Integration testing is incorrect because it comes after completion of unit tests. An integration test is performed to examine how units interface and interact with each other with the assumption that the units and the objects (for example, data) they manipulate have all passed their unit tests. Software integration tests check how the units interact with other software libraries and hardware.

System testing is incorrect because it comes after completion of the integration tests. It tests the completely integrated system and validates that the software meets its requirements.

Acceptance testing is incorrect because it comes after completion of integration tests. It is testing of user requirements in an operational mode conducted by end users and computer operations staff.

68. If manual controls over program changes were weak, which of the following would be effective?

a. Automated controls

b. Written policies

c. Written procedures

d. Written standards

68. a. In general, automated controls compensate for the weaknesses in or lack of manual controls or vice versa (i.e., a compensating control). For example, an automated software management system can help in strengthening controls by moving programs from production to test libraries and back. It minimizes human errors in moving wrong programs or forgetting to move the right ones. Written policies, procedures, and standards are equally necessary in manual and automated environments.

69. Which of the following defines management’s formal acceptance of the adequacy of an application system’s security?

a. System certification

b. Security certification

c. System accreditation

d. Security accreditation

69. c. System accreditation is management’s formal acceptance of the adequacy of an application system’s security. The accreditors are responsible for evaluating the certification evidence, deciding on the acceptability of application security safeguards, approving corrective actions, ensuring that corrective actions are accomplished, and issuing the accreditation statement.

System certification is the technical evaluation of compliance with security requirements for the purpose of accreditation. The technical evaluation uses a combination of security evaluation techniques (for example, risk analysis, security plans, validation, verification, testing, security safeguard evaluation, and audit) and culminates in a technical judgment of the extent to which safeguards meet security requirements.

Security certification is a formal testing of the security controls (safeguards) implemented in the computer system to determine whether they meet applicable requirements and specifications.

Security accreditation is the formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk. It is usually supported by a review of the system, including its management, operational, and technical controls.

A system certification is conducted first and system accreditation is next because the former supports the latter. Security certification and security accreditation processes follow the system certification and system accreditation processes.

70. Which of the following is a nonresident virus?

a. Master boot sector virus

b. File infector virus

c. Macro virus

d. Boot-sector infector

70. c. Macro viruses are nonresident viruses. A resident virus is one that loads into memory, hooks one or more interrupts, and remains inactive in memory until some trigger event. All boot viruses and most common file viruses are resident viruses. Macro viruses are found in documents, not in disks.

71. Backdoors are which of the following?

a. They are entry points into a computer program.

b. They are choke points into a computer program.

c. They are halt points into a computer program.

d. They are exit points into a computer program.

71. a. Programmers frequently create entry points (backdoors) into a program for debugging purposes and/or insertion of new program codes at a later date. The other three choices do not apply here because they do not deal with entry points.

72. Most Trojan horses can be prevented and detected by which of the following?

a. Removing the damage

b. Assessing the damage

c. Installing program change controls

d. Correcting the damage

72. c. Most Trojan horses can be prevented and detected by a strong program change control in which every change is independently examined before being put into use. After a Trojan horse is detected, the cure is to remove it. Next, try to find all the damage it has done and correct that damage.

73. From a risk analysis viewpoint, what does the major vulnerable area in a computer application system include?

a. Internal computer processing

b. System inputs and outputs

c. Telecommunications and networks

d. External computer processing

73. b. The biggest vulnerable area is in the manual handling of data before it is entered into an application system or after it has been retrieved from the system in hard copy form. Because human intervention is significant here, the risk is higher. Controls over internal and external computer processing and telecommunications and the network can be made stronger with automated controls.

74. Which of the following is most likely to be tampered with or manipulated?

a. Configuration file

b. Password file

c. Log file

d. System file

74. c. A log file is most likely to be tampered with (manipulated), either by insiders or outsiders, because it contains unsuccessful login attempts or system usage. A configuration file contains system parameters. A password file contains passwords and user IDs, whereas a system file contains general information about computer system hardware and software.

75. Which of the following software assurance processes is responsible for ensuring that any changes to software outputs during the system development process are made in a controlled and complete manner?

a. Software configuration management processes

b. Software project management processes

c. Software quality assurance processes

d. Software verification and validation processes

75. a. The objectives of the software configuration management (SCM) process are to track the different versions of the software and ensure that each version of the software contains the exact software outputs generated and approved for that version. SCM is responsible for ensuring that any changes to any software outputs during the development processes are made in a controlled and complete manner.

The objective of the project management process is to establish the organizational structure of the project and assign responsibilities. This process uses the system requirements documentation and information about the purpose of the software, criticality of the software, required deliverables, and available time and resources to plan and manage the software development and software assurance processes. It establishes or approves standards, monitoring and reporting practices, and high-level policy for quality, and it cites policies and regulations.