents
  4. Established a category of sensitive information called Sensitive But Unclassified (SBU)

image from book

8. 

What does the prudent-man rule require?

  1. Senior officials to post performance bonds for their actions
  2. Senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances
  3. Senior officials to guarantee that all precautions have been taken and that no breaches of security can occur
  4. Senior officials to follow specified government standards

image from book

9. 

Information Warfare is:

  1. Attacking the information infrastructure of a nation to gain military or economic advantages
  2. Developing weapons systems based on artificial intelligence technology
  3. Generating and disseminating propaganda material
  4. Signal intelligence

image from book

10. 

The chain of evidence relates to:

  1. Securing laptops to desks during an investigation
  2. DNA testing
  3. Handling and controlling evidence
  4. Making a disk image

image from book

11. 

The Kennedy-Kassebaum Act is also known as:

  1. RICO
  2. OECD
  3. HIPAA
  4. EU Directive

answer: c the answer c is correct. the others refer to other laws or guidelines.

12. 

Which of the following refers to a U.S. government program that reduces or eliminates emanations from electronic equipment?

  1. CLIPPER
  2. ECHELON
  3. ECHO
  4. TEMPEST

image from book

13. 

Imprisonment is a possible sentence under:

  1. Civil (tort) law
  2. Criminal law
  3. Both civil and criminal law
  4. Neither civil nor criminal law

answer: b answer b is the only one of the choices in which imprisonment is possible.

14. 

Which one of the following conditions must be met if legal electronic monitoring of employees is conducted by an organization?

  1. Employees must be unaware of the monitoring activity.
  2. All employees must agree with the monitoring policy.
  3. Results of the monitoring cannot be used against the employee.
  4. The organization must have a policy stating that all employees are regularly notified that monitoring is being conducted.

image from book

15. 

Which of the following is a key principle in the evolution of computer crime laws in many countries?

  1. All members of the United Nations have agreed to uniformly define and prosecute computer crime.
  2. Existing laws against embezzlement, fraud, and wiretapping cannot be applied to computer crime.
  3. The definition of property is extended to include electronic information.
  4. Unauthorized acquisition of computer-based information without the intent to resell is not a crime.

image from book

16. 

The concept of due care states that senior organizational management must ensure that:

  1. All risks to an information system are eliminated.
  2. Certain requirements must be fulfilled in carrying out their responsibilities to the organization.
  3. Other management personnel are delegated the responsibility for information system security.
  4. The cost of implementing safeguards is greater than the potential resultant losses resulting from information security breaches.

image from book

17. 

Liability of senior organizational officials relative to the protection of the organization’s information systems is prosecutable under:

  1. Criminal law
  2. Civil law
  3. International law
  4. Financial law

image from book

18. 

Responsibility for handling computer crimes in the United States is assigned to:

  1. The Federal Bureau of Investigation (FBI) and the Secret Service
  2. The FBI only
  3. The National Security Agency (NSA)
  4. The Central Intelligence Agency (CIA)

answer: a the correct answer is a, making the other answers incorrect.

19. 

In general, computer-based evidence is considered:

  1. Conclusive
  2. Circumstantial
  3. Secondary
  4. Hearsay

image from book

20. 

Investigating and prosecuting computer crimes is made more difficult because:

  1. Backups may be difficult to find.
  2. Evidence is mostly intangible.
  3. Evidence cannot be preserved.
  4. Evidence is hearsay and can never be introduced into a court of law.

image from book

21. 

Which of the following criteria are used to evaluate suspects in the commission of a crime?

  1. Motive, Intent, and Ability
  2. Means, Object, and Motive
  3. Means, Intent, and Motive
  4. Motive, Means, and Opportunity

image from book

22. 

Which one of the following U.S. government entities was assigned the responsibility for improving government efficiency through the application of new technologies and for developing guidance on information security for government agencies by the Paperwork Reduction Act of 1980, 1995?

  1. The National Institute for Standards and Technology (NIST)
  2. The General Services Administration (GSA)
  3. The Office of Management and Budget (OMB)
  4. The National Security Agency (NSA)

image from book

23. 

What is enticement?

  1. Encouraging the commission of a crime when there was initially no intent to commit a crime
  2. Assisting in the commission of a crime
  3. Luring the perpetrator to an attractive area or presenting the perpetrator with a lucrative target after the crime has already been initiated
  4. Encouraging the commission of one crime over another

image from book

24. 

Which of the following is not a computer investigation issue?

  1. Evidence is easy to obtain.
  2. The time frame for investigation is compressed.
  3. An expert may be required to assist.
  4. The information is intangible.

image from book

25. 

Conducting a search without the delay of obtaining a warrant if destruction of evidence seems imminent is possible under:

  1. Federal Sentencing Guidelines
  2. Proximate Causation
  3. Exigent Circumstances
  4. Prudent-Man Rule

image from book

26. 

Which one of the following items is not true concerning the Platform for Privacy Preferences (P3P) developed by the World Wide Web Consortium (W3C)?

  1. It allows Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents.
  2. It allows users to be informed of site practices in human-readable format.
  3. It does not provide the site privacy practices to users in machine-readable format.
  4. It automates decision making based on the site’s privacy practices when appropriate.

image from book

27. 

The 1996 Information Technology Management Reform Act (ITMRA), or Clinger-Cohen Act, did which one of the following?

  1. Relieved the General Services Administration of responsibility for procurement of automated systems and contract appeals and charged the Office of Management and Budget with providing guidance on information technology procurement
  2. Relieved the General Services Administration of responsibility for procurement of automated systems and contract appeals and charged the National Institute for Standards and Technology with providing guidance on information technology procurement
  3. Relieved the Office of Management and Budget of responsibility for procurement of automated systems and contract appeals and charged the General Services Administration with providing guidance on information technology procurement
  4. Relieved the General Services Administration of responsibility for procurement of automated systems and contract appeals and charged the National Security Agency with providing guidance on information technology procurement

answer: a the answer a is correct. the other answers are distracters.

28. 

Which one of the following U.S. Acts prohibits trading, manufacturing, or selling in any way that is intended to bypass copyright protection mechanisms?

  1. The 1999 Uniform Information Transactions Act (UCITA)
  2. The 1998 Digital Millennium Copyright Act (DMCA)
  3. The 1998 Sonny Bono Copyright Term Extension Act
  4. The 1987 U.S. Computer Security Act

image from book

29. 

Which of the following actions by the U.S. government is not permitted or required by the U.S. PATRIOT Act, signed into law on October 26, 2001?

  1. Subpoena of electronic records
  2. Monitoring of Internet communications
  3. Search and seizure of information on live systems (including routers and servers), backups, and archives
  4. Reporting of cash and wire transfers of $5,000 or more

image from book

30. 

Which Act required U.S. government agencies to do the following?

  • Manage information resources to protect privacy and security
  • Designate a senior official, reporting directly to the Secretary of the Treasury, to ensure that the responsibilities assigned by the Act are accomplished
  • Identify and afford security protections in conformance with the Computer Security Act of 1987 commensurate with the magnitude of harm and risk that may result from the misuse, loss, or unauthorized access relative to information collected by an agency or maintained on behalf of an agency
  • Implement and enforce applicable policies, procedures, standards, and guidelines on privacy, confidentiality, security, disclosures, and sharing of information collected or maintained by or for the agency
  1. 1994 U.S. Computer Abuse Amendments Act
  2. 1996, Title I, Economic Espionage Act
  3. 1987 U.S. Computer Security Act
  4. Paperwork Reduction Act of 1980, 1995

image from book

Answers

1. 

Answer: a

The correct answer is a. Answers b, c, and d are ethical considerations of other organizations.

2. 

Answer: c

The correct answer is c: using people skills to obtain proprietary information. Answer a is software piracy, answer b is dumpster diving, and answer d is a violation of integrity.

3. 

Answer: b

The answer b is correct. Answer a is not a law, answer c is not applicable because it applies to obtaining visas and so on, and answer d is not correct because the laws in answer b are more commonly used to prosecute computer crimes.

4. 

Answer: d

The correct answer, d, is a distracter. All the other answers are categories under common law.

5. 

Answer: c

Answer c defines a trade secret. Answer a refers to a patent. Answer b refers to a copyright. Answer d refers to a trademark.

6. 

Answer: b

The transmission of data to locations where equivalent personal data protection cannot be ensured is not permissible for the EU. The other answers are EU principles.

7. 

Answer: a

The answer a is correct. Answer b is part of the U.S. Computer Fraud and Abuse Act. Answer c is part of the U.S. Electronic Communications Privacy Act. Answer d is part of the U.S. Computer Security Act.

8. 

Answer: b

The answer b is correct. Answer a is a distracter and is not part of the prudent man rule. Answer c is incorrect because it is not possible to guarantee that breaches of security can never occur. Answer d is incorrect because the prudent-man rule does not refer to a specific government standard but relates to what other prudent persons would do.

9. 

Answer: a

The answer a is correct. Answer b is a distracter and has to do with weapon systems development. Answer c is not applicable. Answer d is the conventional acquisition of information from radio signals.

10. 

Answer: c

The answer c is correct. Answer a relates to physical security, answer b is a type of biological testing, and answer d is part of the act of gathering evidence.

11. 

Answer: c

The answer c is correct. The others refer to other laws or guidelines.

12. 

Answer: d

The answer d is correct. Answer a refers to the U.S. government Escrow Encryption Standard. Answer b refers to the large-scale monitoring of RF transmissions. Answer c is a distracter.

13. 

Answer: b

Answer b is the only one of the choices in which imprisonment is possible.

14. 

Answer: d

The answer d is correct. Answer a is incorrect because employees must be made aware of the monitoring if it is to be legal; answer b is incorrect because employees do not have to agree with the policy; and answer c is incorrect because the results of monitoring may be used against the employee if the corporate policy is violated.

15. 

Answer: c

The answer c is correct. Answer a is incorrect because all nations do not agree on the definition of computer crime and corresponding punishments. Answer b is incorrect because the existing laws can be applied against computer crime. Answer d is incorrect because in some countries, possession without intent to sell is considered a crime.

16. 

Answer: b

The answer b is correct. Answer a is incorrect because all risks to information systems cannot be eliminated; answer c is incorrect because senior management cannot delegate its responsibility for information system security under due care; and answer d is incorrect because the cost of implementing safeguards should be less than or equal to the potential resulting losses relative to the exercise of due care.

17. 

Answer: b

18. 

Answer: a

The correct answer is a, making the other answers incorrect.

19. 

Answer: d

The answer d is correct. Answer a refers to incontrovertible evidence; answer b refers to inference from other, intermediate facts; and answer c refers to a copy of evidence or oral description of its content.

20. 

Answer: b

The answer b is correct. Answer a is incorrect because if backups are done, they usually can be located. Answer c is incorrect because evidence can be preserved using the proper procedures. Answer d is incorrect because there are exceptions to the hearsay rule.

21. 

Answer: d

22. 

Answer: c

23. 

Answer: c

Answer c is the definition of enticement. Answer a is the definition of entrapment. Answers b and d are distracters.

24. 

Answer: a

The correct answer is a. In many instances, evidence is difficult to obtain in computer crime investigations. Answers b, c, and d are computer investigation issues.

25. 

Answer: c

The answer c is correct. The other answers refer to other principles, guidelines, or rules.

26. 

Answer: c

In addition to the capabilities in answers a, b, and d, P3P does provide the site privacy practices to users in machine-readable format.

27. 

Answer: a

The answer a is correct. The other answers are distracters.

28. 

Answer: b

Answers a and d are distracters. Answer c, the 1998 Sonny Bono Copyright Term Extension Act, amends the provisions concerning duration of copyright protection. The Act states that the terms of copyright are generally extended for an additional 20 years.

29. 

Answer: d

Wire and cash transfers of $10,000 or more in a single transaction must be reported to government officials. Actions in answers a, b, and c are permitted under the PATRIOT Act. In answers a and b, the government has new powers to subpoena electronic records and to monitor Internet traffic. In monitoring information, the government can require the assistance of ISPs and network operators. This monitoring can extend even into individual organizations. In the PATRIOT Act, Congress permits investigators to gather information about electronic mail without having to show probable cause that the person to be monitored had committed a crime or was intending to commit a crime. In answer c, the items cited now fall under existing search and seizure laws. A new twist is delayed notification of a search warrant. Under the PATRIOT Act, if it is suspected that notification of a search warrant would cause a suspect to flee, a search can be conducted before notification of a search warrant is given.

In a related matter, the United States and numerous other nations have signed the Council of Europe’s Cybercrime Convention. In the United States, participation in the Convention has to be ratified by the Senate. In essence, the Convention requires the signatory nations to spy on their own residents, even if the action being monitored is illegal in the country in which the monitoring is taking place.

30. 

Answer: d

1. 

Which of the following is not a type of motion-detection system?

  1. Ultrasonic-detection system
  2. Microwave-detection system
  3. Host-based intrusion-detection system
  4. Sonic-detection system

image from book

2. 

Which of the following is a type of personnel control that helps prevent piggybacking?

  1. Mantraps
  2. Back doors
  3. Brute force
  4. Maintenance hooks

image from book

3. 

Which of the following choices most accurately describes the prime benefit of using guards?

  1. Human guards are less expensive than guard dogs.
  2. Guards can exercise discretionary judgment in a way that automated systems can’t.
  3. Automated systems have a greater reliability rate than guards.
  4. Guard dogs cannot discern an intruder’s intent.

image from book

4. 

The recommended optimal relative humidity range for computer operations is:

  1. 10%–30%
  2. 30%–40%
  3. 40%–60%
  4. 60%–80%

image from book

5. 

How many times should a diskette be formatted to comply with TCSEC Orange Book object reuse recommendations?

  1. Three
  2. Five
  3. Seven
  4. Nine

image from book

6. 

Which of the following more closely describes the combustibles in a Class B-rated fire?

  1. Paper
  2. Gas
  3. Liquid
  4. Electrical

image from book

7. 

Which of the following is not the proper suppression medium for a Class B fire?

  1. CO2
  2. Soda Acid
  3. Halon
  4. Water

image from book

8. 

What does an audit trail or access log usually not record?

  1. How often a diskette was formatted
  2. Who attempted access
  3. The date and time of the access attempt
  4. Whether the attempt was successful

answer: a the other three answers are common elements of an access log or audit trail.

9. 

A brownout can be defined as a:

  1. Prolonged power loss
  2. Momentary low voltage
  3. Prolonged low voltage
  4. Momentary high voltage

image from book

10. 

Which of the following statements is not accurate about smoke damage to electronic equipment?

  1. Smoke exposure during a fire for a relatively short period does little immediate damage.
  2. Continuing power to the smoke-exposed equipment can increase the damage.
  3. Moisture and oxygen corrosion constitute the main damage to the equipment.
  4. The primary damage done by smoke exposure is immediate.

image from book

11. 

A surge can be defined as a(n):

  1. Prolonged high voltage
  2. Initial surge of power at start
  3. Momentary power loss
  4. Steady interfering disturbance

image from book

12. 

Which is not a type of a fire detector?

  1. Heat-sensing
  2. Gas-discharge
  3. Flame-actuated
  4. Smoke-actuated

answer: b gas-discharge is a type of fire extinguishing system, not a fire detection system.

13. 

Which of the following is not considered an acceptable replacement for Halon discharge systems?

  1. FA200
  2. Inergen (IG541)
  3. Halon 1301
  4. Argon (IG55)

image from book

14. 

Which type of fire extinguishing method contains standing water in the pipe and therefore generally does not enable a manual shutdown of systems before discharge?

  1. Dry pipe
  2. Wet pipe
  3. Preaction
  4. Deluge

image from book

15. 

Which of the following types of control is not an example of a physical security access control?

  1. Retinal scanner
  2. Guard dog
  3. Five-key programmable lock
  4. Audit trail

image from book

16. 

Which is not a recommended way to dispose of unwanted used data media?

  1. Destroying CD-ROMs
  2. Formatting diskettes seven or more times
  3. Shredding paper reports by cleared personnel
  4. Copying new data over existing data on diskettes

image from book

17. 

According to the NFPA, which of the following choices is not a recommended risk factor to consider when determining the need for protecting the computing environment from fire?

  1. Life safety aspects of the computing function or process
  2. Fire threat of the installation to occupants or exposed property
  3. Distance of the computing facility from a fire station
  4. Economic loss of the equipment’s value

image from book

18. 

Which of the following choices is not an example of a halocarbon agent?

  1. HFC-23
  2. FC-3-1-10
  3. IG-541
  4. HCFC-22

answer: c ig-541 is an inert gas agent, not a halocarbon agent.

19. 

Which of the following statements most accurately describes a dry pipe sprinkler system?

  1. Dry pipe is the most commonly used sprinkler system.
  2. Dry pipe contains air pressure.
  3. Dry pipe sounds an alarm and delays water release.
  4. Dry pipe may contain carbon dioxide.

image from book

20. 

The theft of a laptop poses a threat to which tenet of the C.I.A. triad?

