FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems.
Which of the following FITSAF levels shows that the procedures and controls are tested and reviewed?
- A . Level 4
- B . Level 5
- C . Level 1
- D . Level 2
- E . Level 3
Which of the following is a type of security management for computers and networks in order to identify security breaches
- A . IPS
- B . IDS
- C . ASA
- D . EAP
Which of the following types of firewalls increases the security of data packets by remembering the state of connection at the network and the session layers as they pass through the filter
- A . Stateless packet filter firewall
- B . PIX firewall
- C . Stateful packet filter firewall
- D . Virtual firewall
Which of the following federal laws is designed to protect computer data from theft
- A . Federal Information Security Management Act (FISMA)
- B . Computer Fraud and Abuse Act (CFAA)
- C . Government Information Security Reform Act (GISRA)
- D . Computer Security Act
Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media
- A . ATM
- B . RTM
- C . CRO
- D . DAA
Part of your change management plan details what should happen in the change control system for your project. Theresa, a junior project manager, asks what the configuration management activities are for scope changes. You tell her that all of the following are valid configuration management activities except for which one
- A . Configuration Item Costing
- B . Configuration Identification
- C . Configuration Verification and Auditing
- D . Configuration Status Accounting
Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process
- A . Authorizing Official
- B . Information system owner
- C . Chief Information Officer (CIO)
- D . Chief Risk Officer (CRO)
Which of the following security controls is a set of layered security services that address communications and data security problems in the emerging Internet and intranet application space
- A . Internet Protocol Security (IPSec)
- B . Common data security architecture (CDSA)
- C . File encryptors
- D . Application program interface (API)
Which of the following protocols is used to establish a secure terminal to a remote network device
- A . WEP
- B . SMTP
- C . SSH
- D . IPSec
Which of the following elements of Registration task 4 defines the system’s external interfaces as well as the purpose of each external interface, and the relationship between the interface and the system
- A . System firmware
- B . System software
- C . System interface
- D . System hardware
Which of the following guidelines is recommended for engineering, protecting, managing, processing, and controlling national security and sensitive (although unclassified) information
- A . Federal Information Processing Standard (FIPS)
- B . Special Publication (SP)
- C . NISTIRs (Internal Reports)
- D . DIACAP by the United States Department of Defense (DoD)
Which of the following Security Control Assessment Tasks gathers the documentation and supporting materials essential for the assessment of the security controls in the information system
- A . Security Control Assessment Task 4
- B . Security Control Assessment Task 3
- C . Security Control Assessment Task 1
- D . Security Control Assessment Task 2
Which of the following professionals plays the role of a monitor and takes part in the organization’s configuration management process
- A . Chief Information Officer
- B . Authorizing Official
- C . Common Control Provider
- D . Senior Agency Information Security Officer
Which of the following processes culminates in an agreement between key players that a system in its current configuration and operation provides adequate protection controls
- A . Certification and accreditation (C&A)
- B . Risk Management
- C . Information systems security engineering (ISSE)
- D . Information Assurance (IA)
The Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3.
What are the process activities of this phase Each correct answer represents a complete solution. Choose all that apply.
- A . Security operations
- B . Continue to review and refine the SSAA
- C . Change management
- D . Compliance validation
- E . System operations
- F . Maintenance of the SSAA
Which of the following email lists is written for the technical audiences, and provides weekly summaries of security issues, new vulnerabilities, potential impact, patches and workarounds, as well as the actions recommended to mitigate risk
- A . Cyber Security Tip
- B . Cyber Security Alert
- C . Cyber Security Bulletin
- D . Technical Cyber Security Alert
Which of the following tasks obtains the customer agreement in planning the technical effort
- A . Task 9
- B . Task 11
- C . Task 8
- D . Task 10
Which of the following documents were developed by NIST for conducting Certification & Accreditation (C&A) Each correct answer represents a complete solution. Choose all that apply.
- A . NIST Special Publication 800-59
- B . NIST Special Publication 800-60
- C . NIST Special Publication 800-37A
- D . NIST Special Publication 800-37
- E . NIST Special Publication 800-53
- F . NIST Special Publication 800-53A
Which of the following elements are described by the functional requirements task Each correct answer represents a complete solution. Choose all that apply.
