1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 119
Выбрать главу

c. Gray-box testing

d. Integration testing

28. a. Black-box testing, also known as functional testing, executes part or all the system to validate that the user requirement is satisfied.

White-box testing, also known as structural testing, examines the logic of the units and may be used to support software requirements for test coverage, i.e., how much of the program has been executed.

Gray-box testing can be looked at as anything that is not tested in white-box or black-box. An integration testing is performed to examine how units interface and interact with each other with the assumption that the units and the objects (for example, data) they manipulate have all passed their unit tests.

29. System integration is performed in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

29. c. The new system is integrated at the operational site where it is to be deployed for operation. Security control settings and switches are enabled.

30. Formal risk assessment is conducted in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

30. b. Formal risk assessment is conducted in the development/acquisition phase to identify system protection requirements. This analysis builds on the initial (preliminary or informal) risk assessment performed during the initiation phase, but will be more in-depth and specific.

31. Which of the following system development life cycle (SDLC) phases establishes an initial baseline of hardware, software, and firmware components for the information system?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

31. d. Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system. This task is performed in the operation/maintenance phase so that changes can be tracked and monitored. Prior to this phase, the system is in a fluid state, meaning that initial baselines cannot be established.

32. Controlling and maintaining an accurate inventory of any changes to an information system is possible due to which of the following?

a. Configuration management and controls

b. Continuous monitoring

c. Security certification

d. Security accreditation

32. a. Configuration management and controls, which is a part of system operation and maintenance phase, deals with controlling and maintaining an accurate inventory of any changes to the system. Security certification and security accreditation are part of system implementation phase, whereas continuous monitoring is a part of operation and maintenance phase.

33. Which of the following does not facilitate self-assessments or independent security audits of an information system?

a. Internal control reviews

b. Penetration testing

c. Developing security controls

d. Security checklists

33. c. System assessors or auditors do not develop security controls due to loss of objectivity in thinking and loss of independence in appearance. Security controls should be built by system designers and developers prior to performing internal control reviews, conducting penetration testing, or using security checklists by system assessors or auditors. Internal control reviews, penetration testing, and security checklists simply facilitate self-assessments or independent audits of an information system later.

34. In the needs-determination task of the system development life cycle (SDLC) initiation phase, which of the following optimizes the organization’s system needs within budget constraints?

a. Fit-gap analysis

b. Risk analysis

c. Investment analysis

d. Sensitivity analysis

34. c. Investment analysis is defined as the process of managing the enterprise information system portfolio and determining an appropriate investment strategy. The investment analysis optimizes the organization’s system needs within budget constraints.

Fit-gap analysis identifies the differences between what is required and what is available; or how two things fit or how much gap there is between them. Risk analysis is determining the amount of risk and sensitivity analysis can determine the boundaries of the risk in terms of changing input values and the accompanying changes in output values.

35. In the preliminary risk assessment task of the system development life cycle (SDLC) initiation phase, integrity needs from a user’s or owner’s perspective are defined in terms of which of the following?

a. Place of data

b. Timeliness of data

c. Form of data

d. Quality of data

35. d. Integrity can be examined from several perspectives. From a user’s or application owner’s perspective, integrity is the quality of data that is based on attributes such as accuracy and completeness. The other three choices do not reflect the attributes of integrity.

36. An in-depth study of the needs-determination for a new system under development is conducted in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

36. b. The requirements analysis task of the SDLC phase of development is an in-depth study of the need for a new system. The requirements analysis draws on and further develops the work performed during the initiation phase. The needs-determination activity is performed at a high-level x of functionality in the initiation phase.

37. Which of the following should be conducted before the approval of system design specifications of a new system under development?

a. Enterprise security architecture

b. Interconnected systems

c. Formal risk assessment

d. System security specifications

37. c. A formal security risk assessment should be conducted before the approval of system design specifications. The other three choices are considered during a formal security risk assessment process.

38. Which of the following is often overlooked when determining the cost of a new system’s acquisition or development?

a. Hardware

b. Software

c. Training

d. Security

38. d. The capital planning process determines how much the acquisition or development of a new system will cost over its life cycle. These costs include hardware, software, personnel, and training. Another critical area often overlooked is security.

39. Which of the following is required when an organization uncovers deficiencies in the security controls employed to protect an information system?

~ 119 ~