  1. Confidentiality
  2. Integrity
  3. Availability
  4. All of the above

image from book

21. 

Which is a benefit of a guard over an automated control?

  1. Guards can use discriminating judgment.
  2. Guards are cheaper.
  3. Guards do not need training.
  4. Guards do not need pre-employment screening.

image from book

22. 

Which is not considered a preventative security measure?

  1. Fences
  2. Guards
  3. Audit trails
  4. Preset locks

image from book

23. 

Which is not a PC security control device?

  1. A cable lock
  2. A switch control
  3. A port control
  4. A file cabinet lock

image from book

24. 

Which of the following is not an example of a clean fire-extinguishing agent?

  1. CO2
  2. IG-55
  3. IG-01
  4. HCFC-22

image from book

25. 

What is the recommended height of perimeter fencing to keep out casual trespassers?

  1. 1′ to 2′ high
  2. 3′ to 4′ high
  3. 6′ to 7′ high
  4. 8′ to 12′ high

image from book

26. 

Why should extensive exterior perimeter lighting of entrances or parking areas be installed?

  1. To enable programmable locks to be used
  2. To create two-factor authentication
  3. To discourage prowlers or casual intruders
  4. To prevent data remanence

answer: c the other answers have nothing to do with lighting.

27. 

Which of the following is not a form of data erasure?

  1. Clearing
  2. Remanence
  3. Purging
  4. Destruction

image from book

28. 

Which is not considered a physical intrusion detection method?

  1. Audio motion detector
  2. Photoelectric sensor
  3. Wave pattern motion detector
  4. Line supervision

image from book

29. 

Which of the following statements represents the best reason to control the humidity in computer operations areas?

  1. Computer operators do not perform at their peak if the humidity is too high.
  2. Electrostatic discharges can harm electronic equipment.
  3. Static electricity destroys the electrical efficiency of the circuits.
  4. If the air is too dry, electroplating of conductors may occur.

image from book

30. 

Which of the following terms refers to a standard used in determining the fire safety of a computer room?

  1. Noncombustible
  2. Fire-resistant
  3. Fire retardant
  4. Nonflammable

image from book

31. 

Which of the following choices is not a common use for a proximity smart card?

  1. Verifying on-line purchases
  2. Vehicle identification
  3. Public transportation
  4. Airline ticketing

image from book

32. 

Which of the following is the best description of PIDAS fencing?

  1. PIDAS fencing must be at least 6 feet high.
  2. PIDAS fencing often has a high rate of false alarms.
  3. PIDAS fencing employs bright Fresnel lighting.
  4. PIDAS fencing is impossible to cut through.

image from book

33. 

Which of the following statements about bollards is incorrect?

  1. Bollards sometimes house exterior lighting.
  2. Bollards are primarily designed to deter vehicles being driven into a building.
  3. Bollards are used to authenticate users via smart cards.
  4. Bollards are small concrete pillars.

image from book

Answers

1. 

Answer: c

Host-based intrusion-detection systems are used to detect unauthorized logical access to network resources, not the physical presence of an intruder.

2. 

Answer: a

The other three answers are not personnel or physical controls but are technical threats or vulnerabilities. Back doors (answer b) commonly refers to Trojan horses used covertly to give an attacker backdoor network access. Hackers install back doors to gain network access at a later time. Brute force (answer c) is a cryptographic attack attempting to use all combinations of key patterns to decipher a message. Maintenance hooks (answer d) are undocumented openings into an application to assist programmers with debugging. Although intended innocently, these can be exploited by intruders.

3. 

Answer: b

The prime advantage to using human guards is that they can exercise discretionary judgment when the need arises. For example, during an emergency guards can switch roles from access control to evacuation support, something guard dogs or automated systems cannot.

4. 

Answer: c

40% to 60% relative humidity is recommended for safe computer operations. Too low humidity can create static discharge problems, and too high humidity can create condensation and electrical contact problems.

5. 

Answer: c

Most computer certification and accreditation standards recommend that diskettes be formatted seven times to prevent any possibility of data remanence.

6. 

Answer: c

Paper is described as a common combustible and is therefore rated a class A fire. An electrical fire is rated Class C. Gas is not defined as a combustible.

7. 

Answer: d

Water is not a proper suppression medium for a class B fire. The other three are commonly used.

8. 

Answer: a

The other three answers are common elements of an access log or audit trail.

9. 

Answer: c

Answer a, prolonged power loss, is a blackout; answer b, momentary low voltage, is a sag; and d, momentary high voltage, is a spike.

10. 

Answer: d

Immediate smoke exposure to electronic equipment does little damage. However, the particulate residue left after the smoke has dissipated contains active by-products that corrode metal contact surfaces in the presence of moisture and oxygen.

11. 

Answer: a

Answer b, initial surge of power at start or power on, is called an inrush; c, momentary power loss, is a fault; and d, a steady interfering disturbance, is called noise.

12. 

Answer: b

Gas-discharge is a type of fire extinguishing system, not a fire detection system.

13. 

Answer: c

Existing installations are encouraged to replace Halon 1301 with one of the substitutes listed.

14. 

Answer: b

The other three are variations on a dry pipe discharge method with the water not standing in the pipe until a fire is detected.

15. 

Answer: d

16. 

Answer: d

While this method might overwrite the older files, recoverable data might exist past the file end marker of the new file if the new data file is smaller than the older data file.

17. 

Answer: c

Although the distance of the computing facility from a fire station should be considered when initially determining the physical location of a computing facility (as should police and hospital proximity), it is not considered a primary factor in determining the need for internal fire suppression systems.

18. 

Answer: c

IG-541 is an inert gas agent, not a halocarbon agent.

19. 

Answer: b

In a dry pipe system, air pressure is maintained until the sprinkler head seal is ruptured. Answer a is incorrect because wet pipe is the most commonly used sprinkler system, dry pipe is second. Answer c describes a preaction pipe, which sounds an alarm and delays the water release. A preaction pipe may or may not be a dry pipe, but not all dry pipes are preaction. Answer d is incorrect because a dry pipe is a water release system.

20. 

Answer: d

Confidentiality, because the data can now be read by someone outside of a monitored environment; availability, because the user has lost the computing ability provided by the unit; and integrity, because the data residing on and any telecommunications from the portable are now suspect.

21. 

Answer: a

Guards can use discriminating judgment. Guards are typically more expensive than automated controls, need training as to the protection requirements of the specific site, and need to be screened and bonded.

22. 

Answer: c

Audit trails are detective rather than preventative, because they are used to piece together the information of an intrusion or intrusion attempt after the fact.

23. 

Answer: d

A cable lock is used to attach the PC to a desk; a switch control is used to prevent powering a unit off; and a port control (such as a diskette drive lock) is used to prevent data from being downloaded from the PC.

24. 

Answer: a

CO2, carbon dioxide, leaves a corrosive residue and is therefore not recommended for computer facility fire suppression systems.

25. 

Answer: b

3′ to 4′-high fencing is considered minimal protection, for restricting only casual trespassers. Answers c and d are better protection against intentional intruders.

26. 

Answer: c

The other answers have nothing to do with lighting.

27. 

Answer: b

Remanance is what data erasure is intended to prevent. Clearing (answer a) refers to the overwriting of data media intended to be reused in the same organization. Purging (answer c) refers to degaussing or overwriting media intended to be removed from the organization. Destruction (answer d) refers to completely destroying the media.

28. 

Answer: d

Line supervision is the monitoring of the alarm signaling transmission medium to detect tampering. Audio detectors (answer a) monitor a room for any abnormal soundwave generation. Photoelectric sensors (answer b) receive a beam of light from a light-emitting device. Wave pattern motion detectors (answer c) generate a wave pattern and send an alarm if the pattern is disturbed.

29. 

Answer: b

Electrostatic discharges from static electricity can damage sensitive electronic equipment, even in small amounts.

30. 

Answer: b

Answer a, noncombustible, means material that will not aid or add appreciable heat to an ambient fire. Answer c, fire retardant, describes material that lessens or prevents the spread of a fire. Fire retardant coatings are designed to protect materials from fire exposure damage. Answer d, nonflammable, describes material that will not burn.

31. 

Answer: a

A proximity smart card is not commonly used for verifying on-line pur-chases. The other answers are all common uses of a proximity smart card.

32. 

Answer: b

Perimeter Intrusion Detection and Assessment System (PIDAS) fencing has intrusion detection sensors on the fence and attempts to detect an intruder scaling the fence or cutting through it. By initiating an alarm when the cable vibrates, however, PIDAS’s sensitivity can cause a high rate of false alarms, as the alarm is often triggered by animals or weather elements such as high wind.

33. 

Answer: c

Bollards are concrete pillars designed to deter drivers from driving vehicles into a building, and may contain exterior lighting to make them more functional and decorative.

1. 

Which of the following is not a standard phase in the System Authorization Process?

  1. Pre-certification
  2. Post-Authorization
  3. Post-Certification
  4. Certification

image from book

2. 

Which of the following would be an accurate description of the role of the ISSO in the C&A process?

  1. The ISSO determines whether a system is ready for certification and conducts the certification process.
  2. The operational interests of system users are vested in the ISSO.
  3. The ISSO coordinates all aspects of the system from initial concept, through development, to implementation and system maintenance.
  4. The ISSO is responsible to the DAA for ensuring that security is provided for and implemented throughout the life cycle.

image from book

3. 

The British Standard BS7799 was the basis for which of the following standards?

  1. ISO/IEC 154508
  2. ISO/IEC 17799
  3. ICO/ICE 17799
  4. Executive Order (E.O.) 13231

image from book

4. 

How many phases are defined in the DIACAP process?

  1. Three
  2. Four
  3. Five
  4. Six

image from book

5. 

Which is not a common responsibility of the user representative?

  1. The user representative is responsible for the secure operation of a certified and accredited IS.
  2. The user representative represents the user community.
  3. The user representative determines whether a system is ready for certification and conducts the certification process.
  4. The user representative functions as the liaison for the user community throughout the life cycle of the system.

image from book

6. 

Which statement is not true about the SAA?

  1. The SSAA is used throughout the entire process.
  2. The SSAA is a formal agreement among the DAA(s), certifier, user representative, and program manager.
  3. The SSAA is used only during Phase 3, Validation.
  4. The SSAA documents the conditions of the C&A for an IS.

image from book

7. 

Which C&A role is also referred to as the accreditor?

  1. IS program manager
  2. Designated Approving Authority (DAA)
  3. Certification agent
  4. User representative

answer: b the designated approving authority (daa) is also referred to as the accreditor.

8. 

Which is not a C&A role?

  1. IS program manager
  2. Certifier
  3. Vendor representative
  4. User representative

answer: c answer c is a distracter; the other answers are all c&a roles.

9. 

Which is not a NIACAP accreditation type?

  1. Site accreditation
  2. Process accreditation
  3. Type accreditation
  4. System accreditation

image from book

10. 

Which statement is not true about the Designated Approving Authority (DAA)?

  1. The DAA determines the existing level of residual risk and makes an accreditation recommendation.
  2. The DAA is the primary government official responsible for implementing system security.
  3. The DAA is an executive with the authority and ability to balance the needs of the system with the security risks.
  4. The DAA can grant an accreditation or an Interim Approval to Operate (IATO) or may determine that the system’s risks are not at an acceptable level and it is not ready to be operational.

image from book

11. 

Which statement is not true about the certification agent?

  1. The certifier provides the technical expertise to conduct the certification throughout the system’s life cycle based on the security requirements documented in the SSAA.
  2. The certifier determines the acceptable level of residual risk for a system.
  3. The certifier determines whether a system is ready for certification and conducts the certification process.
  4. The certifier should be independent from the organization responsible for the system development or operation.

image from book

12. 

What is the task of the certifier at the completion of the certification effort?

  1. To recommend to the DAA whether or not to accredit the system based on documented residual risk
  2. To provide details of the system and its life cycle management to the DAA
  3. To ensures that the security requirements are integrated in a way that will result in an acceptable level of risk
  4. To keep all NIACAP participants informed of life cycle actions, security requirements, and documented user needs

image from book

13. 

Which choice most accurately defines a user representative?

  1. The user representative is an executive with the authority and ability to balance the needs of the system with the security risks.
  2. The user representative is concerned with system availability, access, integrity, functionality, performance, and confidentiality as they relate to the mission environment.
  3. The user representative determines the acceptable level of residual risk for a system.
  4. The user representative is the primary government official responsible for implementing system security.

image from book

14. 

Which statement about certification and accreditation (C&A) is not correct?

  1. Certification is the comprehensive evaluation of the technical and nontechnical security features of an information system.
  2. C&A is optional for most federal agencies’ security systems.
  3. Accreditation is the formal declaration by a DAA approving an information system to operate.
  4. C&A consists of formal methods applied to ensure that the appropriate information system security safeguards are in place and that they are functioning per the specifications.

image from book

15. 

The DAA accreditation decision is made at the last step of which phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

image from book

16. 

If the DAA does not accredit the system, what happens?

  1. The C&A process reverts to Phase 1.
  2. The C&A process moves on to Phase 4.
  3. The C&A project is ended.
  4. The C&A stays in Phase 3 until the system is accredited.

image from book

17. 

What is the main purpose of the post-accreditation phase?

  1. To initiate the risk management agreement process among the four principals: the DAA, certifier, program manager, and user representative
  2. To continue to operate and manage the system so that it will maintain an acceptable level of residual risk
  3. To ensure that the SSAA properly and clearly defines the approach and level of effort
  4. To collect information and documentation about the system, such as capabilities and functions the system will perform

image from book

18. 

How long does Phase 4 last?

  1. Until the initial certification analysis determines whether the IS is ready to be evaluated and tested
  2. Until the DAA reviews the SSAA and makes an accreditation determination
  3. Until the information system is removed from service, a major change is planned for the system, or a periodic compliance validation is required
  4. Until the responsible organizations adopt the SSAA and concur that those objectives have been reached

image from book

19. 

Which policy document determines that all federal government departments and agencies establish and implement programs mandating the certification and accreditation (C&A) of national security systems under their operational control?

  1. DoD 8510.1-M, “Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual,” July 31, 2000
  2. FIPS PUB102, “Guidelines for Computer Security Certification and Accreditation,” September 27, 1983
  3. NSTISS Instruction (NSTISSI) No. 1000, “National Information Assurance Certification and Accreditation Process (NIACAP),” April 2000
  4. NSTISS Policy (NSTISSP) No. 6, “National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems,” April 8, 1994

image from book

20. 

Which of the following assessment methodologies defines a six-step comprehensive C&A?

  1. Federal Information Processing Standard (FIPS) 102
  2. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  3. Federal Information Technology Security Assessment Framework (FITSAF)
  4. INFOSEC Assessment Methodology (IAM)

image from book

21. 

What is the order of phases in a DITSCAP assessment?

  1. Verification, Definition, Validation, and Post Accreditation
  2. Definition, Verification, Validation, and Post Accreditation
  3. Definition, Validation, Verification, and Post Accreditation
  4. Validation, Definition, Verification, and Post Accreditation

image from book

Answers

1. 

Answer: c

The correct answer is c, Post-Certification. The SAP comprises four phases:

  • Phase 1: Pre-certification
  • Phase 2: Certification
  • Phase 3: Authorization
  • Phase 4: Post-Authorization

2. 

Answer: d

The ISSO is responsible to the DAA for ensuring that security is provided for and implemented throughout the life cycle of an AS from the beginning of the system concept development phase through its design, development, operation, maintenance, and secure disposal.

3. 

Answer: b

The correct answer is b, ISO/IEC 17799. ISO/IEC 154508 defines the Common Criteria; ICO/ICE 17799 is nonexistent.

4. 

Answer: c

The DIACAP process is expected to consist of five phases: Initiate and Plan IA C&A; Implement and Validate Assigned IA Controls; Make Certification Determination and Accreditation Decisions; Maintain Authority to Operate and Conduct Reviews; Decommission System.

5. 

Answer: c

Determining whether a system is ready for certification and conducting the certification process are tasks for the certifier. As noted in the SSAA, the user representative:

  • Is responsible for the identification of operational requirements
  • Is responsible for the secure operation of a certified and accredited IS (answer a)
  • Represents the user community (answer b)
  • Assists in the C&A process
  • Functions as the liaison for the user community throughout the life cycle of the system (answer d)
  • Defines the system’s operations and functional requirements
  • Is responsible for ensuring that the user’s operational interests are maintained throughout system development, modification, integration, acquisition, and deployment

6. 

Answer: c

The SSAA is used throughout the entire C&A process. After accreditation, the SSAA becomes the baseline security configuration document and is maintained during Phase 4.

7. 

Answer: b

The Designated Approving Authority (DAA) is also referred to as the accreditor.

8. 

Answer: c

Answer c is a distracter; the other answers are all C&A roles.

9. 

