
50. Which of the following is similar to security certification and accreditation?

a. Quality assurance

b. Quality control

c. Operational control

d. Management control

50. b. Quality control is similar to security certification and accreditation in terms of scope of work and goals. Quality control is a technical control. Quality assurance is included in security planning, which is a management control. Operational control deals with day-to-day procedures.

51. Which of the following are essential components of the security certification and accreditation process?

1. Risk assessment

2. Security requirements

3. Security plans

4. Security controls

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

51. b. Both risk assessment and security plans are essential components of the security certification and accreditation process. Security requirements and the planned or designed security controls are inputs to the risk assessment and to the security plan; those two documents then carry an accurate picture of the requirements and controls through the system development life cycle (SDLC).

52. By accrediting an information system, an organization’s management official does which of the following?

a. Avoids the risks

b. Limits the risks

c. Accepts the risks

d. Transfers the risks

52. c. By accrediting an information system, an organization’s management official accepts the risks associated with operating the system and the associated security implications to the organization’s operations, assets, or individuals.

53. Information system assurance is achieved through which of the following?

1. Understanding of the threat environment

2. Evaluation of system requirements sets

3. Knowledge of hardware and software engineering principles

4. Availability of product and system evaluation results

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

53. d. System assurance is the grounds for confidence that a system meets its security expectations. Good understanding of the threat environment, evaluation of system requirements sets, knowledge of hardware and software engineering principles, and the availability of product and system evaluation results are required for system assurance.

54. What should be in place prior to the security certification and accreditation process?

a. The security plan is analyzed.

b. The security plan is updated.

c. The security plan is accepted.

d. The security plan is developed.

54. d. During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. For this to happen, the system security plan must have been developed and in place.

55. Which of the following should occur prior to a significant change in the processing of an information system?

a. System recertification

b. System reaccreditation

c. System reauthorization

d. System reassessment

55. c. Reauthorization should occur prior to a significant change in the processing of an information system. A periodic review of controls should also feed into future authorizations.

56. Effective control is achieved when configuration management control is established prior to the start of which of the following?

a. Requirements analysis

b. Design

c. Coding

d. Testing

56. b. The design phase translates requirements into a representation of the software. The design is placed under configuration management control before coding begins.

Requirements analysis is incorrect because it focuses on gathering requirements to understand the nature of the programs to be built. The design must then be translated into machine-readable form; the coding step performs this task. Code is verified, for example through inspection, and placed under configuration management control prior to the start of formal testing. After code is generated, program testing begins. Testing focuses on the logical internals of the software (ensuring that all statements have been exercised) and on the functional externals (running tests that uncover errors and confirm that the defined inputs produce actual results matching the required results).

57. The security-planning document developed in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following?

a. System interconnection agreements

b. Security tests and evaluation results

c. Request for proposal

d. Plan of actions and milestones

57. c. Developing, evaluating, and accepting the request for proposal (RFP) belong to other planning components of the development/acquisition phase of the SDLC; they are project management activities. The other three choices are part of the security-planning document.

58. A worm has infected a system. What should be the first step in handling the worm incident?

a. Analyze the host computer.

b. Disconnect the infected system.

c. Analyze the server.

d. Identify the worm’s behavior.

58. b. Worm incidents often necessitate as rapid a response as possible, because an infected system may be attacking other systems both inside and outside the organization. Organizations may choose to disconnect infected systems from networks immediately, instead of performing an analysis of the host first. Next, the analyst can examine fixed (nonvolatile) characteristics of the server’s operating system, such as looking for administrative-level user accounts and groups that may have been added by the worm. Ultimately, the analyst should gather enough information to identify the worm’s behavior in sufficient detail so that the incident response team can act effectively to contain, eradicate, and recover from the incident.
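To make the "administrative-level user accounts and groups that may have been added by the worm" check concrete, the following is an added example (not part of the original text or any vendor tool). It diffs a pre-incident baseline of /etc/passwd and /etc/group, as kept by a backup or configuration-management record, against the copies found on the infected host. The file contents below are constructed for the demonstration, and the list of privileged groups is an assumption to adjust per host.

```python
"""Triage helper: spot accounts and group memberships a worm may have added.

Added example, not from the original text. Compares a pre-incident baseline of
/etc/passwd and /etc/group against the current copies taken from the infected
host. Sample contents are constructed; PRIVILEGED_GROUPS is an assumption.
"""

PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "adm"}   # assumption: adjust per host

# Constructed baseline (pre-incident) and current (post-infection) account files.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svcupdate:x:0:0::/tmp:/bin/sh
toor:x:1001:1001::/home/toor:/bin/sh
"""
BASELINE_GROUP = """root:x:0:
wheel:x:10:alice
users:x:100:alice
"""
CURRENT_GROUP = """root:x:0:
wheel:x:10:alice,toor
users:x:100:alice
"""


def parse_passwd(text):
    """Return {username: uid} from passwd(5)-formatted text; skip malformed lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # do not crash during triage on a damaged line
        users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Return {groupname: set(members)} from group(5)-formatted text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def find_privilege_changes(base_passwd, cur_passwd, base_group, cur_group):
    """Compare baseline and current account databases.

    Returns a dict with:
      new_accounts   - usernames absent from the baseline
      new_uid0       - accounts that are UID 0 now but were not in the baseline
      changed_uid    - existing accounts whose UID changed
      new_privileged - (group, member) pairs newly present in privileged groups
    """
    base_users, cur_users = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    base_groups, cur_groups = parse_group(base_group), parse_group(cur_group)

    new_accounts = sorted(set(cur_users) - set(base_users))
    new_uid0 = sorted(u for u, uid in cur_users.items()
                      if uid == 0 and base_users.get(u) != 0)
    changed_uid = sorted(u for u in cur_users
                         if u in base_users and base_users[u] != cur_users[u])
    new_privileged = []
    for g in sorted(PRIVILEGED_GROUPS & set(cur_groups)):
        added = cur_groups[g] - base_groups.get(g, set())
        new_privileged.extend((g, m) for m in sorted(added))
    return {"new_accounts": new_accounts, "new_uid0": new_uid0,
            "changed_uid": changed_uid, "new_privileged": new_privileged}


def triage_sample():
    """Run the comparison on the constructed sample data."""
    return find_privilege_changes(BASELINE_PASSWD, CURRENT_PASSWD,
                                  BASELINE_GROUP, CURRENT_GROUP)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

On the sample data the check reports two new accounts (svcupdate and toor), one new UID-0 account (svcupdate, a hidden root-equivalent), and toor added to the wheel group. Because a worm may also edit the baseline copy if it lives on the same host, take the baseline from off-host storage.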

59. A worm has infected a system. From a network traffic perspective, which of the following contains more detailed information?

a. Network-based IDS and firewalls

b. Routers

c. Host-based IDS and firewalls

d. Remote access servers

59. c. Host-based intrusion detection system (IDS) and firewall products running on the infected system may contain more detailed information than network-based IDS and firewall products. For example, host-based IDS can identify changes to files or configuration settings on the host that were performed by a worm. This information is helpful not only in planning containment, eradication, and recovery activities by determining how the worm has affected the host, but also in identifying which worm infected the system. However, because many worms disable host-based security controls and destroy log entries, data from host-based IDS and firewall software may be limited or missing. If the software was configured to forward copies of its logs to centralized log servers, then queries to those servers may provide some useful information (assuming the host logs’ integrity is not in doubt).
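The file and configuration change detection a host-based IDS performs, and the caveat that a worm may wipe local logs, can be shown with an added example (not part of the original text or any IDS product). It records a manifest of hash and size for watched files, then diffs the live filesystem against it; files whose content changed and whose size shrank are reported separately, since that is what a destroyed log typically looks like. The watched paths and the worm-like changes are constructed in a temporary directory so the block runs offline.

```python
"""Host-side change detection for worm triage.

Added example, not from the original text. Mimics what a host-based IDS does:
keep a manifest (path -> (sha256, size)) of watched files and compare it
against the live filesystem. Runs on a temporary directory populated with
constructed sample files; the paths and the "worm" edits are invented.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Record sha256 and size of every regular file under `root`, keyed by relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (h.hexdigest(), os.path.getsize(full))
    return manifest


def diff_manifests(baseline, current):
    """Classify differences between two manifests.

    Content changes where the file also got smaller go into 'truncated':
    a worm that destroys log entries usually leaves a shorter file behind.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, truncated = [], []
    for path in sorted(set(baseline) & set(current)):
        if baseline[path][0] == current[path][0]:
            continue  # hash unchanged
        if current[path][1] < baseline[path][1]:
            truncated.append(path)
        else:
            modified.append(path)
    return {"added": added, "removed": removed,
            "modified": modified, "truncated": truncated}


def _write(root, rel, data):
    """Create a file (and parent dirs) inside the sample tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def simulate_worm_triage():
    """Build a clean baseline, apply constructed worm-like changes, and diff."""
    with tempfile.TemporaryDirectory() as root:
        # constructed "clean" host state
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        _write(root, "var/log/auth.log", b"accepted password for alice\n" * 50)
        baseline = build_manifest(root)

        # constructed worm-like changes: config weakened, log wiped, payload dropped
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")
        _write(root, "var/log/auth.log", b"")
        _write(root, "tmp/.x/worm.bin", b"\x7fELF...")
        current = build_manifest(root)
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for key, value in simulate_worm_triage().items():
        print(f"{key}: {value}")
```

The report flags the dropped payload as added, the sshd configuration as modified, and the emptied auth.log as truncated, which is exactly the case where the host's own records are no longer trustworthy and the forwarded copy on the central log server becomes the evidence of record. For the same reason the manifest itself should be stored off the monitored host.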