1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 94
Выбрать главу

a. Automated vulnerability scanning tools

b. Security requirement checklist

c. Security advisories

d. Security test and evaluation

35. b. Developing a security requirements checklist, based on the security requirements specified for the system during the conceptual, design, and implementation phases of the system development life cycle (SDLC), can be used to provide a 360-degree inspection of the system.

Automated vulnerability scanning tools and security test and evaluation augment the basic vulnerability reviews. Security advisories are typically provided by the vendor and give the organization up-to-date information on system vulnerabilities and remediation strategies

36. During the risk assessment process of a system, what is the level of risk to the system derived by?

a. Multiplying the threat likelihood rating with the impact level

b. Subtracting the threat likelihood rating from the impact level

c. Adding the threat likelihood rating to the impact level

d. Dividing the threat likelihood rating by the impact level

36. a. When the ratings for threat likelihood (i.e., high, moderate, or low) and impact levels (i.e., high, moderate, or low) have been determined through appropriate analysis, the level of risk to the system and the organization can be derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact level.

37. The effectiveness of recommended security controls is primarily related to which of the following?

a. System safety

b. System reliability

c. System complexity

d. System regulations

37. c. The effectiveness of recommended security controls is primarily related to system complexity and compatibility. The level and type of security controls should fit with the system complexity, meaning more controls are needed for complex systems and fewer controls are needed for simple systems. At the same time, security controls should match the system compatibility, meaning application-oriented controls are needed for application systems, and operating system–oriented controls are needed for operating systems. Other factors that should be considered include legislation and regulations, the organization’s policy, system impact, system safety, and system reliability.

38. Risk mitigation does not strive to do which of the following?

a. Control identification

b. Control prioritization

c. Control evaluation

d. Control implementation

38. a. Risk mitigation strives to prioritize, evaluate, and implement the appropriate risk-reducing controls recommended from the risk assessment process. Control identification is performed in the risk assessment process, which comes before risk mitigation.

39. Which one of the following items can be a part of other items?

a. Management controls

b. Operational controls

c. Technical controls

d. Preventive controls

39. d. System security controls selected are grouped into one of the three categories of management, operational, or technical controls. Each one of these controls can be preventive in nature.

40. Risk management activities are performed for periodic system re-authorization in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

40. d. In the operation/maintenance phase of the SDLC, risk management activities are performed for periodic system re-authorization or re-accreditation.

41. Which of the following are the fundamental reasons why organizations implement a risk management process for their IT systems?

1. Need for minimizing negative impact on an organization

2. Need for sound basis in decision making

3. Need for inventing a new risk management methodology for each SDLC phase

4. Need for noniterative process used in risk management

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

41. a. Minimizing a negative impact on an organization and need a for sound basis in decision making are the fundamental reasons why organizations implement a risk management process for their IT systems. The risk management methodology is the same regardless of the system development life cycle (SDLC) phase and it is an iterative process that can be performed during each major phase of the SDLC.

42. From a risk management viewpoint, system migration is conducted in which of the following system development life cycle (SDLC) phases?

a. Development/acquisition

b. Implementation

c. Operation/maintenance

d. Disposal

42. d. In the disposal phase of the SDLC process, system migration is conducted in a secure and systematic manner.

43. For gathering information in the risk assessment process, proactive technical methods include which of the following?

a. Questionnaires

b. Onsite interviews

c. Document review

d. Network mapping tool

43. d. A network mapping tool, which is an automated information scanning tool, can identify the services that run on a large group of hosts and provide a quick way of building individual profiles of the target IT system(s). The other three choices are not examples of technical methods, whether proactive.

44. Which of the following is not a recommended approach for identifying system vulnerabilities?

a. Using vulnerability sources

b. Using threat sources

c. Conducting system security testing

d. Using security requirements checklist

44. b. Vulnerabilities (flaws and weaknesses) are exploited by the potential threat sources such as employees, hackers, computer criminals, and terrorists. Threat source is a method targeted at the intentional exploitation of a vulnerability or a situation that may accidentally exploit a vulnerability.

Recommended approaches for identifying system vulnerabilities include the use of vulnerability sources, the performance of system security testing, and the development of a security-requirements checklist.

45. From a risk mitigation viewpoint, which of the following is not an example of system protection controls that are part of supporting technical security controls?

a. Modularity

b. Layering

c. Need-to-know

d. Access controls

45. d. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls). Supporting controls must be in place in order to implement other controls. Access controls are a part of preventive technical security controls, whereas system protections are an example of supporting technical security controls.

~ 94 ~