Answer: b

Answer c is a distracter; the NIACAP applies to each of the other three accreditation types and may be tailored to meet the specific needs of the organization and IS. A site accreditation (answer a) evaluates the applications and systems at a specific, self-contained location. A type accreditation (answer b) evaluates an application or system that is distributed to multiple locations. A system accreditation (answer c) evaluates a major application or general support system.

10. 

Answer: a

The certifier, not the DAA, determines the existing level of residual risk and makes the accreditation recommendation. The DAA determines the acceptable, not existing, level of risk for a system. The other answers about the DAA are true.

11. 

Answer: b

The DAA, not the certifier, determines the acceptable level of residual risk for a system and must have the authority to oversee the budget and IS business operations of systems under his or her purview. The other statements about the certifier are true.

12. 

Answer: a

At the completion of the certification effort, the certifier reports the status of certification and makes a recommendation to the DAA. The other answers are tasks assigned to the program manager.

13. 

Answer: b

The operational interests of system users are vested in the user representative. In the C&A process, the user representative is concerned with system availability, access, integrity, functionality, performance, and confidentiality as they relate to the mission environment. Users and their representative are found at all levels of an agency. The other answers are qualities of the DAA.

14. 

Answer: b

NSTISSP No. 6 establishes the requirement for federal departments and agencies to implement a C&A process for national security systems. The requirements of the NSTISSI No. 6 apply to all U.S. government executive branch departments, agencies, and their contractors and consultants. The other three answers are correct statements about C&A.

15. 

Answer: c, Phase 3.

After receipt of the certifier’s recommendation, the DAA reviews the SSAA and makes an accreditation determination. This determination is added to the SSAA. The final SSAA accreditation package includes the certifier’s recommendation, the DAA authorization to operate, and supporting documentation. The SSAA must contain all information necessary to support the certifier’s recommended decision, including security findings, deficiencies, risks to operation, and actions to resolve any deficiencies.

16. 

Answer: a

If the decision is made to not authorize the system to operate, the NIACAP process reverts to Phase 1, and the DAA, certifier, program manager, and user representative must agree to proposed solutions to meet an acceptable level of risk. The decision must state the specific reasons for denial and, if possible, provide suggested solutions.

17. 

Answer: b

Phase 4, post-accreditation, contains activities required to continue to operate and manage the system so that it will maintain an acceptable level of residual risk. Post-accreditation activities must include ongoing maintenance of the SSAA, system operations, security operations, change management, and compliance validation. The other answers relate to Phase 1.

18. 

Answer: c

Phase 4 continues until the information system is removed from service (decommissioned), undergoes major revisions, or requires a periodic compliance validation. The other answers are distracters.

19. 

Answer: d

NSTISSP No. 6 determines that all federal government departments and agencies establish and implement programs mandating the certification and accreditation (C&A) of national security systems under their operational control. These C&A programs must ensure that information processed, stored, or transmitted by national security systems is adequately protected for confidentiality, integrity, and availability.

20. 

Answer: a

The Federal Information Processing Standard (FIPS) 102, the Guideline for Computer Security Certification and Accreditation, is a comprehensive guide explaining how to establish a C&A program and execute a complete C&A.

FIPS 102 details a 6-step approach:

  1. Planning
  2. Data collection
  3. Basic evaluation
  4. Detailed evaluation
  5. Report of findings
  6. Accreditation

21. 

Answer: b

The DITSCAP phases are:

  • Phase 1, Definition
  • Phase 2, Verification
  • Phase 3, Validation
  • Phase 4, Post Accreditation

1. 

Which one of the following documents requires the development and maintenance of minimum controls to protect Federal information and information systems?

  1. NIST SP 800-30, “Risk Management Guide for Information Technology Systems”
  2. SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”
  3. The Federal Information Security Management Act (FISMA)
  4. FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”

image from book

2. 

FISMA charges which one of the following agencies with the responsibility of overseeing the security policies and practices of all agencies of the executive branch of the Federal government?

  1. Office of Management and Budget (OMB)
  2. National Institute of Standards and Technology (NIST)
  3. National Security Agency (NSA)
  4. Department of Justice

answer: a fisma charges the director of omb with those responsibilities.

3. 

NIST Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems,” defines the term assurance as:

  1. The requirement that information and programs are changed only in a specified and authorized manner
  2. The measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information
  3. The grounds for confidence that the security controls implemented within an information system are effective in their application
  4. The requirement that private or confidential information not be disclosed to unauthorized individuals

answer: c answer c addresses how well security controls function.

4. 

Which one of the following publications requires Federal agencies to review the security controls in their information systems and perform security accreditation?

  1. FIPS –199, “Standard for Security Categorization of Federal Information and Information Systems”
  2. OMB Circular A-130, Appendix III
  3. NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”
  4. NIST SP 800-30, “Risk Management Guide for Information Technology Systems”

answer: b omb circular a-130, appendix iii, imposes this requirement.

5. 

Which one of the following publications provides direction for each government agency in developing and implementing an agencywide information security program according to the FISMA requirements?

  1. NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”
  2. NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”
  3. NIST SP 800-30, “Risk Management Guide for Information Technology Systems”
  4. DoD Directive 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003

answer: a nist sp 800-37 provides this direction.

6. 

FISMA assigned the responsibility for developing standards to be used by all Federal agencies to categorize all information and information systems to which one of the following organizations?

  1. OMB
  2. NIST
  3. NSA
  4. DoD

image from book

7. 

Which publication categorizes information and information systems as part of the FISMA mandate?

  1. OMB Circular A-130, Appendix III
  2. NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”
  3. NIST SP 800-30 “Risk Management Guide for Information Technology Systems”
  4. FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”

image from book

8. 

FIPS Publication 199 defines three levels of potential impact to the compromise of confidentiality, integrity, and availability. These levels are:

  1. Minimum, Normal, Maximum
  2. Low, Moderate, High
  3. Unclassified, Confidential, Secret
  4. Confidential, Secret, Top Secret

image from book

9. 

Which one of the following best describes FIPS 199 security categories?

  1. A function of the potential strength of an information system when proper information assurance controls are applied
  2. A function of the potential weakness of an information system when proper information assurance controls are applied
  3. A function of the potential flexibility of an information system when different IT operations are performed
  4. A function of the potential impact on information or information systems as a result of threat realized exploiting a system vulnerability.

image from book

10. 

The general formula for categorization of an information type developed in FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems,” is which one of the following?

  1. SC information type = {(confidentiality, risk), (integrity, risk), (availability, risk)}
  2. SC information type = {(confidentiality, controls), (integrity, controls), (availability, controls)}
  3. SC information type = {(assurance, impact), (integrity, impact), (authentication, impact)}
  4. SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

image from book

11. 

In order to determine the security category (SC) for an information system, the potential impact values assigned to the security objectives of confidential, integrity, and availability must be which one of the following?

  1. The maximum values assigned among the security categories that have been assigned to the different types of information residing on the system
  2. The minimum values assigned among the security categories that have been assigned to the different types of information residing on the system
  3. The average of the values assigned among the security categories that have been assigned to the different types of information residing on the system
  4. None of the above

image from book

12. 

NIST SP 800-30, “Risk Management Guide for Information Technology Systems,” defines a term as “either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.” Which one of the following items is the term in the definition?

  1. Risk
  2. Impact
  3. Threat source
  4. Assurance

image from book

13. 

Impact is defined by NIST SP 800-30 as which one of the following?

  1. The magnitude of the vulnerability
  2. The magnitude of harm that could be caused by a threat’s exercise of vulnerability
  3. The magnitude of the risk
  4. The quality of the security controls on the system

image from book

14. 

NIST SP 800-30 includes threat identification, control analysis, likelihood determination, impact analysis, and control recommendations as components of which one of the following activities?

  1. Penetration testing
  2. Intrusion detection
  3. Risk assessment
  4. Vulnerability assessment

image from book

15. 

Hackers, computer criminals, terrorists, floods, tornadoes, and strikes are examples of:

  1. Threat-sources
  2. Vulnerabilities
  3. Risks
  4. Intrusions

image from book

16. 

What NIST document provides a questionnaire and checklist through which systems can be evaluated for compliance against specific control objectives?

  1. SP 800-30, “Risk Management Guide for Information Technology Systems”
  2. SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”
  3. SP 800-26, “Security Self-Assessment Guide for Information Technology Systems”
  4. FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”

image from book

17. 

Initiation, development and acquisition, implementation and installation, operational maintenance, and disposal are components of what activity?

  1. The system development life cycle (SDLC)
  2. The system engineering life cycle
  3. The capability maturity model (CMM)
  4. Risk management life cycle

image from book

18. 

The term ST&E stands for:

  1. System test and evaluation
  2. Security, timing, and evaluation
  3. Security, test, and evaluation
  4. System timing and evaluation

image from book

19. 

Which one of the following lists describes different types of penetration tests?

  1. Zero-knowledge test, partial-knowledge test, full-knowledge test
  2. Hard test, soft test, moderate test
  3. Complete test, partial test, minimal test
  4. Technical test, cursory test, partial-knowledge test

answer: a the answer a is correct. the other answers are made-up distracters.

20. 

FIPS Publication 199 defines three levels of potential impact to the compromise of confidentiality, integrity, and availability. Which one of the following statements taken from FIPS 199 describes a moderate level of impact on confidentiality?

  1. The unauthorized disclosure of information could be expected to have a serious adverse affect on organizational operations, organizational assets, or individuals.
  2. The unauthorized modification or destruction of information could be expected to have a limited adverse affect on organizational operations, organizational assets, or individuals.
  3. The disruption of access to or the use of information or an information system could be expected to have a serious adverse affect on organizational operations, organizational assets, or individuals.
  4. The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse affect on organizational operations, organizational assets, or individuals.

image from book

21. 

The definition “All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected” taken from NIST SP 800-37 refers to which one of the following terms?

  1. Assurance boundary
  2. Assurance perimeter
  3. Testing perimeter
  4. Accreditation boundary

image from book

22. 

Which activity referred to in OMB Circular A-130 has to consider legal liability issues resulting from omissions and errors, failure to exercise due care in the operation of an information system, and unauthorized disclosure, modification, or destruction of data?

  1. Risk avoidance
  2. Risk management
  3. Testing
  4. Dry run

image from book

23. 

What NIST Special Publication provides guidance in the selection and configuration of security controls for Federal information systems?

  1. NIST SP 800-42
  2. NIST SP 800-30
  3. NIST SP 800-53
  4. NIST SP 800-57

answer: c the correct answer is c, recommended security controls for federal information systems

24. 

Which one of the following NIST publications links to SP 800-53 and specifies minimum security requirements for information systems, including access control, awareness and training, configuration management, and personnel security?

  1. NIST SP 800-30, “Risk Management Guide for Information Technology Systems”
  2. NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”
  3. NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”
  4. FIPS 200 standard, “Minimum Security Requirements for Federal Information and Federal Information Systems”

image from book

25. 

The Security Controls of NIST SP 800-53 are organized into which three classes?

  1. Physical, operational, technical
  2. Management, operational, technical
  3. Personnel, operational, technical
  4. Management, physical, technical

image from book

26. 

If AC represents the Access Control family in NIST SP 800-53, what does AC-15 denote?

  1. The 15th control of the Access Control Family
  2. The 15th class of the Access Control Family
  3. The 15th field of the Access Control Family
  4. None of the above

image from book

27. 

The control structure in NIST SP 800-53 comprises three parts. Which one of the following is the correct listing of the three parts?

  1. Management section, supplemental guidance section, control enhancements section
  2. Management section, technical section, control enhancements section
  3. Control section, technical section, control enhancements section
  4. Control section, supplemental guidance section, control enhancements section

image from book

28. 

A description of one element of the access control family listed in NIST SP 800-53 is LOW AC-17, MOD AC-17 (1) (2) (3), HIGH AC-17 (1) (2) (3) for low-impact, moderate-impact, and high-impact information systems, based on FIPS 199. What do the terms in parentheses represent?

  1. Basic controls implementing access control in the family
  2. Control enhancements adding to the functionality or increasing the strength of a basic control
  3. Basic controls implementing access control in the class
  4. The quality of the security controls on the system

image from book

29. 

The security certification and accreditation process comprises which one of the following sets of phases?

  1. Establishment, security certification, security accreditation, and continuous monitoring
  2. Initiation, security certification, security accreditation, and maintenance
  3. Initiation, security certification, security accreditation, and continuous monitoring
  4. Initiation, security certification, security accreditation, and operation

image from book

30. 

NIST SP 800-53 defines a term as “the grounds for confidence that the security controls implemented within an information system are effective in their application.” Which one of the following is that term?

  1. Threat source
  2. Vulnerability
  3. Assurance
  4. Evaluation

image from book

31. 

A set of security controls that is applicable to a number of information systems in an organization is called:

  1. Common security controls
  2. System-specific security controls
  3. Hybrid security controls
  4. Special security controls

image from book

32. 

In the certification and accreditation process, a plan must be developed that outlines the information system security requirements and associated planned and existing controls. This plan is called:

  1. Common security control plan
  2. The general project plan
  3. The system security plan
  4. The special control plan

image from book

33. 

The security accreditation package comprises which one of the following sets of items?

  1. The general project plan, security assessment report, plan of action, and milestones
  2. The system security plan, security assessment report, plan of action, and milestones
  3. The special security plan, security assessment report, plan of action, and milestones
  4. System security plan, technical operations report, plan of action, and milestones

image from book

Answers

1. 

Answer: c

Development and maintenance of these controls is one of the four prime directives of FISMA, Title III of the E-Government Act of 2002.

2. 

Answer: a

FISMA charges the Director of OMB with those responsibilities.

3. 

Answer: c

Answer c addresses how well security controls function.

4. 

Answer: b

OMB Circular A-130, Appendix III, imposes this requirement.

5. 

Answer: a

NIST SP 800-37 provides this direction.

6. 

Answer: b

The correct answer is b, NIST. FISMA also assigned to NIST the responsibility for developing guidelines recommending the types of information and information systems to be included in each security category and the minimum information security requirements.

7. 

Answer: d

8. 

Answer: b

9. 

Answer: d

10. 

Answer: d

11. 

Answer: a

12. 

Answer: c

13. 

Answer: b

14. 

Answer: c

15. 

Answer: a

16. 

Answer: c

17. 

Answer: a

18. 

Answer: c

19. 

Answer: a

The answer a is correct. The other answers are made-up distracters.

20. 

Answer: a

The answer a is correct. Answer b refers to a low impact on integrity, answer c refers to moderate impact on availability, and answer d refers to a high impact on confidentiality.

21. 

Answer: d

The correct answer is d, accreditation boundary. The other answers are made-up distracters.

22. 

Answer: b

23. 

Answer: c

The correct answer is c, “Recommended Security Controls for Federal Information Systems”

24. 

Answer: d

25. 

Answer: b

26. 

Answer: a

27. 

Answer: d

28. 

Answer: b

29. 

Answer: c

30. 

Answer: c

31. 

Answer: a

The correct answer is a, common security controls. Controls that are not defined as common to a number of information systems are defined as system-specific.

32. 

Answer: c

33. 

Answer: b

1. 

Which choice best describes DITSCAP Phase 1, Definition?

  1. The objective of Phase 1 is to ensure the fully integrated system will be ready for certification testing.
  2. The objective of Phase 1 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system (accreditation or Interim Approval to Operate [IATO]).
  3. The objective of Phase 1 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.
  4. The objective of Phase 1 is to ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk.

image from book

2. 

Which is not an activity in DITSCAP Phase 2?

  1. System Development and Integration
  2. Initial Certification Analysis
  3. Refine the SSAA
  4. Negotiation

answer: d negotiation is a phase 1 activity. the other three are the phase 2 activities.

3. 

Which is not an activity in DITSCAP Phase 1?

  1. Preparation
  2. Initial Certification Analysis
  3. Registration
  4. Negotiation

image from book

4. 

According to NIST 800-37, which of the following subtasks does not belong to the Security Certification Phase?

  1. Present the accreditation recommendation to the DAA
  2. Prepare the security certification documentation
  3. Gather the documentation
  4. Perform the security control assessment

image from book

5. 

Which of the following is not a good description of the goal of the C&A Certification Phase?

  1. To determine how well the information system security controls are implemented
  2. To determine whether the information system security controls are meeting the security requirements for the system
  3. To produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system
  4. To determine whether the information system security controls are operating as intended

image from book

6. 

Which choice is not an objective of the security control assessment task?

  1. Document the results of the assessment
  2. Organize and track the security requirements of the target system to be accredited
  3. Prepare for the assessment of the security controls in the information system
  4. Conduct the assessment of the security controls

image from book

7. 

The acronym RTM refers to what?

  1. Resource Tracking Method
  2. Requirements Traceability Matrix
  3. Requirements Testing Matrix
  4. Requirements Testing Milestone

answer: b the acronym rtm refers to requirements traceability matrix.

8. 

The SSAA is the product of which DITSCAP phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

answer: a the product of the ditscap phase 1 is the system security authorization agreement.

9. 

What is the primary purpose of the RTM?

