
a. Initiation

b. Security certification

c. Security accreditation

d. Continuous monitoring

16. d. The fourth phase of the security certification and accreditation process, continuous monitoring, primarily deals with configuration management. Documenting information system changes and assessing the potential impact those changes may have on the security of the system is an essential part of continuous monitoring and of maintaining the security accreditation.

17. Constant monitoring of an information system is performed with which of the following?

1. Risk management

2. Security certification

3. Security accreditation

4. Configuration management processes

a. 1 and 2

b. 2 and 3

c. 1, 2, and 3

d. 1, 2, 3, and 4

17. d. Constant monitoring of a system is performed to identify possible risks to the system so that these can be addressed through the risk management, security certification and accreditation, and configuration management processes.

18. Which of the following are not the responsibilities of the configuration control review board?

1. Discussing change requests

2. Conducting impact analysis of changes

3. Requesting funding to implement changes

4. Notifying users of system changes

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

18. c. Conducting impact analysis of changes and notifying users of system changes are the responsibilities of the configuration manager, whereas discussing change requests and requesting funding to implement changes are the responsibilities of the configuration control review board.

19. An impact analysis of changes is conducted in which of the following configuration management process steps?

a. Identify changes.

b. Evaluate change request.

c. Implement decisions.

d. Implement approved change requests.

19. b. After initiating a change request, the effects that the change may have on a specific system or other interrelated systems must be evaluated. An impact analysis of the change is conducted in the “evaluate change request” step. Evaluation is the end result of identifying changes, deciding what changes to approve and how to implement them, and actually implementing the approved changes.

20. Additional testing or analysis may be needed in which of the following operational decision choices of the configuration management process?

a. Approve

b. Implement

c. Deny

d. Defer

20. d. In the “defer” choice, the immediate decision is postponed until further notice. In this situation, additional testing or analysis may be needed before a final decision can be made later.

On the other hand, approve, implement, and deny choices do not require additional testing and analysis because management is already satisfied with the testing and analysis.

21. During the initiation phase of a system development life cycle (SDLC) process, which of the following tasks is not typically performed?

a. Preliminary risk assessment

b. Preliminary system security plans

c. High-level security test plans

d. High-level security system architecture

21. c. A security test plan, whether high level or low level, is developed in the development/acquisition phase. The other three choices are performed in the initiation phase.

22. Security controls are designed and implemented in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Disposal

22. b. Security controls are developed, designed, and implemented in the development/acquisition phase. Additional controls may be developed to support the controls already in place or planned.

23. Product acquisition and integration costs are determined in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Disposal

23. b. Product acquisition and integration costs that can be attributed to information security over the life cycle of the system are determined in the development/acquisition phase. These costs include hardware, software, personnel, and training.

24. A formal authorization to operate an information system is obtained in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Disposal

24. c. In the implementation phase, the organization configures and enables system security features, tests the functionality of these features, installs or implements the system, and finally, obtains a formal authorization to operate the system.

25. Which of the following gives assurance as part of a system’s security and functional requirements defined for an information system?

a. Access controls

b. Background checks for system developers

c. Awareness

d. Training

25. b. Security and functional requirements can be expressed as technical (for example, access controls), assurances (for example, background checks for system developers), or operational practices (for example, awareness and training).

26. System users must perform which of the following when new security controls are added to an existing application system?

a. Unit testing

b. Subsystem testing

c. Full system testing

d. Acceptance testing

26. d. If new security controls are added to an existing application system or to a support system, system users must perform additional acceptance tests of these new controls. This approach ensures that new controls meet security specifications and do not conflict with or invalidate existing controls.

27. Periodic reaccreditation of a system is done in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

27. d. Documenting information system changes and assessing the potential impact of these changes on the security of a system is an essential part of continuous monitoring and key to avoiding a lapse in the system security reaccreditation. Periodic reaccreditation is done in the operation phase.

28. Which of the following tests is driven by system requirements?

a. Black-box testing

b. White-box testing