a. Develop preventive security controls.
b. Develop a plan of action and milestones.
c. Develop detective security controls.
d. Modify ineffective security controls.
39. b. Detailed plans of action and milestones (POA&M) schedules are required to document the corrective measures needed to increase the effectiveness of the security controls and to provide the requisite security for the information system prior to security authorization. The other three choices are not corrective steps requiring action plans and milestone schedules.
40. The security-planning document developed in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following?
a. Statement of work development
b. Configuration management plan
c. Contingency plan
d. Incident response plan
40. a. The statement of work development is a part of other planning components in the development/acquisition phase of a system development life cycle (SDLC). The other three choices are part of the security-planning document.
41. In establishing a secure network, which of the following reflects the greatest need for restricting access via secure location?
a. Transaction files
b. Configuration files
c. Work files
d. Temporary files
41. b. Configuration files, system files, or files with sensitive information must not be migrated to different storage media and must be retained in a secure location due to their access restrictions. The files listed in the other three choices are not sensitive; they are temporary and don't need to be retained after their use is completed.
42. Which of the following occurs after delivery and installation of a new information system under acquisition?
a. Unit testing
b. Subsystem testing
c. Full system testing
d. Integration and acceptance testing
42. d. Integration and acceptance testing occurs after delivery and installation of the new information system and is the testing conducted for an acquired system. Unit, subsystem, and full system testing are not conducted for an acquired system; they are conducted for an in-house developed system.
43. Which of the following should be done prior to final system deployment for operation?
a. Conduct a security certification process.
b. Describe the known vulnerabilities in the system.
c. Establish control verification techniques to provide confidence.
d. Document the safeguards that are in place to protect the system.
43. a. Prior to final system deployment, a security certification should be conducted to ensure that security controls established in response to security requirements are included as part of the system development process. The other three choices are part of the scope of the security certification process.
44. The security accreditation decision reflects which of the following?
a. Test-based decision
b. Risk-based decision
c. Evaluation-based decision
d. Results-based decision
44. b. The security accreditation decision is a risk-based decision that depends heavily, but not exclusively, on the security testing and evaluation results produced during the security control verification process. The security accreditation focuses on risk, whereas system accreditation focuses on an evaluation based on tests and their results.
45. Which of the following are the two key information security steps of the operation phase within the system development life cycle (SDLC)?
1. Information preservation
2. Security accreditation
3. Configuration management and control
4. Continuous monitoring
a. 1 and 2
b. 2 and 3
c. 1 and 4
d. 3 and 4
45. d. Managing and controlling the configuration of the system and providing for a process of continuous monitoring are the two key information security steps of the operation/maintenance phase of an SDLC. Information preservation is an activity of the disposal phase, whereas security accreditation is an activity of the implementation phase of an SDLC.
46. Which of the following are ways to accomplish ongoing monitoring of security control effectiveness?
1. Security reviews
2. Self-assessments
3. Security test and evaluation
4. Independent security audits
a. 1 and 2
b. 2 and 3
c. 1 and 4
d. 1, 2, 3, and 4
46. d. The ongoing monitoring of security control effectiveness can be accomplished in a variety of ways including security reviews, self-assessments, security test and evaluation, and independent security audits.
47. Which of the following is a good definition of security control monitoring?
a. Verifying the continued effectiveness of security controls over time
b. Verifying the continued efficiency of security controls over time
c. Verifying the development effectiveness of security controls over time
d. Verifying the planning effectiveness of security controls over time
47. a. Organizations need periodic and continuous testing and evaluation of the security controls in an information system to ensure that the controls are effective in their application. Security control monitoring means verifying the continued effectiveness of those controls over time.
48. Which of the following statements is not true about a system development life cycle (SDLC) process?
a. Systems undergo improvements in technology.
b. Security plans evolve with the follow-on system.
c. There is a definitive end to an SDLC.
d. Much of previous operational controls are relevant to the follow-on system.
48. c. Usually, there is no definitive end to an SDLC process because the system can become a legacy system for a long time or it can eventually be replaced with a new system. Systems evolve or transition to the next generation as follow-on systems with changing requirements and technology. Security plans evolve with the system. Many of the management and operational controls in the old, legacy system are still relevant and useful in developing the security plan for the follow-on system.
49. If there is a doubt as to whether sensitive information remains on a system, which of the following should be consulted before disposing of the system?
a. Information system owner
b. Information system security officer
c. Information owner
d. Certification and accreditation officer
49. b. Some systems may contain sensitive information after the storage media is removed. If there is a doubt whether sensitive information remains on a system, the information system security officer should be consulted before disposing of the system because the officer deals with technical aspects of a system. The other parties mentioned do not have a technical focus but instead have a business focus.