  1. To establish an evolving yet binding agreement on the level of security required
  2. To organize and track the security requirements of the target system to be accredited
  3. To produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system
  4. To determine whether the information system security controls are operating as intended

image from book

10. 

In which DITSCAP phase is the RTM developed?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

image from book

11. 

What is the primary purpose of the SSAA?

  1. To determine whether the information system security controls are operating as intended
  2. To organize and track the security requirements of the target system to be accredited
  3. To determine how well the information system security controls are implemented
  4. To establish an evolving yet binding agreement on the level of security required before the system development begins or changes to a system are made

image from book

12. 

In which DITSCAP phase is the SSAA developed?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

image from book

13. 

What is the overall goal of the DITSCAP Phase 2?

  1. To track whether and how all security requirements are being met by the system
  2. To prepare the Plan of Action and Milestones document
  3. To obtain a fully integrated system for certification testing and accreditation
  4. To assist in the development of test scripts for the ST&E

image from book

14. 

Which of the following is not an example of a DITSCAP Phase 2 process activity?

  1. Certification analysis
  2. System development
  3. Document Mission Need
  4. Continuing refinement of the SSAA

image from book

15. 

Which choice is not an example of an Initial Certification Analysis task?

  1. Verify that the system architecture complies with the architecture description in the SSAA
  2. Verify that change control and configuration management practices are in place
  3. Evaluate the integration of COTS or GOTS software
  4. Assist in the development of test scripts for the System Test and Evaluation (ST&E)

image from book

16. 

What is the purpose of the Initial Certification Analysis?

  1. To organize and track the security requirements of the target system to be accredited
  2. To support the documentation that all system security requirements have been met in the accreditation phase of the C&A
  3. To assist in the development of test scripts for the System Test and Evaluation (ST&E)
  4. To determine whether the system is ready to be evaluated and tested under Phase 3 of the Accreditation Phase

image from book

17. 

What role would commonly be in charge of preparing the Action Plan?

  1. The DAA
  2. The Information System Owner
  3. The Certification Agent
  4. The User Representative

answer: b the information system owner prepares the plan of action and milestones document.

18. 

What choice is the best description of the DAA?

  1. The interests of the system’s users are vested in the DAA.
  2. The DAA defines the system level security requirements.
  3. The DAA provides the technical expertise to conduct the certification.
  4. The DAA is responsible for carrying out the Chief Information Officer responsibilities under FISMA.

image from book

19. 

In what role resides the final accreditation decision?

  1. The DAA
  2. The Information System Owner
  3. The Certification Agent
  4. The User Representative

image from book

20. 

Which choice is not a use for the SSAA?

  1. To document the formal agreement among the DAA(s), the CA, the user representative, and the program manager
  2. To document a commander’s assumptions or intent in regard to an IS and how it relates to the concept of operations embodied in campaign plans and operational plans
  3. To document all requirements necessary for accreditation
  4. To document the DITSCAP plan

answer: b answer b is a description of the concept of conops.

Answers

1. 

Answer: c

Phase 1, Definition, is focused on understanding the IS business case, environment, and architecture to determine the security requirements and level of effort necessary to achieve certification and accreditation. The objective of Phase 1 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required. Answer a describes the objectives of Phase 2. Answer b describes the objectives of Phase 3. Answer d describes the objectives of Phase 4.

2. 

Answer: d

Negotiation is a Phase 1 activity. The other three are the Phase 2 activities.

3. 

Answer: b

Initial Certification Analysis is a Phase 2 activity. The other three are the Phase 1 activities.

4. 

Answer: a

Presenting the accreditation recommendation to the DAA is a function of the Accreditation Phase.

5. 

Answer: c

Answer c describes the goal of the Accreditation Phase. The goal of the Certification Phase is to determine how well the information system security controls are implemented, if they are operating as intended, and if the controls are meeting the security requirements for the system.

6. 

Answer: b

The RTM is used to organize and track the security requirements of the target system to be accredited. The other three choices are all objectives of the security control assessment task.

7. 

Answer: b

The acronym RTM refers to Requirements Traceability Matrix.

8. 

Answer: a

The product of the DITSCAP Phase 1 is the System Security Authorization Agreement.

9. 

Answer: b

The RTM is used to organize and track the security requirements of the target system to be accredited. It is commonly part of the SSAA as an addendum.

10. 

Answer: a

In DITSCAP, the RTM is developed in the requirements gathering phase, which is a subtask of Phase 1.

11. 

Answer: d

The objective of the SSAA is to establish an evolving yet binding agreement on the level of security required before the system development begins or changes to a system are made. It’s a formal agreement between the DAA, the CA, the user representative, and the program manager.

12. 

Answer: a

The SSAA is developed in Phase 1 and updated in each phase as new information becomes available.

13. 

Answer: c

The goal of Phase 2 is to obtain a fully integrated system for certification testing and accreditation, to allow the process to proceed to Phase 3.

14. 

Answer: c

Phase 2 consists of those process activities that occur between the signing of the initial version of the SSAA and the formal C&A of the system. Document Mission Need is the first subtask of DITSCAP Phase 1.

15. 

Answer: d

“Assist in the development of test scripts for the System Test and Evaluation (ST&E)” is one of the purposes of the RTM.

16. 

Answer: d

The initial certification analysis determines whether the IS is ready to be evaluated and tested under Phase 3. The other three choices are uses for the RTM.

17. 

Answer: b

The Information System Owner prepares the Plan of Action and Milestones Document.

18. 

Answer: b

The DAA represents the interests of mission need, controls the operating environment, and defines the system level security requirements. Choice a describes the User Representative; choice c, the Certification Agent; and choice d, the Information Security Officer.

19. 

Answer: a

Only the DAA (or Authorizing Official) can grant the accreditation, grant an Interim Approval to Operate (IATO), or determine that the system’s risks are not at an acceptable level and it is not ready to be operational.

20. 

Answer: b

Answer b is a description of the concept of CONOPS.

1. 

What happens to the SSAA after the DITSCAP accreditation?

  1. The SSAA becomes the baseline security configuration document.
  2. The SSAA is discarded as the project is finished.
  3. The SSAA cannot be reviewed or changed.
  4. The ISSO can revise the SSAA independently.

image from book

2. 

Which choice best describes DITSCAP Phase 3, Accreditation?

  1. The objective of Phase 3 is to ensure that the fully integrated system will be ready for certification testing.
  2. The objective of Phase 3 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.
  3. The objective of Phase 3 is to ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk.
  4. The objective of Phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system (accreditation or Interim Approval to Operate [IATO]).

image from book

3. 

During which DITSCAP phase does the Security Test and Evaluation (ST&E) occur?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

answer: c the security test and evaluation (st&e) is a major activity in phase 3.

4. 

What does DATO refer to?

  1. The information system is accredited without any restrictions or limitations.
  2. A determination that a DoD information system cannot operate.
  3. A limited authorization under specific terms and conditions.
  4. A temporary approval to conduct system testing.

image from book

5. 

Which of the following choices is the best description of IATO?

  1. A determination that a DoD information system cannot operate.
  2. The agency-level risk is unacceptably high for accreditation.
  3. The information system is accredited without any restrictions or limitations on its operation.
  4. A limited authorization under specific terms and conditions, which include corrective actions to be taken and a required timeframe for completion of those actions.

image from book

6. 

Which choice is the best description of the objective of the Security Accreditation Decision task?

  1. To accredit the information system without any restrictions or limitations on its operation
  2. To indicate the DAA’s accreditation decision
  3. To determine whether the agency-level risk is acceptable
  4. To approve revisions to the SSAA

image from book

7. 

Which choice is not a responsibility of the ISSO during DITSCAP Phase 4?

  1. Obtaining approval of security-relevant changes
  2. Documenting the implementation of security-relevant changes in the SSAA
  3. Approving revisions to the SSAA
  4. Determining the extent that a change affects the security posture of the information system

image from book

8. 

Which choice best describes the final security accreditation decision letter?

  1. The accreditation decision letter documents the implementation of security-relevant changes in the SSAA.
  2. The accreditation decision letter deems that the agency-level risk is unacceptably high.
  3. The accreditation decision letter indicates to the information system owner the DAA’s accreditation decision.
  4. The accreditation decision letter determines whether the remaining known vulnerabilities in the information system pose an acceptable level of risk.

image from book

9. 

Change management is initiated under which phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

image from book

10. 

Why would the DAA issue an accreditation determination of Not Authorized (NA)?

  1. If the system requires more testing to determine the level of risk.
  2. If the DAA deems that the agency-level risk is unacceptably high.
  3. If the system is mission-critical and requires an interim authority to operate.
  4. The information system is always accredited without any restrictions or limitations on its operation.

image from book

11. 

Which choice is the best definition of the DIACAP Interim Approval to Test (IATT) accreditation determination?

  1. It’s a temporary approval to conduct system testing.
  2. It’s a temporary approval to operate.
  3. It’s a denial of approval to operate.
  4. No such accreditation determination exists.

image from book

12. 

Which of the following best describes the objective of the Security Test and Evaluation (ST&E)?

  1. The objective of the ST&E is to update the SSAA to include changes made during system development and the results of the certification analysis.
  2. The objective of the ST&E is to evaluate the integration of COTS software, hardware, and firmware.
  3. The objective of the ST&E is to verify that change control and configuration management practices are in place.
  4. The objective of the ST&E is to assess the technical implementation of the security design.

image from book

13. 

Who makes the final accreditation decision?

  1. ISSO
  2. CA
  3. Information System Owner
  4. DAA

image from book

14. 

Penetration Testing is part of which DITSCAP phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

image from book

15. 

Which choice is the best description of the purpose of the Security Accreditation Phase?

  1. To assesses the system’s ability to withstand intentional attempts to circumvent system security features by exploiting technical security vulnerabilities
  2. To determine whether the remaining known vulnerabilities in the information system pose an acceptable level of risk
  3. To conduct a final risk assessment by the Information System Owner
  4. To help prepare the final security accreditation decision letter

image from book

16. 

SSAA maintenance continues under which phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

image from book

17. 

How many determination options does the authorizing official have in a DIACAP process?

  1. 2
  2. 3
  3. 4
  4. 5

image from book

18. 

How many levels of certification does NIACAP specify to ensure that the appropriate C&A is performed for varying schedule and budget limitations?

  1. Two
  2. Three
  3. Four
  4. Five

image from book

19. 

Which choice is the best description of DIACAP residual risk?

  1. The remaining risk to the information system after risk mitigation has occurred.
  2. To assess the technical implementation of the security design.
  3. The information system is not authorized for operation and is not accredited.
  4. Authorization to operate the information system.

image from book

20. 

Which choice is not an accreditation decision the DITSCAP DAA can make?

  1. ATO
  2. IATO
  3. NCO
  4. NA

image from book

21. 

When does the DAA make the accreditation determination?

  1. After reviewing all the relevant information and consulting with key agency officials
  2. Before determining the acceptability of the risk to the agency
  3. After preparing the final security accreditation decision letter
  4. After the Information System Owner updates the system security plan

image from book

Answers

1. 

Answer: a

After accreditation, the SSAA becomes the baseline security configuration document. Phase 4 involves ongoing review of the SSAA to ensure it remains current. The user representative, DAA, certifier, and program manager must approve revisions to the SSAA. On approval, the necessary changes to the mission, environment, and architecture are documented in the SSAA.

2. 

Answer: d

Phase 3, Validation, validates compliance of the fully integrated system with the security policy and requirements stated in the SSAA. The objective of Phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system. Answer a describes the objectives of Phase 2. Answer b describes the objectives of Phase 1. Answer c describes the objectives of Phase 4.

3. 

Answer: c

The Security Test and Evaluation (ST&E) is a major activity in Phase 3.

4. 

Answer: b

DIACAP’s Denial of Approval to Operate (DATO) is a determination that a DoD information system cannot operate because of an inadequate IA design or failure to implement assigned IA controls.

5. 

Answer: d

If the DAA deems that the agency-level risk is unacceptable, but there is an important mission-related need to place the information system into operation, an Interim Authorization to Operate (IATO) may be issued.

The IATO is a limited authorization under specific terms and conditions, which include corrective actions to be taken by the information system owner and a required time frame for completion of those actions.

6. 

Answer: c

The objective of the Security Accreditation Decision task is to determine the risk to agency operations, agency assets, or individuals and determine whether the agency-level risk is acceptable.

7. 

Answer: c

The user representative, DAA, certifier, and program manager must approve revisions to the SSAA. The ISSO is responsible for:

  • Determining the extent that a change affects the security posture of either the information system or the computing environment
  • Obtaining approval of security-relevant changes
  • Documenting the implementation of that change in the SSAA and site operating procedures
  • Forwarding changes that significantly affect the system security posture to the DAA, certifier, user representative, and program manager

8. 

Answer: c

The accreditation decision letter indicates to the information system owner whether the system is authorized to operate (ATO), authorized to operate on an interim basis under strict terms and conditions (IATO), or not authorized to operate (NA).

9. 

Answer: d

After an IS is approved for operation in a specific computing environment, changes to the IS and the computing environment must be controlled. Although changes may adversely affect the overall security posture of the infrastructure and the IS, change is ongoing as it responds to the needs of the user and new technology developments. As the threats become more sophisticated or focused on a particular asset, countermeasures must be strengthened or added to provide adequate protection. Therefore, change management is required to maintain an acceptable level of residual risk.

10. 

Answer: b

If the DAA deems that the agency-level risk is unacceptable, the information system is not authorized for operation and is not accredited.

The DAA must consider many factors when deciding whether the risk is acceptable, such as balancing security considerations with mission and operational needs.

11. 

Answer: a

In DIACAP, the Interim Approval to Test (IATT) accreditation determination is temporary approval to conduct system testing based on an assessment of the implementation status of the assigned IA controls. Choice b describes IATO, and choice c describes DATO.

12. 

Answer: d

The objective of the ST&E is to assess the technical implementation of the security design; to ascertain that security software, hardware, and firmware features affecting confidentiality, integrity, availability, and accountability have been implemented as documented in the SSAA; and that the features perform properly. ST&E validates the correct implementation of identification and authentication, audit capabilities, access controls, object reuse, trusted recovery, and network connection rule compliance. The other answers are distracters.

13. 

Answer: d.

The DAA renders his or her accreditation decision after reviewing all the relevant information and consulting with key agency officials.

14. 

Answer: c

Penetration testing assesses the system’s ability to withstand intentional attempts to circumvent system security features by exploiting technical security vulnerabilities. Penetration testing may include insider and outsider penetration attempts based on common vulnerabilities for the technology being used.

15. 

Answer: b

The purpose of the Security Accreditation Phase is to determine whether the remaining known vulnerabilities in the information system pose an acceptable level of risk to agency operations, agency assets, or individuals.

16. 

Answer: d

Phase 4 involves ongoing review of the SSAA to ensure that it remains current. The user representative, DAA, certifier, and program manager must approve revisions to the SSAA. On approval, the necessary changes to the mission, environment, and architecture are documented in the SSAA.

17. 

Answer: c

In DIACAP, the DAA or other authorizing official issues one of four accreditation determinations:

  • Approval to Operate (ATO)
  • Interim Approval to Operate (IATO)
  • Interim Approval to Test (IATT)
  • Denial of Approval to Operate (DATO)

18. 

Answer: c

NIACAP has four levels of certification to ensure that the appropriate C&A is performed for varying schedule and budget limitations. To determine the appropriate level of certification, the certifier must analyze the system’s business functions; national, departmental, and agency security requirements; criticality of the system to the organizational mission; software products; computer infrastructure; the types of data processed by the system, and types of users. The levels are as follows:

  • Level 1 - Basic Security Review
  • Level 2 - Minimum Analysis
  • Level 3 - Detailed Analysis
  • Level 4 - Comprehensive Analysis

19. 

Answer: a

DIACAP describes residual risk as the risk remaining after risk mitigation has occurred (i.e., application of countermeasures, security controls, or the implementation of corrective actions).

20. 

Answer: c

The DITSCAP DAA issues one of three accreditation determinations: Authorization to Operate (ATO), Interim Authorization to Operate (IATO), or Not Authorized (NA).

21. 

Answer: a

The DAA renders the accreditation decision after reviewing all the relevant information and consulting with key agency officials.

1. 

“Continuously observing and evaluating the information system security controls during the system life cycle to determine whether changes have occurred that will negatively impact the system security” best describes which process in the certification and accreditation methodology?

  1. Continuous monitoring
  2. Continuous improvement
  3. Continuous management
  4. Continuous development

answer: a the answer a is correct. the other answers are distracters.

2. 

Which one of the following activities is not a component of the continuous monitoring process?

  1. Operation and maintenance
  2. Security control monitoring and impact analyses
  3. Status reporting and documentation
  4. Configuration management and control

image from book

3. 

Which one of the following publications provides details of the continuous monitoring process?

  1. NIST SP 800-14
  2. NIST SP 800-42
  3. NIST SP 800-37
  4. NIST SP 800-41

image from book

4. 