- A . Coverage
- B . Accuracy
- C . Quality
- D . Quantity
Which of the following documents is defined as a source document, which is most useful for the ISSE when classifying the needed security functionality
- A . Information Protection Policy (IPP)
- B . IMM
- C . System Security Context
- D . CONOPS
DoD 8500.2 establishes IA controls for information systems according to the Mission Assurance Categories (MAC) and confidentiality levels.
Which of the following MAC levels requires basic integrity and availability?
- A . MAC I
- B . MAC II
- C . MAC IV
- D . MAC III
What are the responsibilities of a system owner Each correct answer represents a complete solution. Choose all that apply.
- A . Integrates security considerations into application and system purchasing decisions and development projects.
- B . Ensures that the necessary security controls are in place.
- C . Ensures that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on.
- D . Ensures that the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner.
Which of the following Registration Tasks sets up the business or operational functional description and system identification
- A . Registration Task 2
- B . Registration Task 1
- C . Registration Task 3
- D . Registration Task 4
SIMULATION
Fill in the blank with an appropriate section name. _________________ is a section of the SEMP template, which specifies the methods and reasoning planned to build the requisite trade-offs between functionality, performance, cost, and risk.
Which of the following federal agencies provides a forum for the discussion of policy issues, sets national policy, and promulgates direction, operational procedures, and guidance for the security of national security systems
- A . National Security AgencyCentral Security Service (NSACSS)
- B . National Institute of Standards and Technology (NIST)
- C . United States Congress
- D . Committee on National Security Systems (CNSS)
Which of the following statements is true about residual risks
- A . It can be considered as an indicator of threats coupled with vulnerability.
- B . It is a weakness or lack of safeguard that can be exploited by a threat.
- C . It is the probabilistic risk after implementing all security measures.
- D . It is the probabilistic risk before implementing all security measures.
According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls.
Which of the following are among the eight areas of IA defined by DoD Each correct answer represents a complete solution? Choose all that apply.
- A . DC Security Design & Configuration
- B . EC Enclave and Computing Environment
- C . VI Vulnerability and Incident Management
- D . Information systems acquisition, development, and maintenance
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation.
Which of the following statements are true about Certification and Accreditation Each correct answer represents a complete solution? Choose two.
- A . Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
- B . Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
- C . Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
- D . Certification is the official management decision given by a senior agency official to authorize operation of an information system.
Which of the following protocols is built in the Web server and browser to encrypt data traveling over the Internet
- A . UDP
- B . SSL
- C . IPSec
- D . HTTP
Which of the following configuration management system processes defines which items will be configuration managed, how they are to be identified, and how they are to be documented
- A . Configuration verification and audit
- B . Configuration control
- C . Configuration status accounting
- D . Configuration identification
What are the subordinate tasks of the Initiate and Plan IA C&A phase of the DIACAP process Each correct answer represents a complete solution. Choose all that apply.
- A . Develop DIACAP strategy.
- B . Initiate IA implementation plan.
- C . Conduct validation activity.
- D . Assemble DIACAP team.
- E . Register system with DoD Component IA Program.
- F . Assign IA controls.
You work as a security engineer for BlueWell Inc.
Which of the following documents will you use as a guide for the security certification and accreditation of Federal Information Systems?
- A . NIST Special Publication 800-59
- B . NIST Special Publication 800-37
- C . NIST Special Publication 800-60
- D . NIST Special Publication 800-53
Which of the following documents is described in the statement below It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning.
- A . Risk management plan
- B . Project charter
- C . Quality management plan
- D . Risk register
Diane is the project manager of the HGF Project. A risk that has been identified and analyzed in the project planning processes is now coming into fruition.
What individual should respond to the risk with the preplanned risk response
- A . Project sponsor
- B . Risk owner
- C . Diane
- D . Subject matter expert
Which of the following refers to a process that is used for implementing information security
- A . Classic information security model
- B . Certification and Accreditation (C&A)
- C . Information Assurance (IA)
- D . Five Pillars model
In which of the following phases of the interconnection life cycle as defined by NIST SP 800-47, do the organizations build and execute a plan for establishing the interconnection, including executing or configuring appropriate security controls
- A . Establishing the interconnection
- B . Planning the interconnection
- C . Disconnecting the interconnection
- D . Maintaining the interconnection
Which of the following tools demands involvement by upper executives, in order to integrate quality into the business system and avoid delegation of quality functions to junior administrators
- A . ISO 90012000
- B . Benchmarking
- C . SEI-CMM
- D . Six Sigma
Which of the following documents contains the threats to the information management, and the security services and controls required to counter those threats
- A . System Security Context
- B . Information Protection Policy (IPP)
- C . CONOPS
- D . IMM
Which of the following statements define the role of the ISSEP during the development of the detailed security design, as mentioned in the IATF document Each correct answer represents a complete solution. Choose all that apply.
