The objectives of the software quality assurance process are to ensure that the software development and software assurance processes comply with software assurance plans and standards, and to recommend process improvement. This process uses the system requirements and information about the purpose and criticality of the software to evaluate the outputs of the software development and software assurance processes.

The objective of the software verification and validation (SV&V) process is to comprehensively analyze and test the software concurrently with processes of software development and software maintenance. The process determines that the software performs its intended functions correctly, ensures that it performs no unintended functions, and measures its quality and reliability. SV&V is a detailed engineering assessment for evaluating how well the software is meeting its technical requirements, in particular its safety, security, and reliability objectives, and for ensuring that software requirements are not in conflict with any standards or requirements applicable to other system components.

76. The Reference Monitor concept is which of the following?

a. It is dependent on mandatory access control policy.

b. It is independent of any access control policy.

c. It is independent of role-based access control policy.

d. It is dependent on discretionary access control policy.

76. b. The Reference Monitor concept is independent of any particular access control policy because it mediates all types of access to objects by subjects. Mandatory access control policy is a means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity. With role-based access control policy, access decisions are based on the roles (for example, teller, analyst, and manager) that individual users have as part of an organization. Discretionary access control policy is a means of restricting access to objects based on the identity of subjects.

77. Which of the following are essential activities of a comprehensive information security program for an organization on an ongoing basis?

1. Information preservation

2. Security test and evaluation

3. Security control monitoring

4. Security status reporting

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 3 and 4

77. d. Security-control monitoring and reporting the status of the information system to appropriate management authorities are essential activities of a comprehensive information security program. Information preservation is a part of the disposal phase, whereas security test and evaluation is a part of the implementation phase of a system development life cycle (SDLC). Security-control monitoring and security status reporting are a part of the operation and maintenance phase of an SDLC, which facilitate ongoing work.

78. Security certification is made in support of which of the following?

a. Security accreditation

b. Management controls

c. Operational controls

d. Technical controls

78. a. Security certification is a comprehensive assessment of the management, operational, and technical controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcomes.

79. Which of the following is not one of the primary goals of certification and accreditation of information systems?

a. To enable consistent assessment of security controls

b. To promote a better understanding of organization-wide risks

c. To deliver reliable information to management

d. To conduct reaccreditation reviews periodically

79. d. Conducting reaccreditation reviews periodically is a mechanical step (a byproduct of the goal) and a secondary goal. The primary goals of certification and accreditation of information systems are to (i) enable more consistent, comparable, and repeatable assessments of security controls in information systems, (ii) promote a better understanding of organization-related risks resulting from the operation of information systems, and (iii) create more complete, reliable, and trustworthy information for authorizing officials (management) to facilitate more informed security accreditation decisions.

80. The security accreditation phase does not contain which of the following?

a. System security plan

b. System security assessment report

c. Plan of actions and milestones

d. Security impact analyses

80. d. Security impact analyses are conducted in the continuous monitoring phase whenever there are changes to the information system. The other three choices are part of the security accreditation phase, which comes before the continuous monitoring phase.

81. Which of the following is not a common error or vulnerability in information systems?

a. Encryption failures

b. Buffer overflows

c. Format string errors

d. Failing to check input for validity

81. a. Usually, encryption algorithms do not fail because they are extensively tested, and encryption keys are getting longer, making them more difficult to break. Many errors reoccur, including buffer overflows, race conditions, format string errors, failing to check input for validity, and computer programs being given excessive access privileges.

82. Which of the following is not the responsibility of the configuration manager?

a. Documenting the configuration management plan

b. Approving, denying, or deferring changes

c. Evaluating configuration management metric information

d. Ensuring that an audit trail of changes is documented

82. c. Evaluating configuration management metric information is the responsibility of the configuration control review board, whereas the other three choices are responsibilities of the configuration manager.

83. Which of the following tasks are performed during the continuous monitoring step of the configuration management (CM) process?

1. Configuration verification tests

2. System audits

3. Patch management

4. Risk management

a. 1 and 2

b. 2 and 3

c. 1, 2, and 3

d. 1, 2, 3, and 4

83. d. The configuration management (CM) process calls for continuous system monitoring to ensure that it is operating as intended and that implemented changes do not adversely impact either the performance or security posture of the system. Configuration verification tests, system audits, patch management, and risk management activities are performed to achieve the CM goal.