Which one of the following best describes when continuous monitoring takes place?

  1. Before the initial system certification
  2. After the initial system security accreditation
  3. Before and after the initial system security accreditation
  4. During the system design phase

image from book

5. 

Which one of the following questions is not asked as part of the continuous monitoring process?

  1. Could any of the changes to the information system affect the current, identified vulnerabilities in the system or introduce new vulnerabilities into the system?
  2. If new vulnerabilities are introduced into an information system, would the resulting risk to agency operations, agency assets, or individuals be unacceptable?
  3. What maintenance schedule should be followed during the operation/maintenance phase of the information system?
  4. When will the information system need to be reaccredited in accordance with federal or agency policy?

answer: c answers a, b, and d are the three questions asked in nist sp 800-37.

6. 

In configuration management and control, if necessary, updates have to be made to which of the following documents?

  1. System security plan
  2. System security plan and plan of action and milestones
  3. Plan of action and milestones
  4. System deficiency report and plan of action and milestones

image from book

7. 

Which one of the following documents should report progress made on the current outstanding items and address vulnerabilities in the information system discovered during the security impact analysis or security control monitoring?

  1. Plan of action and milestones
  2. System security plan
  3. System security plan and plan of action and milestones
  4. System deficiency plan

image from book

8. 

What process should be initiated when changes to the information system negatively impact the security of the system or when a period of time has elapsed as specified by agency or federal policy?

  1. Incident response
  2. Systems engineering
  3. Reaccreditation
  4. Reclassification of data

image from book

9. 

What course of action is recommended when it is not feasible or possible to continuously monitor the entirety of security controls in an information system?

  1. Begin the reaccreditation process
  2. Begin the recertification process
  3. Enter the system development life cycle (SDLC)
  4. Select subsets of controls and monitor them at intervals

image from book

10. 

Selecting controls to be monitored can be best aided by what document?

  1. FIPS 199
  2. NIST SP 800-37
  3. FISMA
  4. NIST SP 800-18

image from book

11. 

What document provides a standard approach to the assessment of NIST SP 800-53 security controls?

  1. FIPS 199
  2. NIST SP 800-53A
  3. NIST SP 800-30
  4. NIST SP 800-66

image from book

12. 

Appendix D of NIST SP 800-53A describes what three basic types of assessment methods?

  1. The interview, the examination, and testing
  2. The interview, the validation, and testing
  3. The interview, the examination, and remediation
  4. The interview, the verification, and testing

answer: a the answer a is correct. the other answers are made-up distracters.

13. 

NIST SP 800-53A defines which of the following three types of interviews, depending on the level of assessment conducted?

  1. Initial, substantial, comprehensive
  2. Abbreviated, substantial, comprehensive
  3. Abbreviated, moderate, comprehensive
  4. Abbreviated, substantial, detailed

answer: b the answer b is correct. the other answers are made-up distracters.

14. 

What NIST SP 800-53A assessment method is used to review, inspect, and analyze assessment objects such as polices, plans, requirements, designs, hardware, firmware, and security activities to determine the effectiveness of information system security controls?

  1. Verification
  2. Interview
  3. Examination
  4. Validation

answer: c the correct answer is c, examination, by definition.

15. 

Observing or conducting the operation of physical devices, hardware, software, and firmware and determining whether they exhibit the desired and expected behavior describes what type of SP 800-53A assessment method?

  1. Examination
  2. Testing
  3. Validation
  4. Remediation

image from book

16. 

In continuous monitoring, tracking of proposed or actual changes to the information system, including operating system patches, hardware, software, and firmware is called:

  1. Systems engineering
  2. The system development life cycle (SDLC)
  3. Configuration management and controls
  4. Security categorization

answer: c the correct answer is c, by definition.

17. 

Determination of the effect of changes to the information system on the security of the information system is called:

  1. Validation analysis
  2. Verification
  3. Impact analysis
  4. Continuous improvement

answer: c the correct answer is c, by definition.

18. 

Who is responsible for monitoring the information system environment for factors that can potentially negatively impact the security of the system and its accreditation?

  1. The information system owner
  2. Chief information officer (CIO)
  3. The user
  4. Accrediting officer

answer: a the correct answer is a, the information system owner.

19. 

Which of the following items are types of factors that can potentially negatively impact the security of the system and its accreditation?

  1. Legal
  2. Human-initiated
  3. Weather-related
  4. All the above

image from book

20. 

What guidance document is useful in determining the impact level of a particular threat on agency systems?

  1. FIPS 199
  2. NIST SP 800-53
  3. NIST SP 800-14
  4. NIST SP 800-41

image from book

21. 

Documentation is an important part of continuous monitoring. In this context, documentation comprises which of the following activities?

  1. Making changes to the security plan that address any changes or proposed changes to the information system
  2. Updating the plan of action and milestones
  3. Establishing the accreditation boundary
  4. a and b

image from book

22. 

As part of the documentation process, reports are usually sent to which of the following personnel in the agency?

  1. Authorizing official
  2. Authorizing official and senior agency information security officer
  3. Senior agency information security officer
  4. User

image from book

23. 

In continuous monitoring, what personnel will normally be using the updated plans in the documentation report to guide future assessment activities?

  1. The senior agency information security officer
  2. The authorizing official
  3. The information system owner and security assessor
  4. All the above

answer: d all these personnel will be involved in planning future assessment activities.

24. 

The frequency of generating the system security plan and the plan of action and milestones is at the discretion of which of the following personnel?

  1. The authorizing official
  2. The information system owner
  3. The agency information system security officer
  4. All the above

image from book

25. 

Generating the system security plan and plan of action and milestones should be done at what frequency?

  1. Every three months
  2. Reasonable intervals to ensure that significant changes to the security posture of the information system are reported
  3. At the discretion of the authorizing official
  4. Every three years

answer: b the frequency of plan generation is at the discretion of the information system owner.

26. 

Who determines whether a security reaccreditation is required after reviewing the plan of actions and milestones?

  1. The senior information system security officer
  2. The authorizing official
  3. The senior information security officer and the authorizing official
  4. The information system owner

image from book

27. 

The following events are used to determine whether which activity has to be initiated?

  • Modifications to the information system have negatively impacted the system security controls.
  • Modifications to the information system have introduced new vulnerabilities into the system.
  • A specified time period has elapsed, requiring the information system to be reauthorized in accordance with federal or agency policy (typically 3 years).
  • The risk to agency operations, agency assets, or individuals has been increased.
  1. Reaccreditation
  2. Maintenance
  3. Peer review
  4. Security categorization

answer: a any of these events makes reaccredidation necessary.

28. 

Continuous monitoring documentation reports are also used to meet which one of the following reporting requirements?

  1. NIST
  2. FISMA
  3. HIPAA
  4. FBI

image from book

29. 

Power failures, floods, earthquakes, and sabotage are examples of what types of events?

  1. Events that can potentially negatively impact the security of the system and its accreditation
  2. Events that cannot be taken into consideration during the impact analysis process
  3. Events that are out of one’s control and, therefore, cannot be accounted for in risk analysis
  4. Events for which the associated risk can be reduced to zero if proper precautions are taken

image from book

30. 

NIST SP 800-53A defines a form of testing as one that “assumes (some) explicit knowledge of the internal structure of the item under assessment (e.g., low-level design, source code implementation representation).” Which one of the following items is that form of testing?

  1. Validation
  2. Black-box
  3. Structural
  4. Evaluation

image from book

31. 

What are the types of assessment tests addressed in NIST SP 800-53A?

  1. Functional, structural, penetration
  2. Functional, evaluation, penetration
  3. Validation, structural, black-box
  4. Validation, structural, penetration

image from book

32. 

A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under no constraints, attempt to circumvent the security features of an information system is defined in NIST SP 800-53A as what type of test?

  1. Validation test
  2. Functional test
  3. Structural test
  4. Penetration test

image from book

33. 

In the continuous monitoring examination assessment method, three examination depth levels are defined in NIST SP 800-53A. The definition “examinations that consist of brief, high-level reviews, observations, or inspections of selected specifications, mechanisms, or activities associated with the security control being assessed using a limited body of evidence or documentation” refers to which one of the following examination assessment types?

  1. Functional
  2. Abbreviated
  3. Substantial
  4. Comprehensive

image from book

Answers

1. 

Answer: a

The answer a is correct. The other answers are distracters.

2. 

Answer: a

Operation/maintenance is a component of the system development life cycle (SDLC) and is not one of the elements of continuous monitoring.

3. 

Answer: c

Answer c, NIST SP 80-37 “Guide for the Security Certification and Accreditation of Federal Information Systems,” is correct. NIST 800-14, “Generally Accepted Principles and Practices for Securing Information Technology” (answer a) lists eight principles for securing information technology systems and 14 security practices. NIST SP 800-42 (answer b) is the “Guideline on Network Security Testing,” and NIST SP 800-41 (answer d) provides “Guidelines on Firewalls and Firewall Policy.”

4. 

Answer: b

Continuous monitoring is aimed at determining whether any changes have occurred to the information system security posture following the initial system certification.

5. 

Answer: c

Answers a, b, and d are the three questions asked in NIST SP 800-37.

6. 

Answer: b

The system security plan and the plan of action and milestones are the documents that may have to be updated. Answer d is a made up distracter.

7. 

Answer: a

8. 

Answer: c

The information system should be reaccredited because new vulnerabilities have been found that are not adequately protected by existing security control mechanisms.

9. 

Answer: d

The answer d is correct. Answers a and b are incorrect because, at this stage, it has not yet been determined whether new vulnerabilities have been exposed. The controls have to be monitored first. Answer c is a made-up distracter.

10. 

Answer: a

FIPS 199 security categories can be used to identify elements that are most critical to the organization and the corresponding security controls that, if compromised, would result in the most damage to the system.

11. 

Answer: b

NIST SP 800-53A (answer b) is the “ Guide for Assessing the Security Controls in Federal Information Systems.” FIPS 199 (answer a) provides guidelines for security categorizations; SP 800-30 (answer c) delineates guidelines for risk management; and NIST SP 800-66 (answer d,) is the “Introductory Resource Guide for Implementing the HIPAA Security Rule.”

12. 

Answer: a

The answer a is correct. The other answers are made-up distracters.

13. 

Answer: b

The answer b is correct. The other answers are made-up distracters.

14. 

Answer: c

The correct answer is c, examination, by definition.

15. 

Answer: b

The answer b, testing, is correct. Answer a, examination, is another SP 800-53A assessment method, and answers c and d are made-up distracters.

16. 

Answer: c

The correct answer is c, by definition.

17. 

Answer: c

The correct answer is c, by definition.

18. 

Answer: a

The correct answer is a, the information system owner.

19. 

Answer: d

20. 

Answer: a

FIPS 199, (answer is a) is the “Standard for Security Categorization of Federal Information Systems.” The categories of FIPS 199 provide the framework for determining the impact level of specific threats. NIST SP 800-53 (answer b) is the “Recommended Security Controls for Federal Information Systems; NIST 800-14 (answer c) is “Generally Accepted Principles and Practices for Securing Information Technology,” which lists eight principles for securing information technology systems and 14 security practices. NIST SP 800-41 (answer d) which provides “Guidelines on Firewalls and Firewall Policy.”

21. 

Answer: d

Documentation includes both making changes to the security plan that address any changes or proposed changes to the information system and updating the plan of action and milestones.

22. 

Answer: b

The documentation report should be sent to the authorizing official and senior agency information security officer on a regular basis.

23. 

Answer: d

All these personnel will be involved in planning future assessment activities.

24. 

Answer: b

The information system owner has discretion over how frequently these documents are generated.

25. 

Answer: b

The frequency of plan generation is at the discretion of the information system owner.

26. 

Answer: c

If the decision is that reaccreditation is necessary, the authorizing official will inform the information system owner of the decision.

27. 

Answer: a

Any of these events makes reaccredidation necessary.

28. 

Answer: b

29. 

Answer: a

The answer a is correct. Relative to answers b and c, these types of events are taken into account during impact analysis and risk analysis. Answer d is incorrect because risk can never be completely eliminated.

30. 

Answer: c

31. 

Answer: a

The answer a is correct. In the other answers, evaluation and validation types are made-up distracters. Black-box testing is another word for functional testing.

32. 

Answer: d

33. 

Answer: b

Appendix C

1. 

Which one of the following is not one of the types of information comprised in requirements?

  1. Environmental description
  2. Functionality
  3. Security constraints
  4. Design architecture

answer: d the design architecture derives from the system specifications.

2. 

What are the two major problem categories in the requirements analysis process?

  1. Essence and accidents
  2. Essence and system properties
  3. System properties and essence
  4. Maintainability and accidents

answer: a answers b, c, and d are distracters.

3. 

Which one of the high-level design processes includes verified design specifications, requirements traceability, control structures, and data structures?

  1. Design architecture
  2. Communications protocols
  3. Design constraints
  4. Functional descriptions

answer: a answers b, c, and d are distracters.

4. 

Which one of the following requirements categories stipulates customer-driven constraints such as hardware and software compatibility issues, operating systems, and protocols?

  1. Functional constraints
  2. Functionality
  3. Design constraints
  4. Project management

answer: c the answer is c, by definition.

5. 

Which one of the following activities is not an approach to developing design architecture?

  1. Functional decomposition
  2. Traceable decomposition
  3. Process-driven decomposition
  4. Object-oriented decomposition

answer: b answer b is a made-up distracter.

6. 

Which one of the following processes provides the necessary and sufficient information for the correct design and valid implementation of a system?

  1. Requirements analysis
  2. Design analysis
  3. Functional analysis
  4. Design architecture generation

answer: a answers b, c, and d are distracters.

7. 

The design architecture derives from which one of the following:

  1. High-level design processes
  2. Control analysis
  3. Impact analysis
  4. System specifications

image from book

8. 

Requirements analysis addresses which of the following issues?

  1. Functional requirements
  2. Functional and security requirements
  3. Security requirements
  4. Effectiveness

image from book

9. 

Which one of the following requirements addresses issues such as budget control, delivery schedules, training, and acceptance testing?

  1. Environmental descriptions
  2. Project management constraints
  3. Communications protocols
  4. Functional constraints

image from book

10. 

What is a critical component in verifying and validating the completed system?

  1. Requirements
  2. System architecture
  3. Design analyses
  4. Decomposition

image from book

Answers

1. 

Answer: d

The design architecture derives from the system specifications.

2. 

Answer: a

Answers b, c, and d are distracters.

3. 

Answer: a

Answers b, c, and d are distracters.

4. 

Answer: c

The answer is c, by definition.

5. 

Answer: b

Answer b is a made-up distracter.

6. 

Answer: a

Answers b, c, and d are distracters.

7. 

Answer: d

8. 

Answer: b

9. 

Answer: b

10. 

Answer: a

Appendix D

1. 

Which one of the following is not one of the five system life cycle planning phases as defined in NIST SP 800-14?

  1. Initiation phase
  2. Requirements phase
  3. Implementation phase
  4. Disposal phase

image from book

2. 

Which one of the following sets of activities best describes a subset of the Acquisition Cycle phases as given in NIST SP 800-64, “Security Considerations in the Information System Development Life Cycle”?

  1. Mission and business planning, acquisition planning, contract performance, disposal and contract closeout
  2. Initiation, mission and business planning, acquisition planning, contract performance
  3. Initiation, acquisition/development, contract performance, disposal and contract closeout
  4. Mission and business planning, acquisition/development, contract performance, disposal and contract closeout

image from book

3. 

The IATF document 3.1 stresses that information assurance relies on three critical components. Which one of the following answers correctly lists these components?

  1. People, documentation, technology
  2. People, Defense in Depth, technology
  3. People, evaluation, certification
  4. People, operations, technology

answer: d answers a, b, and c are distracters.

4. 

In the 14 Common IT Security Practices listed in NIST SP 800-14, one of the practices addresses having three types of policies in place. Which one of the following items is not one of these types of policies?

  1. A program policy
  2. An issue-specific policy
  3. A system-specific policy
  4. An enclave-specific policy

image from book

5. 

Risk management, as defined in NIST SP 800-30, comprises which three processes?

  1. Risk assessment, risk mitigation, and evaluation and assessment
  2. Risk identification, risk mitigation, and evaluation and assessment
  3. Risk assessment, risk impacts, and risk mitigation
  4. Risk assessment, risk mitigation, and risk identification

answer: a answers b, c, and d are distracters.

6. 

In the system development life cycle (SDLC), or system life cycle as it is sometimes called, in which one of the of the five phases are the system security features configured, enabled, tested, and verified?

  1. Operation/maintenance
  2. Development/acquisition
  3. Implementation
  4. Initiation

image from book

7. 

Which one of he following activities is performed in the Development/Acquisition phase of the SDLC?

  1. The scope of the IT system is documented.
  2. The IT system is developed, programmed, or otherwise constructed.
  3. The system performs its function.
  4. Information, hardware, or software is disposed of.

image from book

8. 

In NIST SP 800-30, risk is defined as a function of which set of the following items?