- A . It identifies the information protection problems that needs to be solved.
- B . It allocates security mechanisms to system security design elements.
- C . It identifies custom security products.
- D . It identifies candidate commercial off-the-shelf (COTS)government off-the-shelf (GOTS) security products.
Which of the following individuals is responsible for the oversight of a program that is supported by a team of people that consists of, or be exclusively comprised of contractors
- A . Quality Assurance Manager
- B . Senior Analyst
- C . System Owner
- D . Federal program manager
Which of the following agencies serves the DoD community as the largest central resource for DoD and government-funded scientific, technical, engineering, and business-related information available today
- A . DISA
- B . DIAP
- C . DTIC
- D . DARPA
You work as a system engineer for BlueWell Inc. You want to verify that the build meets its data requirements, and correctly generates each expected display and report.
Which of the following tests will help you to perform the above task?
- A . Functional test
- B . Reliability test
- C . Performance test
- D . Regression test
You work as a system engineer for BlueWell Inc.
Which of the following documents will help you to describe the detailed plans, procedures, and schedules to guide the transition process?
- A . Configuration management plan
- B . Transition plan
- C . Systems engineering management plan (SEMP)
- D . Acquisition plan
Which of the following policies describes the national policy on the secure electronic messaging service
- A . NSTISSP No. 11
- B . NSTISSP No. 7
- C . NSTISSP No. 6
- D . NSTISSP No. 101
Which of the following is a subset discipline of Corporate Governance focused on information security systems and their performance and risk management
- A . Computer Misuse Act
- B . Clinger-Cohen Act
- C . ISG
- D . Lanham Act
Which of the following principles are defined by the IATF model Each correct answer represents a complete solution. Choose all that apply.
- A . The degree to which the security of the system, as it is defined, designed, and implemented, meets the security needs.
- B . The problem space is defined by the customer’s mission or business needs.
- C . The systems engineer and information systems security engineer define the solution space, which is driven by the problem space.
- D . Always keep the problem and solution spaces separate.
Which of the following cooperative programs carried out by NIST conducts research to advance the nation’s technology infrastructure
- A . Manufacturing Extension Partnership
- B . NIST Laboratories
- C . Baldrige National Quality Program
- D . Advanced Technology Program
Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system
- A . System Owner
- B . Information Systems Security Officer (ISSO)
- C . Designated Approving Authority (DAA)
- D . Chief Information Security Officer (CISO)
Which of the following assessment methodologies defines a six-step technical security evaluation
- A . FITSAF
- B . OCTAVE
- C . FIPS 102
- D . DITSCAP
What are the subordinate tasks of the Implement and Validate Assigned IA Control phase in the DIACAP process Each correct answer represents a complete solution. Choose all that apply.
- A . Conduct activities related to the disposition of the system data and objects.
- B . Combine validation results in DIACAP scorecard.
- C . Conduct validation activities.
- D . Execute and update IA implementation plan.
Which of the following memorandums reminds the Federal agencies that it is required by law and policy to establish clear privacy policies for Web activities and to comply with those policies
- A . OMB M-01-08
- B . OMB M-03-19
- C . OMB M-00-07
- D . OMB M-00-13
Lisa is the project manager of the SQL project for her company. She has completed the risk response planning with her project team and is now ready to update the risk register to reflect the risk response.
Which of the following statements best describes the level of detail Lisa should include with the risk responses she has created?
- A . The level of detail must define exactly the risk response for each identified risk.
- B . The level of detail is set of project risk governance.
- C . The level of detail is set by historical information.
- D . The level of detail should correspond with the priority ranking.
You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A methodology, which is based on four well defined phases. In which of the following phases of NIST SP 800-37 C&A methodology does the security categorization occur
- A . Continuous Monitoring
- B . Initiation
- C . Security Certification
- D . Security Accreditation
You work as a systems engineer for BlueWell Inc. You are working on translating system requirements into detailed function criteria.
