d. 1, 2, 3, and 4
103. d. Management authorization of a system to process information provides an important quality control. By authorizing processing in a system, the manager accepts its associated risk. Management authorization should be based on an assessment of management, operational, and technical controls.
104. Which of the following should be performed prior to proceeding with the security certification and accreditation process for a system?
a. System security plan be developed
b. System security plan be analyzed
c. System security plan be updated
d. System security plan be accepted
104. a. Procedures should be in place outlining who reviews the security plan, keeps the plan current, and follows up on planned security controls. In addition, procedures should require that system security plans be developed and reviewed prior to proceeding with the security certification and accreditation process for the system.
105. Which of the following individuals establishes the rules for appropriate use and protection of a system’s data and information?
a. Chief information officer
b. Information system security officer
c. Information system owner
d. Information owner
105. d. The information owner is responsible for establishing the rules for appropriate use and protection of a system's data and information, including controls over the generation, collection, processing, dissemination, and disposal of that information. The chief information officer (CIO) is incorrect because the CIO is responsible for developing and maintaining an organization-wide information security program. The information system security officer is incorrect because that role is responsible for ensuring that the appropriate operational security posture is maintained for an information system. The information system owner (also known as program manager or business owner) is incorrect because that role is responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
106. Which of the following states that every user should be notified prior to receiving authorization for access to a system and understand the consequences of noncompliance?
a. Rules-of-behavior
b. Rules-of-access
c. Rules-of-use
d. Rules-of-information
106. a. The rules of behavior are a security control that clearly delineates the responsibilities and expected behavior of all individuals with access to the system. The rules should state the consequences of noncompliance and be made available to every user prior to receiving authorization for access to the system. Electronic signatures are acceptable for acknowledging the rules of behavior.
107. The baseline security controls can be tailored using the results from:
1. Assessment of risk
2. Specific threat information
3. Cost-benefit analyses
4. Availability of compensating controls
a. 1 only
b. 1 and 2
c. 1, 2, and 3
d. 1, 2, 3, and 4
107. d. The baseline security controls can be tailored based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, the availability of compensating controls, or special circumstances.
108. For system security scoping guidance, which of the following addresses the breadth and depth of security control implementation?
a. Technology-related considerations
b. Physical infrastructure-related considerations
c. Scalability-related considerations
d. Public access–related considerations
108. c. Scoping guidance provides an organization with specific terms and conditions on the applicability and implementation of individual security controls.
Scalability-related considerations address the breadth and depth of security control implementation. Technology-related considerations deal with specific technologies such as wireless, cryptography, and public key infrastructure. Physical infrastructure-related considerations include locks and guards, and environmental controls for temperature, humidity, lighting, fire, and power. Public access-related considerations address whether identification and authentication controls and personnel security controls apply to members of the public who access the system.
109. Compensating security controls are used for an information system in lieu of which of the following?
a. Prescribed controls
b. Management controls
c. Operational controls
d. Technical controls
109. a. Compensating security controls are the management, operational, or technical controls an organization implements in lieu of the prescribed controls in the low, moderate, or high security control baselines. A compensating control must provide equivalent or comparable protection for the information system.
110. Which of the following is not a part of operational controls as they relate to system security controls?
a. Access controls
b. Contingency planning controls
c. Incident response controls
d. Physical security controls
110. a. Access control, along with identification and authentication and audit and accountability, belongs to the technical control class. Contingency planning, incident response, and physical security controls are incorrect because all three belong to the operational control class.
111. The process of selecting the appropriate security controls and applying the system security scoping guidance is to achieve which of the following?
a. Reasonable security
b. Adequate security
c. Normal security
d. Advanced security
111. b. Adequate security is defined as security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. The process of selecting the appropriate security controls and applying the scoping guidance to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization. Note that adequate security is more than reasonable or normal security and less than advanced security.
112. Which of the following is not an example of a common security control?
a. Access control
b. Management control
c. Operational control
d. Hybrid control
112. a. Security controls not designated as common controls are considered system-specific controls and are the responsibility of the information system owner. For example, access control belongs to the technical control class and is typically a system-specific control. Many of the management and operational controls needed to protect an information system are excellent candidates for common security control status. Common security controls reduce security costs when their development, implementation, and assessment are centrally managed. Hybrid controls have one part implemented as a common control and another part implemented as a system-specific control.