  1. Threat likelihood, vulnerabilities, and impact
  2. Threat likelihood, mission, and impact
  3. Vulnerabilities, mission and impact
  4. Threat likelihood, sensitivity, and impact

answer: a answers b, c, and d are distracters.

9. 

The risk assessment methodology described in NIST SP 800-30 comprises nine primary steps. Which one of the following is not one of these steps?

  1. System characterization
  2. Control analysis
  3. Impact analysis
  4. Accreditation boundaries

answer: d delineating accreditation boundaries is a subset of system characterization (answer a).

10. 

The Engineering Principles for Information Technology Security (EPITS), described in NIST SP 800-27, are which one of the following?

  1. A list of 33 system-level security principles to be considered in the design, development, and operation of an information system
  2. A list of eight principles and 14 practices derived from OECD guidelines
  3. Part of the Common Criteria (CC)
  4. Component of the Defense in Depth strategy

image from book

11. 

Which one of the following items is not one of the activities of the generic systems engineering (SE) process?

  1. Discover needs
  2. Define system requirements
  3. Obtain accreditation
  4. Assess effectiveness

image from book

12. 

The elements Discover information protection needs, Develop detailed security design, and Assess information protection effectiveness are part of what process?

  1. The systems engineering (SE) process
  2. The information systems security engineering process (ISSE)
  3. The system development life cycle (SDLC)
  4. The risk management process

image from book

13. 

In the ISSE process, information domains are defined under the Discover Information Protection Needs process. Which one of the following tasks is not associated the information domain?

  1. Identify the members of the domain.
  2. List the information entities that are under control in the domain.
  3. Identify the applicable privileges, roles, rules, and responsibilities of the users in the domain.
  4. Map security mechanisms to security design elements in the domain.

answer: d this task is performed under the develop detailed security design activity.

14. 

In the Discover Information Protection Needs activity of the ISSE process, the information systems security engineer must document the elements of this activity, including roles, responsibilities, threats, strengths, security services, and priorities. These items form the basis of which one of the following?

  1. Threat matrix
  2. Functional analysis
  3. Synthesis
  4. Information protection policy (IPP)

answer: d answers a through c are distracters.

15. 

As part of the Define System Security Requirements activity of the ISSE process, the information systems security engineer identifies and selects a solution set that can satisfy the requirements of the IPP. Which one of the following elements is not a component of the solution set?

  1. Functional decomposition
  2. Preliminary security concept of operations (CONOPS)
  3. System context
  4. System requirements

image from book

16. 

The information systems security engineer’s tasks of cataloging candidate commercial off-the-shelf (COTS) products, government off-the-shelf (GOTS) products, and custom security products are performed in which one of the following ISSE process activities?

  1. Define System Security Requirements
  2. Develop Detailed Security Design
  3. Implement System Security
  4. Design System Security Architecture

image from book

17. 

Which ISSE activity includes conducting unit testing of components, integration testing, and developing installation and operational procedures?

  1. Assess Information Protection Effectiveness
  2. Develop Detailed Security Design
  3. Implement System Security
  4. Design System Security Architecture

image from book

18. 

Security certification is performed in which phase of the SDLC?

  1. Implementation phase
  2. Validation phase
  3. Development/Acquisition phase
  4. Operations/Maintenance phase

image from book

19. 

The certification and accreditation process receives inputs from the ISSE process. These inputs are which one of the following items?

  1. Certification documentation
  2. Certification recommendations
  3. Accreditation decision
  4. Evidence and documentation

answer: d answers a, b, and c are outputs of the certification and accreditation process.

20. 

Which one of the following items is not part of an implementation-independent protection profile (PP) of the Common Criteria (CC)?

  1. Security objectives
  2. Information assurance requirements
  3. Security-related functional requirements
  4. Defense of the enclave boundary

answer: d defense of the enclave boundary is addressed in the defense-in-depth strategy.

21. 

Which one of the following is not one of the technology focus areas of the Defense in Depth strategy?

  1. Defend the certificate management
  2. Defend the network and infrastructure
  3. Defend the computing environment
  4. Defend the supporting infrastructure

image from book

22. 

Security categorization is part of which phase of the SDLC?

  1. Initiation
  2. Acquisition/Development
  3. Implementation
  4. Requirements

image from book

23. 

The Defense in Depth strategy identifies five types of attacks on information systems as listed in IATF document 3.1. Which one of the following types of attacks is not one of these five types?

  1. Passive
  2. Active
  3. Close-in
  4. Outsider

image from book

24. 

Which one of the following items is not an activity under the Acquisition/Development phase of the SDLC?

  1. Preliminary risk assessment
  2. Security functional requirements analysis
  3. Cost considerations and reporting
  4. Developmental security evaluation

image from book

25. 

Which one of the following types of enclaves is not one of those categorized in the U.S. federal and defense computing environments?

  1. Private
  2. Public
  3. Classified
  4. Secure

image from book

26. 

According to NIST SP 800-64, which phase of the SDLC includes the activities of functional statement of need, market research, cost-benefit analysis, and a cost analysis?

  1. Initiation
  2. Acquisition/Development
  3. Implementation
  4. Operations/Maintenance

image from book

27. 

Which one of the following models is an evolutionary model used to represent the acquisition management process?

  1. The acquisition process model
  2. The spiral model
  3. The waterfall model
  4. The acquisition/development model

image from book

28. 

In NIST SP 800-30, a threat is defined as which one of the following items?

  1. Intent and method targeted at the intentional exploit of a vulnerability
  2. The likelihood that a given threat source will exercise a particular potential vulnerability, and the resulting impact of that adverse event on the organization
  3. The potential for a threat source to exercise a specific vulnerability
  4. A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised and result in a security breach or a violation of the system’s security policy

image from book

29. 

Questionnaires, on-site interviews, review of documents, and automated scanning tools are primarily used to gather information for which one of the following steps of the risk assessment process?

  1. System characterization
  2. Risk determination
  3. Vulnerability identification
  4. Control analysis

image from book

30. 

In performing an impact analysis as part of the risk assessment process, three important factors should be considered in calculating the negative impact. Which one of the following items is not one of these factors?

  1. The sensitivity of the system and its data
  2. The management of the system
  3. The mission of the system
  4. The criticality of the system, determined by its value and the value of the data to the organization

Technical Management

answer: b technical management

31. 

Which statement about the SSE-CMM is incorrect?

  1. The SSE-CMM defines two dimensions that are used to measure the capability of an organization to perform specific activities.
  2. The domain dimension consists of all the practices that collectively define security engineering.
  3. The domain dimension represents practices that indicate process management and institutionalization capability.
  4. The capability dimension represents practices that indicate process management and institutionalization capability.

image from book

32. 

Which description of the SSE-CMM Level 5 Generic Practice is correct?

  1. Planned and Tracked
  2. Continuously Improving
  3. Quantitatively Controlled
  4. Performed Informally

image from book

33. 

Which statement about testing and evaluation is not true?

  1. A TEMP is required for most large programs.
  2. A DT&E is equivalent to Analytical, Type 1, and Type 2 testing.
  3. An OT&E is equivalent to Type 5 and Type 6 testing.
  4. An OT&E is equivalent to Type 3 and Type 4 testing.

image from book

34. 

Which attribute about the Level 1 SSE-CMM Generic Practice is correct?

  1. Performed Informally
  2. Planned and Tracked
  3. Well Defined
  4. Continuously Improving

image from book

35. 

Which of the following is not a true statement about good cost control?

  1. Cost control starts with the initiation of corrective action.
  2. Cost control requires good overall cost management.
  3. Cost control requires immediate initiation of corrective action.
  4. Cost control starts with the initial development of cost estimates for the program.

image from book

36. 

Which statement about the SE-CMM is not correct?

  1. The SE-CMM describes the essential elements of an organization’s systems engineering process that must exist in order to ensure good systems engineering.
  2. The SE-CMM provides a reference to compare existing systems engineering practices against the essential systems engineering elements described in the model.
  3. The SE-CMM goal is to improve the system or product engineering process.
  4. The SE-CMM was created to define, improve, and assess security engineering capability.

image from book

37. 

Which statement about system security testing and evaluation (ST&E) categories is correct?

  1. Type 1 testing is performed during the latter stages of the detail design and development phase.
  2. Type 2 testing is design evaluation conducted early in the system life cycle.
  3. Type 3 testing is performed during the latter stages of the detail design and development phase.
  4. Type 4 testing is conducted during the system operational use and life cycle support phase.

image from book

38. 

Which choice is not an activity in the cost control process?

  1. Identifying potential suppliers
  2. Developing a functional cost data collection capability
  3. Developing the costs as estimated for each task
  4. Creating a procedure for cost evaluation

image from book

39. 

Which choice does not describe a common outsourcing activity?

  1. Review of proposals
  2. Develop a functional cost reporting capability
  3. Contract negotiation
  4. Development of an RFP

image from book

40. 

Which choice is not an accurate description of an activity level of the WBS?

  1. Level 1 may be used as the basis for the authorization of the program work.
  2. Program budgets are usually prepared at Level 1.
  3. Level 2 identifies the various projects that must be completed.
  4. Program schedules are generally prepared at Level 3.

image from book

41. 

Which of the following is not a phase in the IDEAL model?

  1. Authorizing
  2. Learning
  3. Diagnosing
  4. Establishing

image from book

42. 

Which choice best describes systems engineering, as defined in the SSE-CMM?

  1. An integrated composite of people, products, and processes that provides a capability to satisfy a need or objective
  2. The selective application of scientific and engineering efforts to integrate the efforts of all engineering disciplines and specialties into the total engineering effort
  3. A narrative description of the work required for a given project
  4. The contracting with one or more outside suppliers for the procurement and acquisition of materials and services

image from book

43. 

Which of the following choices is not a benefit of the WBS?

  1. The WBS facilitates the initial allocation of budgets.
  2. The WBS facilitates the collection and reporting of costs.
  3. The system can easily be described through the logical breakout of its elements into work packages.
  4. The WBS integrates the efforts of all engineering disciplines and specialties into the total engineering effort.

image from book

44. 

Which choice is not an element of the Statement of Work (SOW)?

  1. An identification of the input requirements from other tasks
  2. A description of specific results to be achieved
  3. Management of security awareness, training, and education programs
  4. A proposed schedule for delivery of the product

image from book

45. 

Which of the following statements best describes the difference between a Type 1 testing and evaluation category and a Type 2 category?

  1. Type 1 testing is the evaluation of system components in the laboratory, designed to verify performance and physical characteristics.
  2. Type 2 testing is the evaluation of system components in the laboratory, designed to verify performance and physical characteristics.
  3. Type 1 testing establishes design evaluations conducted early in the system life cycle.
  4. Type 2 testing is conducted after initial system qualification and prior to the completion of the production or construction phase.

image from book

46. 

Which choice has the outsourcing activities listed in their proper order?

  1. Review and evaluation of supplier proposals, supplier monitoring and control, development of a Request for Proposal (RFP), and selection of suppliers
  2. Development of a Request for Proposal (RFP), review and evaluation of supplier proposals, supplier monitoring and control, and selection of suppliers
  3. Development of a Request for Proposal (RFP), review and evaluation of supplier proposals, selection of suppliers, and supplier monitoring and control
  4. Review and evaluation of supplier proposals, selection of suppliers, development of a Request for Proposal (RFP), and supplier monitoring and control

image from book

47. 

Which answer best describes a Statement of Work (SOW)?

  1. A narrative description of the work required for a given project
  2. An integrated composite of people, products, and processes that provides a capability to satisfy a need or objective
  3. The contracting with one or more outside suppliers for the procurement and acquisition of materials and services
  4. The development of a functional cost reporting capability

image from book

48. 

Which statement about SSE-CMM Base Practices is correct?

  1. BPs are mandatory characteristics that must exist within an implemented security engineering process before an organization can claim satisfaction in a given PA.
  2. BPs are ordered in degrees of maturity and are grouped to form and distinguish among five levels of security engineering maturity.
  3. BPs are ordered in degrees of maturity and are grouped to form and distinguish among 22 levels of security engineering maturity.
  4. BPs are optional characteristics that must exist within an implemented security engineering process before an organization can claim satisfaction in a given PA.

image from book

49. 

As per the SE-CMM, which definition of a system is incorrect?

  1. An interacting combination of elements that are viewed in relation to function
  2. A continuous cycle of evaluating the current status of an organization, making improvements, and repeating the cycle
  3. An assembly of things or parts forming a complex or unitary whole
  4. An integrated composite of people, products, and processes that provides a capability to satisfy a need or objective

image from book

50. 

Which of the following choices best describes the purpose of the Learning phase of the IDEAL model?

  1. The Learning phase is the implementation phase and requires the greatest level of effort of all the phases, in terms of both resources and time.
  2. The Learning phase is both the final stage of the initial process improvement cycle and the initial phase of the next process improvement effort.
  3. In the Learning phase, it is imperative that an understanding of the organization’s current and desired future state of process maturity be established.
  4. In the Learning phase, a detailed plan of action based on the goals of the effort and the recommendations developed during the Diagnosing phase is developed.

image from book

51. 

Which statement about the System Engineering Management Plan (SEMP) is not true?

  1. Development program planning and control is a SEMP element.
  2. The goal of SEMP is to establish a continuous cycle of evaluating the current status of the organization.
  3. The SEMP contains detailed statements of how the systems security engineering functions are to be carried out during development.
  4. The security systems engineering process is a SEMP element.

image from book

52. 

Which choice has the correct order of activities in the IDEAL model?

  1. Learning, Initiating, Diagnosing, Establishing, and Acting
  2. Initiating, Learning, Diagnosing, Establishing, and Acting
  3. Learning, Diagnosing, Initiating, Establishing, and Acting
  4. Initiating, Diagnosing, Establishing, Acting, and Learning

image from book

53. 

Which choice is an incorrect statement regarding the Systems Engineering Management Plan (SEMP)?

  1. The SEMP covers all management functions associated with the performance of security systems engineering activities for a given program.
  2. It starts as an outline and is updated as the security system development process goes on.
  3. It contains detailed statements of how the systems security engineering functions are to be carried out during development.
  4. The SEMP is a static document, intended to remain unchanged.

image from book

54. 

Which choice best describes an outsourced supplier?

  1. A broad class of external organizations that provide products, components, materials, and/or services to a producer or prime contractor
  2. An interacting combination of elements that are viewed in relation to function
  3. An integrated composite of people, products, and processes that provides a capability to satisfy a need or objective
  4. Practices that indicate process management and institutionalization capability

image from book

55. 

Which of the following statements best describes the main premise of process improvement?

  1. Major changes must be sponsored by senior management.
  2. The quality of services produced is a direct function of the quality of the associated development and maintenance processes.
  3. Focus on fixing the process, not assigning blame.
  4. All suppliers must be security vetted prior to contracting.

image from book

56. 

What is the main purpose of the Work Breakdown Structure (WBS)?

  1. It creates a hierarchical tree of work packages.
  2. It may be a contractual requirement in competitive bid system developments.
  3. It ensures the authorization for the program work.
  4. It ensures that all essential tasks are properly defined, assigned, scheduled, and controlled.

image from book

57. 

Which choice is not an activity in the Development Program Planning and Control element of the SEMP?

  1. System Test and Evaluation Strategy
  2. Scheduling and Cost Estimation
  3. Technical Performance Measurement
  4. Statement of Work

image from book

58. 

At what point in the project is the Work Breakdown Structure (WBS) usually created?

  1. After the generation of the SOW and the identification of the organizational structure
  2. After the development of a functional cost data collection and reporting capability
  3. After the costs for each task are estimated
  4. After the development of an RFP but before the identification of the organizational structure

image from book

59. 

Which choice accurately lists the five levels of security engineering maturity as defined by the SSE-CMM?

  1. Planned and Tracked, Well Defined, Performed Informally, Quantitatively Controlled, and Continuously Improving
  2. Planned and Tracked, Performed Informally, Well Defined, Quantitatively Controlled, and Continuously Improving
  3. Performed Informally, Planned and Tracked, Well Defined, Quantitatively Controlled, and Continuously Improving
  4. Performed Informally, Planned and Tracked, Quantitatively Controlled, Well Defined, and Continuously Improving

image from book

60. 

Which choice has the correct order of activities in the security system design testing process?

  1. Acquisition, Testing, Analysis, Planning, and Correction
  2. Acquisition, Planning, Testing, Analysis, and Correction
  3. Planning, Analysis, Testing, Acquisition, and Correction
  4. Planning, Acquisition, Testing, Analysis, and Correction

Certification and Accreditation

See Chapter 11 Assessment Questions.

U.S. Government Information Assurance Regulations

image from book

61. 

Techniques and concerns that are normally addressed by management in the organization’s computer security program are defined in NIST SP 800-12 as:

  1. Administrative controls
  2. Management controls
  3. Operational controls
  4. Technical controls

image from book

62. 