Which of the following diagrams will help you to show all of the function requirements and their groupings in one diagram?
- A . Activity diagram
- B . Functional flow block diagram (FFBD)
- C . Functional hierarchy diagram
- D . Timeline analysis diagram
Which of the following phases of DITSCAP includes the activities that are necessary for the continuing operation of an accredited IT system in its computing environment and for addressing the changing threats that a system faces throughout its life cycle
- A . Phase 1, Definition
- B . Phase 3, Validation
- C . Phase 4, Post Accreditation Phase
- D . Phase 2, Verification
Which of the following Security Control Assessment Tasks evaluates the operational, technical, and the management security controls of the information system using the techniques and measures selected or developed
- A . Security Control Assessment Task 3
- B . Security Control Assessment Task 1
- C . Security Control Assessment Task 4
- D . Security Control Assessment Task 2
The Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation.
What are the process activities of this phase Each correct answer represents a complete solution? Choose all that apply.
- A . Assessment of the Analysis Results
- B . Certification analysis
- C . Registration
- D . System development
- E . Configuring refinement of the SSAA
You work as a Network Administrator for PassGuide Inc. You need to secure web services of your company in order to have secure transactions.
Which of the following will you recommend for providing security?
- A . HTTP
- B . VPN
- C . SMIME
- D . SSL
Which of the following processes illustrate the study of a technical nature of interest to focused audience, and consist of interim or final reports on work made by NIST for external sponsors, including government and non-government sponsors
- A . Federal Information Processing Standards (FIPS)
- B . Special Publication (SP)
- C . NISTIRs (Internal Reports)
- D . DIACAP
SIMULATION
Fill in the blank with an appropriate phrase. __________ seeks to improve the quality of process outputs by identifying and removing the causes of defects and variability in manufacturing and business processes.
You work as a security engineer for BlueWell Inc. You are working on the ISSE model. In which of the following phases of the ISSE model is the system defined in terms of what security is needed
- A . Define system security architecture
- B . Develop detailed security design
- C . Discover information protection needs
- D . Define system security requirements
TQM recognizes that quality of all the processes within an organization contribute to the quality of the product.
Which of the following are the most important activities in the Total Quality Management Each correct answer represents a complete solution? Choose all that apply.
- A . Quality renewal
- B . Maintenance of quality
- C . Quality costs
- D . Quality improvements
SIMULATION
Fill in the blank with the appropriate phrase. The ____________ is the risk that remains after the implementation of new or enhanced controls.
Which of the following is designed to detect unwanted attempts at accessing, manipulating, and disabling of computer systems through the Internet
- A . DAS
- B . IDS
- C . ACL
- D . Ipsec
Which of the following security controls is standardized by the Internet Engineering Task Force (IETF) as the primary network layer protection mechanism
- A . Internet Key Exchange (IKE) Protocol
- B . SMIME
- C . Internet Protocol Security (IPSec)
- D . Secure Socket Layer (SSL)
Which of the following DoD policies provides assistance on how to implement policy, assign responsibilities, and prescribe procedures for applying integrated, layered protection of the DoD information systems and networks
- A . DoD 8500.1 Information Assurance (IA)
- B . DoDI 5200.40
- C . DoD 8510.1-M DITSCAP
- D . DoD 8500.2 Information Assurance Implementation
Which of the following is a document, usually in the form of a table, that correlates any two baseline documents that require a many-to-many relationship to determine the completeness of the relationship
- A . FIPS 200
- B . NIST SP 800-50
- C . Traceability matrix
- D . FIPS 199
The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively.
Which of the following statements are true about ISSO and ISSE Each correct answer represents a complete solution? Choose all that apply.
- A . An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).
- B . An ISSE provides advice on the impacts of system changes.
- C . An ISSE provides advice on the continuous monitoring of the information system.
- D . An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).
- E . An ISSO takes part in the development activities that are required to implement system changes.
SIMULATION
For interactive and self-paced preparation of exam ISSEP, try our practice exams. Practice exams also include self assessment and reporting features! Fill in the blank with an appropriate word. _______ has the goal to securely interconnect people and systems independent of time or location.
Which of the following configuration management system processes keeps track of the changes so that the latest acceptable configuration specifications are readily available
- A . Configuration Identification
- B . Configuration Verification and Audit
- C . Configuration Status and Accounting
- D . Configuration Control