The fourth element is software configuration audit, consisting of periodically performing a review to ensure that the SCM practices and procedures are rigorously followed. Auditing is performed last after all the elements are in place to determine whether they are properly working.
7. Which of the following is an example of input validation error?
a. Access validation error
b. Configuration error
c. Buffer overflow error
d. Race condition error
7. c. In an input validation error, the input received by a system is not properly checked, resulting in a vulnerability that can be exploited by sending a certain input sequence. In a buffer overflow, the input received by a system is longer than the expected input length, but the system does not check for this condition.
In an access validation error, the system is vulnerable because the access control mechanism is faulty. A configuration error occurs when user-controllable settings in a system are set so that the system is vulnerable. A race condition error occurs when there is a delay between the time when a system checks to see if an operation is allowed by the security model and the time when the system actually performs the operation.
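As an added illustration of the buffer overflow case in the answer above (example code, not part of the original question bank), the unchecked pattern is shown next to a version that validates the input length before anything is copied; the buffer size NAME_MAX and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* expected input length including the terminating NUL (assumed for this example) */

/* The pattern the answer describes: the input is copied without ever comparing
 * its length to the size of the destination. Shown for contrast only; it is not
 * called anywhere in this example. */
void store_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);   /* copies until the NUL; overruns dst if src is too long */
}

/* Hardened form: validate the length first, then copy only what fits.
 * Returns 1 if the input was accepted and stored, 0 if it was rejected as oversize. */
int store_name_checked(char dst[NAME_MAX], const char *src)
{
    /* Look for the terminator within the first NAME_MAX bytes only, so the
     * check itself never reads past the expected length. */
    const char *nul = memchr(src, '\0', NAME_MAX);
    if (nul == NULL) {
        return 0;                     /* no NUL within NAME_MAX: input too long */
    }
    size_t len = (size_t)(nul - src); /* len <= NAME_MAX - 1, so len + 1 fits */
    memcpy(dst, src, len + 1);
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: one within the expected length, one beyond it. */
    const char *ok   = "alice";
    const char *long_input = "this-name-is-far-too-long-for-the-buffer";
    char buf[NAME_MAX];

    printf("%s -> %s\n", ok, store_name_checked(buf, ok) ? "accepted" : "rejected");
    printf("%s -> %s\n", long_input, store_name_checked(buf, long_input) ? "accepted" : "rejected");
    return 0;
}
```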
8. From a risk management viewpoint, new system interfaces are addressed in which of the following system development life cycle (SDLC) phases?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
8. d. In the operation/maintenance phase of the SDLC, risk management activities are performed whenever major changes are made to an IT system in its operational (production) environment (for example, new system interfaces).
9. System assurance requires which of the following?
1. Proof-of-origin
2. Proof-of-delivery
3. Techniques
4. Metrics
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4
9. d. System assurance is the grounds for confidence that the set of intended security controls in an information system is effective in its application. System assurance requires (i) techniques to achieve integrity, confidentiality, availability, and accountability and (ii) metrics to measure them. Proof-of-origin and proof-of-delivery are required in nonrepudiation.
10. The initiation phase of the security certification and accreditation process does not contain which of the following?
a. Preparation
b. Resource identification
c. Action plan and milestones
d. Security plan acceptance
10. c. The action plan and milestones document belongs to a later phase of the security certification and accreditation process; it describes the measures that have been implemented or planned to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known system vulnerabilities.
The other three choices are part of the initiation phase, which is the first phase, where it is too early to develop the action plan and milestones.
11. Which of the following comes first in the security certification and accreditation process of an information system?
a. Security certification
b. Security recertification
c. Security accreditation
d. Security reaccreditation
11. a. The security certification work comes first as it determines the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired system security posture. This assurance is achieved through system security assessments. The security accreditation package documents the results of the security certification.
Recertification and reaccreditation occur periodically and sequentially whenever there is a significant change to the system or its operational environment as part of ongoing monitoring of security controls.
12. Which of the following security accreditation authority’s decision scenarios require justification for the decision?
1. Full accreditation of the system
2. Accredit the system with conditions
3. Deny the system accreditation
4. Defer the system accreditation
a. 1 only
b. 2 only
c. 1, 2, or 3
d. 1, 2, 3, or 4
12. c. The security accreditation authority has three major scenarios to work with: (i) accredit the system fully, (ii) accredit the system with conditions, or (iii) deny the system accreditation. In any case, supporting rationale (justification) for the decision is needed. In some cases, the system accreditation can be deferred based on sudden changes in regulatory requirements or unexpected merger and acquisition activities in the company. Management can come back to the deferred decision later.
13. In the continuous monitoring phase of the security certification and accreditation process, ongoing assessment of security controls is based on which of the following?
a. Configuration management documents
b. Action plan and milestone documents
c. Configuration control documents
d. Security impact analyses documents
13. b. To determine what security controls to select for ongoing review, organizations should first prioritize testing on “action plan and milestones” items that become closed. These newly implemented controls should be validated first.
The other three documents are part of the continuous monitoring phase and come into play when there are major changes or modifications to the operational system.
14. What is the major purpose of configuration management?
a. To reduce risks from system insertions
b. To reduce risks from system installations
c. To reduce risks from modifications
d. To minimize the effects of negative changes
14. d. The purpose of configuration management is to minimize the effects of negative changes or differences in configurations on an information system or network. The other three choices are examples of minor purposes, all leading to the major purpose. Note that modifications could be proper or improper where the latter leads to a negative effect and the former leads to a positive effect.
15. The primary implementation of the configuration management process is performed in which of the following system development life cycle (SDLC) phases?
a. Initiation
b. Acquisition/development
c. Implementation
d. Operation/maintenance
15. d. The primary implementation of the configuration management process is performed during the operation/maintenance phase of the SDLC. The other phases are too early for this process to take place.
16. Which of the following phases of the security certification and accreditation process primarily deals with configuration management?