The National Research Council publication Computers at Risk defines an element of computer security as a “requirement intended to assure that systems work properly and service is not denied to authorized users.” Which one of the following elements best fits this definition?

  1. Availability
  2. Assurance
  3. Integrity
  4. Authentication

image from book

63. 

NSTISSI Publication No. 4009, “National Information Systems Security (INFOSEC) Glossary,” defines the term assurance as:

  1. Requirement that information and programs are changed only in a specified and authorized manner
  2. Measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information
  3. Measure of confidence that the security features, practices, procedures, and architecture of an IS accurately mediate and enforce the security policy
  4. Requirement that private or confidential information not be disclosed to unauthorized individuals

image from book

64. 

The “National Information Systems Security (INFOSEC) Glossary” defines an information system security term as a “formal determination by an authorized adjudicative office that an individual is authorized access, on a need to know basis, to a specific level of collateral classified information.” This definition refers to which one of the following terms?

  1. Sensitivity of information
  2. Classification of information
  3. Clearance
  4. Compartmentalization

image from book

65. 

In NSTISSI Publication No. 4009, what term is defined as a “document detailing the method, act, process, or effect of using an information system (IS)”?

  1. QUADRANT
  2. Concept of Operations (CONOPS)
  3. Evaluation Assurance Level (EAL)
  4. Information Assurance (IA) architecture

image from book

66. 

Which one of the following definitions best describes the National Information Assurance Partnership (NIAP) according to NSTISSI Publication No. 4009?

  1. Nationwide interconnection of communications networks, computers, databases, and consumer electronics that makes vast amounts of information available to users
  2. Worldwide interconnections of the information systems of all countries, international and multinational organizations, and international commercial communications
  3. Joint initiative between NSA and NIST responsible for security testing needs of both IT consumers and producers, promoting the development of technically sound security requirements for IT products
  4. First level of the PKI Certification Management Authority that approves the security policy of each Policy Certification Authority (PCA)

image from book

67. 

TEMPEST refers to which one of the following definitions?

  1. Property whereby the security level of an object cannot change while the object is being processed by an IS
  2. Investigation, study, and control of compromising emanations from IS equipment
  3. Program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classified level
  4. Unclassified cryptographic equipment

image from book

68. 

Executive Order (E.O.) 13231, issued on October 16, 2001, renamed the National Security Telecommunications and Information Systems Security Committee (NSTISSC) as which one of the following committees?

  1. Committee for Information Systems Security (CISS)
  2. Committee on National Security Systems (CNSS)
  3. Committee on National Infrastructure Protection (CNIP)
  4. Committee for the Protection of National Information Systems (CPNIS)

answer: b the other answers are distracters.

69. 

In addressing the security of systems with national security information, E.O. 13231 assigned the responsibilities of developing government-wide policies and overseeing the implementation of governmentwide policies, procedures, standards, and guidelines to the:

  1. U.S. Secretary of Defense and the Director of the FBI
  2. FBI and the Director of Central Intelligence
  3. NIST and the U.S. Secretary of Defense
  4. U.S. Secretary of Defense and the Director of Central Intelligence

image from book

70. 

Which one of the following characteristics is not associated with the definition of a national security system?

  1. Contains classified information
  2. Involved in industrial commerce
  3. Supports intelligence activities
  4. Involved with the command and control of military forces

image from book

71. 

In 2002, the U.S. Congress enacted the E-Government Act (Public Law 107-347). Title III of the E-Government Act was written to provide for a number of protections of Federal information systems, including to “provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.” Title III of the E-Government Act is also known as the:

  1. Computer Security Act (CSA)
  2. Computer Fraud and Abuse Act (CFAA)
  3. Federal Information Security Management Act (FISMA)
  4. Cyber Security Enhancement Act

image from book

72. 

FISMA assigned which one of the following entities the responsibility of overseeing the security policies and practices of U.S. government agencies?

  1. The FBI
  2. The U.S. Secretary of Defense
  3. The Director of the Office of Management and Budget (OMB)
  4. The Director of Central Intelligence

image from book

73. 

Which information system security–related Act requires government agencies to perform periodic assessments of risk, develop policies and procedures that are based on risk assessments, conduct security awareness training, perform periodic testing and evaluation of the effectiveness of information security policies, and implement procedures for detecting, reporting, and responding to security incidents?

  1. Computer Security Act (CSA)
  2. Federal Information Security Management Act (FISMA)
  3. Computer Fraud and Abuse Act (CFAA)
  4. Cyber Security Enhancement Act

image from book

74. 

FISMA charged which one of the following entities to develop information system security standards and guidelines for federal agencies?

  1. FBI
  2. DoD
  3. NSA
  4. NIST

image from book

75. 

The general formula for categorization of an information type developed in FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems,” is which one of the following?

  1. SC information type = {(confidentiality, risk), (integrity, risk), (availability, risk)}
  2. SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
  3. SC information type = {(assurance, impact), (integrity, impact), (authentication, impact)}
  4. SC information type = {(confidentiality, controls), (integrity, controls), (availability, controls)}

answer: b the other answers are distracters.

76. 

Circular A-130 directs that an oversight function should be performed consisting of the use of information technology planning reviews, fiscal budget reviews, information collection budget reviews, management reviews, and such other measures as deemed necessary to evaluate the adequacy and efficiency of each agency’s information resources management and compliance with the circular. Which one of the following individuals does the circular designate as being responsible for this oversight function?

  1. The Secretary of Commerce
  2. The Director of the Office of Management and Budget
  3. The U.S. Secretary of Defense
  4. The Director of NSA

image from book

77. 

The National Computer Security Center Publication NCSC-TG-004-88 includes a definition that refers to the characteristic of a system that “performs its intended function in an unimpaired manner, free from deliberate, inadvertent, or unauthorized manipulation of the system.” This characteristic defines which one of the following terms?

  1. Data integrity
  2. System integrity
  3. Enterprise integrity
  4. Risk integrity

image from book

78. 

Which one of the following terms best describes a secure telecommunications or associated cryptographic component that is unclassified but governed by a special set of control requirements, as defined in NSTISSI Publication 4009?

  1. Controlled cryptographic item (CCI) assembly
  2. Controlled cryptographic item (CCI) component
  3. Controlled cryptographic item (CCI)
  4. Crypto-ignition key (CIK)

image from book

79. 

What is a definable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation and key handling and storage?

  1. COMSEC area
  2. COMSEC compartment
  3. COMSEC partition
  4. COMSEC boundary

answer: d answers a, b, and c are distracters.

80. 

What process involves the five steps of identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures?

  1. Operations security
  2. Application security
  3. Administrative security
  4. Management security

answer: a the other answers are distracters.

81. 

Information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosures is known as:

  1. Protected information (PI)
  2. National security information (NSI)
  3. Personally identifiable information (PII)
  4. Secure information (SI)

image from book

82. 

An area that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other is referred to as which one of the following terms?

  1. No-lone zone
  2. Restricted area
  3. Protected occupancy zone
  4. Cleared area

answer: a answers b, c, and d are distracters.

83. 

According to NSTISSI Publication 4009, the process of identifying and applying countermeasures commensurate with the value of the assets protected based on a risk assessment is called a:

  1. Vulnerability assessment
  2. Continuity planning
  3. Risk management
  4. Risk control

image from book

84. 

In the context of information systems security, the abbreviation ST&E stands for which one of the following terms?

  1. Security training and evaluation
  2. Security test and evaluation
  3. Security test and engineering
  4. Sensitivity test and evaluation

answer: b answers a, c, and d are distracters.

85. 

Which one of the following designations refers to a product that is a classified or controlled cryptographic item endorsed by the NSA for securing classified and sensitive U.S. government information when appropriately keyed?

  1. Cleared product
  2. Type 3 product
  3. Type 1 product
  4. Type 2 product

image from book

86. 

Which one of the following items is not one of the responsibilities of the Committee on National Security Systems (CNSS) for the security of national security systems?

  1. Providing a forum for the discussion of policy issues
  2. Setting national policy
  3. Providing operational procedures, direction, and guidance.
  4. Requiring agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm to information or information systems of government agencies

answer: d this responsibility is assigned to the omb.

87. 

FISMA, Title III of the E-Government Act of 2002, reserves the responsibility for standards associated with the national defense establishment to which of the following entities?

  1. DoD and NSA
  2. DoD and CIA
  3. CIA and NSA
  4. CIA and NIST

image from book

88. 

FIPS Publication 199, “Standards for Security Characterization of Federal Information and Information Systems, NIST Pre-Publication Final Draft,” December 2003, characterizes three levels of potential impact on organizations or individuals based on the objectives of confidentiality, integrity, and availability. What is the level of impact specified in Publication 199 for the following description of integrity: “The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals”?

  1. High
  2. Moderate
  3. Low
  4. Severe

image from book

89. 

Referring to question 88, the following impact description refers to which one of the three security objectives and which corresponding level of impact: “The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals”?

  1. Confidentiality - Low
  2. Availability - Moderate
  3. Availability - Low
  4. Availability - High

image from book

90. 

DoD Directive 8500.1, “Information Assurance (IA),” October 4, 2002, specifies a defense-in-depth approach that integrates the capabilities of which set of the following entities?

  1. Personnel, operations, and technology
  2. Personnel, research and development, and technology
  3. Operations, resources, and technology
  4. Personnel, operations, and resources

answer: a answers b, c, and d are distracters.

Answers

1. 

Answer: b

The requirements phase is not one of the five system life cycle planning phases. The other two phases of the system life cycle are the Development/Acquisition phase and the Operations phase.

2. 

Answer: a

Answers b, c, and d are distracters comprising components of the SDLC and the Acquisition Cycle.

3. 

Answer: d

Answers a, b, and c are distracters.

4. 

Answer: d

A program policy is used to create and define a computer security program, an issue specific policy addresses specific areas and issues, and a system specific policy focuses on decisions made by management.

5. 

Answer: a

Answers b, c, and d are distracters.

6. 

Answer: c

7. 

Answer: b

Answer a refers to the Initiation phase, answer c refers to the Operation/Maintenance phase, and answer d refers to the Disposal phase.

8. 

Answer: a

Answers b, c, and d are distracters.

9. 

Answer: d

Delineating accreditation boundaries is a subset of system characterization (answer a).

10. 

Answer: a

Answer b describes the principles and practices found in NIST SP 800-14. Answers c and d are distracters.

11. 

Answer: c

Obtaining accreditation is not one of the SE process activities. The other SE process activities are to design system architecture, develop detailed design, and implement system.

12. 

Answer: b

13. 

Answer: d

This task is performed under the Develop Detailed Security Design activity.

14. 

Answer: d

Answers a through c are distracters.

15. 

Answer: a

Functional decomposition is part of the Design System Security Architecture activity of the ISSE process.

16. 

Answer: b

17. 

Answer: c

18. 

Answer: a

Security certification is performed in the Implementation phase. Validation (answer b) is not a phase of the SDLC. Answers c and d are additional phases of the SDLC. This activity has tasks that should be performed throughout the ISSE process.

19. 

Answer: d

Answers A, B, and C are outputs of the Certification and Accreditation process.

20. 

Answer: d

Defense of the enclave boundary is addressed in the Defense-In-Depth strategy.

21. 

Answer: a

22. 

Answer: a

Security categorization, performed in the Initiation phase, defines low, moderate, or high levels of potential impact on organizations in the event of a security breach. Answers b and c are other phases of the SDLC. Answer d is not a phase of the SDLC.

23. 

Answer: d

Answer d is a distracter. The other two types of attacks, in addition to passive attacks (answer a), active attacks (answer b), and close-in attacks (answer c), are insider and distribution attacks.

24. 

Answer: a

Preliminary risk assessment is performed in the Initiation phase of the SDLC. Additional activities under the Acquisition/Development phase of the SDLC are risk assessment, assurance requirements analysis security, security planning, and security control development.

25. 

Answer: d

26. 

Answer: b

Additional activities under the Acquisition/Development phase include requirements analysis, alternatives analysis, and a software conversion study.

27. 

Answer: b

The spiral model depicts the acquisition management process as a set of phases and decision points in a circular representation. The other answers are distracters.

28. 

Answer: c

Answer a is a threat source, answer b defines risk, and answer d is the definition of vulnerability.

29. 

Answer: a

30. 

Answer: b

Technical Management

31. 

Answer: c

The SSE-CMM defines two dimensions that are used to measure the capability of an organization to perform specific activities, the domain dimension and the capability dimension. The domain dimension consists of all the practices that collectively define security engineering. The capability dimension represents practices that indicate process management and institutionalization capability.

32. 

Answer: b

Level 5, “Continuously Improving,” is the highest level. A statement characterizing this level would be: “A culture of continuous improvement requires a foundation of sound management practice, defined processes, and measurable goals.”

33. 

Answer: c

In the Defense sector, a TEMP is required for most large programs and includes the planning and implementation of procedures for the Development Test and Evaluation (DT&E) and Operational Test and Evaluation (OT&E). DT&E basically equates to the Analytical, Type 1, and Type 2 testing, and OT&E is equivalent to Type 3 and Type 4 testing.

34. 

Answer: a

The lowest level, Level 1, “Performed Informally,” focuses on whether an organization or project performs a process that incorporates the BPs. The attribute of this level simply requires that the BPs are performed.

35. 

Answer: a

Cost control starts with the initial development of cost estimates for the program and continues with the functions of cost, monitoring, and the collection of cost data, the analysis of the data, and the immediate initiation of corrective action. Cost control requires good overall cost management, including:

  • Cost estimating
  • Cost accounting
  • Cost monitoring
  • Cost analysis and reporting
  • Control functions

36. 

Answer: d

The SSE-CMM, not the SE-CMM, goal is to define, improve, and assess security engineering capability. The SE-CMM goal is to improve the system or product engineering process. The SE-CMM describes the essential elements of an organization’s systems engineering process that must exist in order to ensure good systems engineering. It also provides a reference to compare existing systems engineering practices against the essential systems engineering elements described in the model.

37. 

Answer: d

Testing and evaluation processes often involves several stages of testing categories or phases, such as:

  1. Analytical - Design evaluations conducted early in the system life cycle using computerized techniques such as CAD, CAM, CALS, simulation, rapid prototyping, and other related approaches
  2. Type 1 testing - The evaluation of system components in the laboratory using bench test models and service test models, designed to verify performance and physical characteristics
  3. Type 2 testing - Testing performed during the latter stages of the detail design and development phase, when preproduction prototype equipment and software are available
  4. Type 3 testing - Tests conducted after initial system qualification and prior to the completion of the production or construction phase, the first time that all elements of the system are operated and evaluated on an integrated basis
  5. Type 4 testing - Testing conducted during the system operational use and life-cycle support phase, intended to gain further knowledge of the system in the user environment

38. 

Answer: a

Answer a is an activity of outsourcing. The cost control process includes:

  1. Define the elements of work, as extracted from the SOW
  2. Integrate the tasks defined in the WBS
  3. Develop the costs as estimated for each task
  4. Develop a functional cost data collection and reporting capability
  5. Develop a procedure for evaluation and quick corrective action

39. 

Answer: b

Developing a functional cost reporting capability is a function of Cost Control. The order of activities for the outsourcing process are:

  1. Identification of Potential Suppliers
  2. Development of a Request for Proposal (RFP)
  3. Review and Evaluation of Supplier Proposals
  4. Selection of Suppliers and Contract Negotiation
  5. Supplier Monitoring and Control

40. 

Answer: b

The WBS structure generally includes three levels of activity:

  • Level 1 identifies the entire program scope of work to be produced and delivered. Level 1 may be used as the basis for the authorization for the program work.
  • Level 2 identifies the various projects, or categories of activity, that must be completed in response to program requirements. Program budgets are usually prepared at this level.
  • Level 3 identifies the activities, functions, major tasks, and/or components of the system that are directly subordinate to the Level 2 items. Program schedules are generally prepared at this level.

41. 

Answer: a

The five phases of the IDEAL model are:

  • Initiating - Laying the groundwork for a successful improvement effort
  • Diagnosing - Determining where you are relative to where you want to be
  • Establishing - Planning the specifics of how you will reach your destination
  • Acting - Doing the work according to the plan
  • Learning - Learning from the experience and improving your ability

42. 

Answer: b

The definition of systems engineering on which the SE-CMM is based is defined as the selective application of scientific and engineering efforts to:

  • Transform an operational need into a description of the system configuration that best satisfies the operational need according to the measures of effectiveness
  • Integrate related technical parameters and ensure compatibility of all physical, functional, and technical program interfaces in a manner that optimizes the total system definition and design
  • Integrate the efforts of all engineering disciplines and specialties into the total engineering effort

Answer a describes a system, answer c describes the SOW, and answer d describes outsourcing.

43. 

Answer: d

The WBS provides many benefits, such as:

  • It provides for the reporting of system technical performance measures (TPMs).
  • The entire security system can be easily defined by the breakout of its elements in to discrete work packages.
  • The WBS aids in linking objectives and activities with available resources.
  • The WBS facilitates budgeting and cost reporting.
  • Responsibility assignments can be readily identified through the assignment of tasks.
  • The WBS provides a greater probability that every activity will be accounted for.

