Domain 4
Software Development Security
Traditional Questions, Answers, and Explanations
1. Which of the following is the correct sequence of steps to be followed in an application-software change control process?
1. Test the changes.
2. Plan for changes.
3. Initiate change request.
4. Release software changes.
a. 1, 2, 3, and 4
b. 2, 1, 3, and 4
c. 3, 2, 1, and 4
d. 4, 3, 1, and 2
1. c. Any application software change must start with a change request from a functional user. An information technology (IT) person can plan, test, and release the change after it is approved by the functional user.
2. To overcome resistance to a change, which of the following approaches provides the best solution?
a. The change is well planned.
b. The change is fully communicated.
c. The change is implemented in a timely way.
d. The change is fully institutionalized.
2. d. Managing change is a difficult process. People resist change due to a certain amount of discomfort that a change may bring. It does not matter how well the change is planned, communicated, or implemented if it is not spread throughout the organization evenly. Institutionalizing the change means changing the climate of the company. This needs to be done in a consistent and orderly manner. Any major change should be done using a pilot approach. After a number of pilots have been successfully completed, it is time to use these success stories as leverage to change the entire company.
3. During the system design of data input control procedures, the least consideration should be given to which of the following items?
a. Authorization
b. Validation
c. Configuration
d. Error notification
3. c. Configuration management is a procedure for applying technical and administrative direction and monitoring to (i) identify and document the functional and physical characteristics of an item or system, (ii) control any changes made to such characteristics, and (iii) record and report the change, process, and implementation status. The authorization process may be manual or automated. All authorized transactions should be recorded and entered into the system for processing. Validation ensures that the data entered meets predefined criteria in terms of its attributes. Error notification is as important as error correction.
4. Software configuration management (SCM) should primarily address which of the following questions?
a. How does software evolve during system development?
b. How does software evolve during system maintenance?
c. What constitutes a software product at any point in time?
d. How is a software product planned?
4. c. Software configuration management (SCM) is a discipline for managing the evolution of computer products, both during the initial stages of development and through to maintenance and final product termination. Visibility into the status of the evolving software product is provided through the adoption of SCM on a software project. Software developers, testers, project managers, quality assurance staff, and the customer benefit from SCM information. SCM answers questions such as (i) What constitutes the software product at any point in time? and (ii) What changes have been made to the software product?
How a software product is planned, developed, or maintained does not matter because it describes the history of a software product’s evolution, as described in the other choices.
5. What is the main feature of software configuration management (SCM)?
a. Tracing of all software changes
b. Identifying individual components
c. Using computer-assisted software engineering tools
d. Using compilers and assemblers
5. a. Software configuration management (SCM) is practiced and integrated into the software development process throughout the entire life cycle of the product. One of the main features of SCM is the tracing of all software changes.
Identifying individual components is incorrect because it is a part of the configuration identification function. The goals of configuration identification are to create the ability to identify the components of the system throughout its life cycle and to provide traceability between the software and related configuration identification items.
Computer-assisted software engineering (CASE) tools, compilers, and assemblers are incorrect because they are examples of technical factors. SCM is essentially a discipline applying technical and administrative direction and surveillance for managing the evolution of computer program products during all stages of development and maintenance. Some examples of technical factors include use of CASE tools, compilers, and assemblers.
6. Which of the following areas of software configuration management (SCM) is executed last?
a. Identification
b. Change control
c. Status accounting
d. Audit
6. d. There are four elements of configuration management. The first element is configuration identification, consisting of selecting the configuration items for a system and recording their functional and physical characteristics in technical documentation.
The second element is configuration change control, consisting of evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification.
The third element is configuration status accounting, consisting of recording and reporting of information that is needed to manage a configuration effectively.