Answer d describes a benefit of systems engineering.

44. 

Answer: c

The Statement of Work (SOW) is a narrative description of the work required for a given project. It includes:

  • Summary statement of the tasks to be accomplished
  • Identification of the input requirements from other tasks, including tasks accomplished by the customer and supplier
  • References to applicable specifications, standards, procedures, and related documentation
  • Description of specific results to be achieved and proposed schedule of delivery

Answer c is an example of a SSE-CMM Best Practice.

45. 

Answer: a

Testing and evaluation processes often involve several stages of testing categories or phases, such as:

  1. Analytical - Design evaluations conducted early in the system life cycle using computerized techniques such as CAD, CAM, CALS, simulation, rapid prototyping, and other related approaches
  2. Type 1 testing - The evaluation of system components in the laboratory using bench test models and service test models, designed to verify performance and physical characteristics
  3. Type 2 testing - Testing performed during the latter stages of the detail design and development phase, when preproduction prototype equipment and software are available
  4. Type 3 testing - Tests conducted after initial system qualification and prior to the completion of the production or construction phase, the first time that all elements of the system are operated and evaluated on an integrated basis
  5. Type 4 testing - Testing conducted during the system operational use and life-cycle support phase, intended to gain further knowledge of the system in the user environment

46. 

Answer: c

47. 

Answer: a

The Statement of Work is a narrative description of the work required for a given project. Answer b describes a “system” as defined by the SECMM, answer c describes outsourcing, and answer d describes a function of Cost Control.

48. 

Answer: a

BPs are mandatory characteristics that must exist within an implemented security engineering process before an organization can claim satisfaction in a given PA. The GPs are ordered in degrees of maturity and are grouped to form and distinguish among five levels of security engineering maturity. The other answers are distracters.

49. 

Answer: b

In the SE-CMM, a system is defined as:

  • An integrated composite of people, products, and processes that provide a capability to satisfy a need or objective
  • An assembly of things or parts forming a complex or unitary whole; a collection of components organized to accomplish a specific function or set of functions
  • An interacting combination of elements that are viewed in relation to function

    Answer b describes process improvement.

50. 

Answer: b

The Learning phase is both the final stage of the initial process improvement cycle and the initial phase of the next process improvement effort. Based on the analysis of the improvement effort itself, the lessons learned are translated into recommendations for improving subsequent improvement efforts. Answer a describes the Acting phase, answer c describes the Diagnosing phase, and answer d describes the Establishing phase.

51. 

Answer: b

The SEMP contains detailed statements of how the systems security engineering functions are to be carried out during development. Two elements of the SEMP are:

  • Development program planning and control
  • Security systems engineering process

Answer b describes a goal of process improvement.

52. 

Answer: d

The order of activities in the IDEAL model is Initiating, Diagnosing, Establishing, Acting, and Learning.

53. 

Answer: d

The SEMP is intended to be a dynamic document. It starts as an outline and is updated as the security system development process goes on, and contains detailed statements of how the systems security engineering functions are to be carried out during development. The SEMP covers all management functions associated with the performance of security systems engineering activities for a given program.

54. 

Answer: a

The term suppliers is defined here as a broad class of external organizations that provide products, components, materials, and/or services to a producer or prime contractor. Answers b and c describe a system, and answer d is a distracter.

55. 

Answer: b

The basic premise of process improvement is that the quality of services produced is a direct function of the quality of the associated development and maintenance processes. Answers a and c describe knowledge or assumptions required to implement a successful security engineering process improvement activity, but not the main premise. Answer d is a distracter.

56. 

Answer: d

The Work Breakdown Structure (WBS) is an important technique to ensure that all essential tasks are properly defined, assigned, scheduled, and controlled. It contains a hierarchical structure of the tasks to be accomplished during the project. The WBS may be a contractual requirement in competitive bid system developments. Answers a, c, and d are attributes of the WBS, not its main purpose.

57. 

Answer: a

Development Program Planning and Control describes the security systems security engineering tasks that must be implemented to manage the development phase of the security program, including:

  • Statement of Work
  • Organizational Structure
  • Scheduling and Cost Estimation
  • Technical Performance Measurement

Answer a is an activity of the Security Systems Engineering Process element of the SEMP.

58. 

Answer: a

After the generation of the SOW and the identification of the organizational structure, one of the initial steps in program planning is the development of the Work Breakdown Structure (WBS). The other answers are distracters.

59. 

Answer: c

The five levels are: Level 1, Performed Informally; Level 2, Planned and Tracked; Level 3, Well Defined; Level 4, Quantitatively Controlled; and Level 5, Continuously Improving.

60. 

Answer: d

The correct order of activities in the security system design testing process is Planning, Acquisition, Testing, Analysis, and Correction.

Certification and Accreditation

See Chapter 11 Assessment Questions.

U.S. Government Information Assurance Regulations

61. 

Answer: b.

Answer a is a distracter. Operational controls (answer c) are security controls that are usually implemented by people instead of systems, and technical controls (answer d) are security controls that the computer system executes.

62. 

Answer: a

63. 

Answer: c

Answer a is a definition of data integrity, answer b defines authentication, and answer d describes confidentiality.

64. 

Answer: c

Answers a and b are distracters. Answer d refers to a “nonhierarchical grouping of sensitive information used to control access to data more finely than with hierarchical security classification alone,” as defined in NSTISSI Publication No. 4009.

65. 

Answer: b, Concept of Operations

Answer a, QUADRANT, refers to technology that provides tamper-proof protection to cryptographic equipment. Answer c defines “a set of assurance requirements that represent a point on the Common Criteria predefined assurance scale,” and answer d is a “framework that assigns and portrays IA roles and behavior among all IT assets, and prescribes rules for interaction and connection.”

66. 

Answer: c

Answer a refers to the National Information Infrastructure (NII), answer b defines the Global Information Infrastructure (GII), and answer d defines a Policy Approving Authority (PAA).

67. 

Answer: b

Answer a refers to the concept of Tranquility, answer c refers to a Special Access Program (SAP), and answer d is distracter.

68. 

Answer: b

The other answers are distracters.

69. 

Answer: d

70. 

Answer: b

Additional characteristics of a national information system include employing cryptographic activities related to national security, associated with equipment that is an integral part of a weapon or weapons system(s), and critical to the direct fulfillment of military or intelligence missions.

71. 

Answer: c

72. 

Answer: c

The Director of the Office of Management and Budget (OMB) has the responsibility of overseeing government agency security policies and practices. Standards associated with national defense are still the responsibility of the DoD and NSA.

73. 

Answer: b

74. 

Answer: d

75. 

Answer: b

The other answers are distracters.

76. 

Answer: b

77. 

Answer: b

78. 

Answer: c

Answer a refers to a device embodying a communications security (COMSEC) design that NSA has approved as a CCI. Answer b is part of a CCI that does not perform the entire COMSEC function but depends upon the host equipment, or assembly, to complete and operate the COMSEC function. Answer d is a device or electronic key used to unlock the secure mode of crypto-equipment.

79. 

Answer: d

Answers a, b, and c are distracters.

80. 

Answer: a

The other answers are distracters.

81. 

Answer: b

Answers a and d are distracters. PII (answer c) is usually associated with privacy. An example of PII is a person’s health care information.

82. 

Answer: a

Answers b, c, and d are distracters.

83. 

Answer: c

84. 

Answer: b

Answers a, c, and d are distracters.

85. 

Answer: c

Answers a and b are distracters. Answer d, a Type 2 product, defines unclassified cryptographic equipment, assembly, or component endorsed by the NSA for use in national security systems as defined in Title 40 U.S.C. § 1452.

86. 

Answer: d

This responsibility is assigned to the OMB.

87. 

Answer: a

88. 

Answer: b

89. 

Answer: c

90. 

Answer: a

Answers b, c, and d are distracters.

Appendix E

1. 

Which one of the following is not one of the five system life cycle planning phases as defined in NIST SP 800-14?

  1. Initiation phase
  2. Requirements phase
  3. Implementation phase
  4. Disposal phase

image from book

2. 

The IATF document 3.1 stresses that information assurance relies on three critical components. Which one of the following answers correctly lists these components?

  1. People, documentation, technology
  2. People, Defense in Depth, technology
  3. People, evaluation, certification
  4. People, operations, technology

answer: d answers a, b, and c are distracters.

3. 

Risk management, as defined in NIST SP 800-30, comprises which three processes?

  1. Risk assessment, risk mitigation, and evaluation and assessment
  2. Risk identification, risk mitigation, and evaluation and assessment
  3. Risk assessment, risk impacts, and risk mitigation
  4. Risk assessment, risk mitigation, and risk identification

answer: a answers b, c, and d are distracters.

4. 

In the system development life cycle, SDLC, or system life cycle as it is sometimes called, in which one of the of the five phases are the system security features configured, enabled, tested, and verified?

  1. Operation/maintenance
  2. Development/acquisition
  3. Implementation
  4. Initiation

image from book

5. 

Which one of he following activities is performed in the Development/Acquisition phase of the SDLC?

  1. The scope of the IT system is documented.
  2. The IT system is developed, programmed, or otherwise constructed.
  3. The system performs its function.
  4. Disposition of information, hardware, or software.

image from book

6. 

In NIST SP 800-30, risk is defined as a function of which set of the following items?

  1. Threat likelihood, vulnerabilities, and impact
  2. Threat likelihood, mission, and impact
  3. Vulnerabilities, mission and impact
  4. Threat likelihood, sensitivity, and impact

answer: a answers b, c, and d are distracters.

7. 

The risk assessment methodology described in NIST SP 800-30 comprises nine primary steps. Which one of the following is not one of these steps?

  1. System characterization
  2. Control analysis
  3. Impact analysis
  4. Accreditation boundaries

answer: d delineating accreditation boundaries is a subset of answer a, system characterization.

8. 

Which one of the following items is not one of the activities of the generic systems engineering (SE) process?

  1. Discover needs
  2. Define system requirements
  3. Obtain accreditation
  4. Assess effectiveness

image from book

9. 

The elements of Discover Information Protection Needs, Develop Detailed Security Design, and Assess Information Protection Effectiveness are part of what process?

  1. The systems engineering (SE) process
  2. The information systems security engineering process (ISSE)
  3. The system development life cycle (SDLC)
  4. The risk management process

image from book

10. 

In the ISSE process, information domains are defined under the Discover Information Protection Needs process. Which one of the following tasks is not associated with the information domain?

  1. Identify the members of the domain
  2. List the information entities that are under control in the domain
  3. Identify the applicable privileges, roles, rules, and responsibilities of the users in the domain
  4. Map security mechanisms to security design elements in the domain

image from book

11. 

As part of the Define System Security Requirements activity of the ISSE process, the information systems security engineer identifies and selects a solution set that can satisfy the requirements of the IPP. Which one of the following elements is not a component of the solution set?

  1. Functional decomposition
  2. Preliminary security concept of operations (CONOPS)
  3. System context
  4. System requirements

image from book

12. 

The information systems security engineer’s tasks of cataloging candidate commercial off-the-shelf (COTS) products, government off-the-shelf (GOTS) products, and custom security products are performed in which one of the following ISSE process activities?

  1. Define System Security Requirements
  2. Develop Detailed Security Design
  3. Implement System Security
  4. Design System Security Architecture

image from book

13. 

Which ISSE activity includes conducting unit testing of components, integration testing, and developing installation and operational procedures?

  1. Assess Information Protection Effectiveness
  2. Develop Detailed Security Design
  3. Implement System Security
  4. Design System Security Architecture

image from book

14. 

Security certification is performed in which phase of the SDLC?

  1. Implementation phase
  2. Validation phase
  3. Development/Acquisition phase
  4. Operations/Maintenance phase

image from book

15. 

The certification and accreditation process receives inputs from the ISSE process. These inputs are which one of the following items?

  1. Certification documentation
  2. Certification recommendations
  3. Accreditation decision
  4. Evidence and documentation

answer: d answers a, b, and c are outputs of the certification and accreditation process.

16. 

Security categorization is part of which phase of the SDLC?

  1. Initiation
  2. Acquisition/Development
  3. Implementation
  4. Requirements

image from book

17. 

Which one of the following items is not an activity under the Acquisition/Development phase of the SDLC?

  1. Preliminary risk assessment
  2. Security functional requirements analysis
  3. Cost considerations and reporting
  4. Developmental security evaluation

image from book

18. 

According to NIST SP 800-64, which phase of the SDLC includes the activities of functional statement of need, market research, cost-benefit analysis, and a cost analysis?

  1. Initiation
  2. Acquisition/Development
  3. Implementation
  4. Operations/Maintenance

image from book

19. 

In NIST SP 800-30, a threat is defined as which one of the following items?

  1. Intent and method targeted at the intentional exploit of a vulnerability
  2. The likelihood that a given threat source will exercise a particular potential vulnerability, and the resulting impact of that adverse event on the organization
  3. The potential for a threat source to exercise a specific vulnerability
  4. A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised and result in a security breach or a violation of the system’s security policy

image from book

20. 

Questionnaires, on-site interviews, review of documents, and automated scanning tools are primarily used to gather information for which one of the following steps of the risk assessment process?

  1. System characterization
  2. Risk determination
  3. Vulnerability identification
  4. Control analysis

image from book

21. 

In performing an impact analysis as part of the risk assessment process, three important factors should be considered in calculating the negative impact. Which one of the following items is not one of these factors?

  1. The sensitivity of the system and its data
  2. The management of the system
  3. The mission of the system
  4. The criticality of the system, determined by its value and the value of the data to the organization

image from book

22. 

Which choice would not be considered an operations management task related to system maintenance?

  1. Approving, controlling, and monitoring remotely executed maintenance and diagnostic activities
  2. Scheduling, performing, and documenting routine preventative and regular maintenance on the components of the IS
  3. Prioritizing, evaluating, and implementing the controls that are an output of the risk assessment process
  4. Maintaining a list of personnel authorized to perform maintenance on the information system

image from book

23. 

Which task is not a common incident reporting task?

  1. Tracking information system security incidents on an ongoing basis
  2. Employing a formal sanctions process for personnel failing to comply with established information security policies and procedures
  3. Promptly reporting incident information to appropriate authorities
  4. Providing an incident support advice and assistance to users of the information system

image from book

24. 

Which choice accurately describes a task of operations security?

  1. Terminating information system access to terminated employees
  2. Incorporating security in system development models and configuration management
  3. Integrating application and network security controls
  4. Developing processes to identify system threats and vulnerabilities

image from book

25. 

Which choice would not be considered an element of managing operations security compliance?

  1. Developing continuity of operations plans
  2. Managing incidents and security violations
  3. Developing help desk and maintenance programs
  4. Ensuring the availability and integrity of system processes

image from book

Answers

1. 

Answer: b

The requirements phase is not one of the five system life cycle planning phases. The other two phases of the system life cycle are the Development/Acquisition phase and the Operations phase.

2. 

Answer: d

Answers a, b, and c are distracters.

3. 

Answer: a

Answers b, c, and d are distracters.

4. 

Answer: c

5. 

Answer: b

Answer a refers to the Initiation phase; answer c refers to the Operation/Maintenance phase; and answer d refers to the Disposal phase.

6. 

Answer: a

Answers b, c, and d are distracters.

7. 

Answer: d

Delineating accreditation boundaries is a subset of answer a, system characterization.

8. 

Answer: c

Obtaining accreditation is not one of the SE process activities. The other SE process activities are to design system architecture, to develop detailed design, and to implement the system.

9. 

Answer: b

10. 

Answer: d

11. 

Answer: a

Functional decomposition is part of the Design System Security Architecture activity of the ISSE process.

12. 

Answer: b

13. 

Answer: c

14. 

Answer: a

Answer b, Validation, is not a phase of the SDLC. Answers c and d are additional phases of the SDLC.

15. 

Answer: d

Answers a, b, and c are outputs of the Certification and Accreditation process.

16. 

Answer: a

Security categorization defines low, moderate, or high levels of potential impact on organizations as a result of a security breach. Answers b and c are other phases of the SDLC. Answer d is not a phase of the SDLC.

17. 

Answer: a

This activity is performed in the initiation phase of the SDLC. Additional activities under the acquisition/development phase of the SDLC are risk assessment, assurance requirements analysis security, security planning, and security control development.

18. 

Answer: b

Additional activities under this phase include requirements analysis, alternatives analysis, and a software conversion study.

19. 

Answer: c

Answer a is a threat source, answer b defines risk, and answer d is the definition of vulnerability.

20. 

Answer: a

21. 

Answer: b

22. 

Answer: c

23. 

Answer: b

24. 

Answer: a

25. 

Answer: a



The CISSP and CAP Prep Guide. Platinum Edition
The CISSP and CAP Prep Guide: Platinum Edition
ISBN: 0470007923
EAN: 2147483647
Year: 2004
Pages: 239

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net