You work as a Network Auditor for Net Perfect Inc. The company has a Windows-based network. While auditing the company’s network, you are having difficulty finding the faults and other conditions that exist on it.
Which of the following risks may occur due to the existence of these problems?
- A . Residual risk
- B . Secondary risk
- C . Detection risk
- D . Inherent risk
C
Explanation:
Detection risk is the risk that an auditor will not find what they set out to detect, so that negative (clean) results are reported even though material conditions (faults) actually exist. Detection risk includes two types of risk:
- Sampling risk: This risk occurs when an auditor falsely accepts or erroneously rejects an audit sample.
- Nonsampling risk: This risk occurs when an auditor fails to detect a condition because the appropriate procedure was not applied, or because the procedures used were inconsistent with the audit objectives (detection faults).
ANS: A is incorrect. Residual risk is the risk or danger that remains from an action, an event, a method, or a (technical) process even when it is state of the art and all theoretically possible (scientifically conceivable) safety measures have been applied. The formula to calculate residual risk is (inherent risk) x (control risk), where inherent risk is (threats x vulnerability). In the economic context, residual means "the quantity left over at the end of a process; a remainder".
ANS: D is incorrect. Inherent risk, in auditing, is the risk that the account or section being audited is materially misstated without considering internal controls due to error or fraud. The assessment of inherent risk depends on the professional judgment of the auditor, and it is done after assessing the business environment of the entity being audited.
ANS: B is incorrect. A secondary risk is a risk that arises as a direct consequence of implementing a risk response. The secondary risk is an outcome of dealing with the original risk. Secondary risks are usually not as severe or important as primary risks, but they can become so if not estimated and planned for properly.
The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information.
Which of the following participants are required in a NIACAP security assessment? Each correct answer represents a part of the solution. Choose all that apply.
- A . Certification agent
- B . Designated Approving Authority
- C . IS program manager
- D . Information Assurance Manager
- E . User representative
ABCE
Explanation:
The NIACAP roles are nearly the same as the DITSCAP roles. Four minimum participants (roles) are required to perform a NIACAP security assessment:
- IS program manager: The IS program manager is the primary authorization advocate. He is responsible for the Information System (IS) throughout the life cycle of the system development.
- Designated Approving Authority (DAA): The Designated Approving Authority (DAA), in the United States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.
- Certification agent: The certification agent is also referred to as the certifier. He provides the technical expertise to conduct the certification throughout the system life cycle.
- User representative: The user representative focuses on system availability, access, integrity, functionality, performance, and confidentiality in a Certification and Accreditation (C&A) process.
ANS: D is incorrect. Information Assurance Manager (IAM) is one of the key participants in the DIACAP process.
DRAG DROP
Drop the appropriate value to complete the formula.
Explanation:
A Single Loss Expectancy (SLE) is the value in dollars ($) that is assigned to a single event. The SLE can be calculated by the following formula:
SLE = Asset Value ($) X Exposure Factor (EF)
The Exposure Factor (EF) represents the percentage of the asset’s value that is lost when a threat materializes. The EF is required to calculate the Single Loss Expectancy (SLE). The Annualized Loss Expectancy (ALE) can be calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO):
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) X Annualized Rate of Occurrence (ARO)
The Annualized Rate of Occurrence (ARO) is a number that represents the estimated frequency with which a threat is expected to occur. It is calculated based upon the probability of the event occurring and the number of employees that could make that event occur.
Which of the following penetration testing techniques automatically tests every phone line in an exchange and tries to locate modems that are attached to the network?
- A . Demon dialing
- B . Sniffing
- C . Social engineering
- D . Dumpster diving
A
Explanation:
The demon dialing technique automatically tests every phone line in an exchange and tries to locate modems that are attached to the network. Information about these modems can then be used to attempt external unauthorized access.
ANS: B is incorrect. In sniffing, a protocol analyzer is used to capture data packets that are later decoded to collect information such as passwords or infrastructure configurations.
ANS: D is incorrect. The dumpster diving technique is used to search paper disposal areas for unshredded or otherwise improperly disposed-of reports.
ANS: C is incorrect. Social engineering is the most commonly used technique of all: obtaining information (such as passwords) simply by asking for it.
Which of the following roles is also known as the accreditor?
- A . Data owner
- B . Chief Risk Officer
- C . Chief Information Officer
- D . Designated Approving Authority
D
Explanation:
Designated Approving Authority (DAA) is also known as the accreditor.
ANS: A is incorrect. The data owner (information owner) is usually a member of management, in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information.
ANS: B is incorrect. A Chief Risk Officer (CRO) is also known as Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and the Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization’s Enterprise Risk Management (ERM) approach.
ANS: C is incorrect. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals. The CIO plays the role of a leader and reports to the chief executive officer, chief operations officer, or chief financial officer. In military organizations, they report to the commanding officer.
DoD 8500.2 establishes IA controls for information systems according to the Mission Assurance Categories (MAC) and confidentiality levels.
Which of the following MAC levels requires high integrity and medium availability?
- A . MAC III
- B . MAC IV
- C . MAC I
- D . MAC II
D
Explanation:
The various MAC levels are as follows:
- MAC I: The systems have high availability and high integrity.
- MAC II: The systems have high integrity and medium availability.
- MAC III: The systems have basic integrity and availability.
Microsoft software security expert Michael Howard defines heuristics for determining which code needs security code review in "A Process for Performing Security Code Reviews".
Which of the following heuristics increase the application’s attack surface? Each correct answer represents a complete solution. Choose all that apply.
- A . Code written in C/C++/assembly language
- B . Code listening on a globally accessible network interface
- C . Code that changes frequently
- D . Anonymously accessible code
- E . Code that runs by default
- F . Code that runs in elevated context
BDEF
Explanation:
Microsoft software security expert Michael Howard defines the following heuristics for determining which code needs security code review in "A Process for Performing Security Code Reviews":
- Old code: Newer code reflects a better understanding of software security and tends to have fewer vulnerabilities. Older code must be checked more deeply.
- Code that runs by default: It must have high quality, and must be checked more deeply than code that does not execute by default. Code that runs by default increases the application’s attack surface.
- Code that runs in elevated context: It must have higher quality. Code that runs with elevated privileges must be checked more deeply, and it increases the application’s attack surface.
- Anonymously accessible code: It must be checked more deeply than code that only authorized users and administrators can access, and it increases the application’s attack surface.
- Code listening on a globally accessible network interface: It must be checked deeply for security vulnerabilities, and it increases the application’s attack surface.
- Code written in C/C++/assembly language: It is prone to security vulnerabilities, for example, buffer overruns.
- Code with a history of security vulnerabilities: It is likely to contain further vulnerabilities unless a concerted effort has been made to remove them.
- Code that handles sensitive data: It must be checked deeply to ensure that the data is protected from unintentional disclosure.
- Complex code: It is likely to contain undiscovered errors, because complex code is more difficult to analyze both manually and programmatically.
- Code that changes frequently: It tends to have more security vulnerabilities than code that does not change frequently.
Which of the following cryptographic system services ensures that information will not be disclosed to any unauthorized person on a local network?
- A . Authentication
- B . Integrity
- C . Non-repudiation
- D . Confidentiality
D
Explanation:
The confidentiality service of a cryptographic system ensures that information will not be disclosed to any unauthorized person on a local network.
What are the various activities performed in the planning phase of the Software Assurance Acquisition process? Each correct answer represents a complete solution. Choose all that apply.
- A . Develop software requirements.
- B . Implement change control procedures.
- C . Develop evaluation criteria and evaluation plan.
- D . Create acquisition strategy.
ACD
Explanation:
The various activities performed in the planning phase of the Software Assurance Acquisition process are as follows:
- Determine software product or service requirements.
- Identify associated risks.
- Develop software requirements.
- Create acquisition strategy.
- Develop evaluation criteria and evaluation plan.
- Define development and use of SwA due diligence questionnaires.
ANS: B is incorrect. This activity is performed in the monitoring and acceptance phase of the Software Assurance acquisition process.
You work as a project manager for BlueWell Inc. You are working on a project and the management wants a rapid and cost-effective means for establishing priorities for planning risk responses in your project.
Which risk management process can satisfy management’s objective for your project?
- A . Qualitative risk analysis
- B . Historical information
- C . Rolling wave planning
- D . Quantitative analysis
A
Explanation:
Qualitative risk analysis is the best answer, as it is a fast and low-cost approach to analyzing the impact of risks and their effects. It can promote certain risks to risk response planning. Qualitative Risk Analysis uses the likelihood and impact of the identified risks in a fast and cost-effective manner. Qualitative Risk Analysis establishes a basis for a focused quantitative analysis or Risk Response Plan by evaluating the precedence of risks with respect to their impact on the project’s scope, cost, schedule, and quality objectives. Qualitative risk analysis can be conducted at any point in the project life cycle. The primary goal of qualitative risk analysis is to determine the magnitude of the effect and the theoretical response. The inputs to the Qualitative Risk Analysis process are:
- Organizational process assets
- Project Scope Statement
- Risk Management Plan
- Risk Register
ANS: B is incorrect. Historical information can be helpful in qualitative risk analysis, but it is not the best answer to the question, as historical information is not always available (consider new projects).
ANS: D is incorrect. Quantitative risk analysis is in-depth and often requires a schedule and budget for the analysis.
ANS: C is incorrect. Rolling wave planning is not a valid answer for risk analysis processes.
Which of the following models uses a directed graph to specify the rights that a subject can transfer to an object or that a subject can take from another subject?
- A . Take-Grant Protection Model
- B . Biba Integrity Model
- C . Bell-LaPadula Model
- D . Access Matrix
A
Explanation:
The take-grant protection model is a formal model used in the field of computer security to establish or disprove the safety of a given computer system that follows specific rules. It shows that for specific systems the question of safety, which is undecidable in general, is decidable in linear time. The model represents a system as a directed graph, where vertices are either subjects or objects. The edges between them are labeled, and the label indicates the rights that the source of the edge has over the destination. Two rights occur in every instance of the model: take and grant. They play a special role in the graph rewriting rules describing admissible changes of the graph.
ANS: D is incorrect. The access matrix is a straightforward approach that provides access rights to subjects for objects.
ANS: C is incorrect. The Bell-LaPadula model deals only with the confidentiality of classified material. It does not address integrity or availability.
ANS: B is incorrect. The Biba integrity model was developed as an analog to the Bell-LaPadula confidentiality model and was later extended to address additional integrity requirements.
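As an added illustration that is not part of the original question set, here is a small Python model of the take-grant graph described in the explanation above: subject and object vertices, right-labelled edges, the take and grant rewriting rules, and a brute-force closure that answers the safety question for a finite graph. The vertex names (alice, bob, carol, file) and the closure routine are constructed for this example; the closure is a fixed-point search, not the model's linear-time decision procedure.

```python
from collections import defaultdict
import copy

TAKE, GRANT = "t", "g"  # the two special rights every instance of the model has


class TakeGrantGraph:
    """Directed graph whose vertices are subjects or objects and whose edges
    carry the set of rights the source holds over the destination."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.edges = defaultdict(set)  # (source, destination) -> rights

    def add_subject(self, name):
        self.subjects.add(name)

    def add_object(self, name):
        self.objects.add(name)

    def add_edge(self, src, dst, rights):
        for v in (src, dst):
            if v not in self.subjects and v not in self.objects:
                raise KeyError(f"unknown vertex {v!r}")
        self.edges[(src, dst)] |= set(rights)

    def rights(self, src, dst):
        return set(self.edges.get((src, dst), ()))

    def _require_subject(self, s):
        if s not in self.subjects:
            raise PermissionError(f"only subjects act; {s!r} is not a subject")

    # The take and grant rewriting rules; only a subject may apply them.
    def take(self, s, x, y, right):
        """take: s --t--> x and x --right--> y  ==>  s --right--> y"""
        self._require_subject(s)
        if TAKE not in self.rights(s, x):
            raise PermissionError(f"{s!r} lacks take over {x!r}")
        if right not in self.rights(x, y):
            raise PermissionError(f"{x!r} does not hold {right!r} on {y!r}")
        self.edges[(s, y)].add(right)

    def grant(self, s, x, y, right):
        """grant: s --g--> x and s --right--> y  ==>  x --right--> y"""
        self._require_subject(s)
        if GRANT not in self.rights(s, x):
            raise PermissionError(f"{s!r} lacks grant over {x!r}")
        if right not in self.rights(s, y):
            raise PermissionError(f"{s!r} does not hold {right!r} on {y!r}")
        self.edges[(x, y)].add(right)


def take_grant_closure(graph):
    """Every right obtainable by repeatedly applying take and grant.

    Brute-force fixed point over a finite graph (no create rule, so the graph
    stays finite). It makes the safety question concrete but is not the
    linear-time decision procedure the model is known for."""
    g = copy.deepcopy(graph)  # never mutate the caller's graph
    changed = True
    while changed:
        changed = False
        for (s, x), held in list(g.edges.items()):
            if s not in g.subjects:
                continue
            for (a, y), r in list(g.edges.items()):
                if TAKE in held and a == x:      # s takes what x holds on y
                    gained = r - g.rights(s, y)
                    if gained:
                        g.edges[(s, y)] |= gained
                        changed = True
                if GRANT in held and a == s:     # s grants x what s holds on y
                    gained = r - g.rights(x, y)
                    if gained:
                        g.edges[(x, y)] |= gained
                        changed = True
    return g


def can_obtain(graph, subject, right, target):
    """Safety question: can `subject` ever hold `right` over `target`?"""
    return right in take_grant_closure(graph).rights(subject, target)


def example_graph():
    """Constructed example: alice --t--> bob --r--> file, alice --g--> carol."""
    g = TakeGrantGraph()
    for name in ("alice", "bob", "carol"):
        g.add_subject(name)
    g.add_object("file")
    g.add_edge("alice", "bob", {TAKE})
    g.add_edge("bob", "file", {"r"})
    g.add_edge("alice", "carol", {GRANT})
    return g
```

In the constructed graph, alice can take read access on the file from bob and then grant it to carol, so carol ends up with a right that no edge gave her directly; the closure shows this without stepping through the rules by hand.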
You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you’re creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event.
What type of risk response have you elected to use in this instance?
- A . Transference
- B . Exploiting
- C . Avoidance
- D . Sharing
A
Explanation:
This is an example of transference as you have transferred the risk to a third party. Transference almost always is done with a negative risk event and it usually requires a contractual relationship.
Which of the following organizations assists the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies?
- A . OMB
- B . NIST
- C . NSA/CSS
- D . DCAA
A
Explanation:
The Office of Management and Budget (OMB) is a Cabinet-level office, and is the largest office within the Executive Office of the President (EOP) of the United States. The current OMB Director is Peter Orszag and was appointed by President Barack Obama. The OMB’s predominant mission is to assist the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies. In helping to formulate the President’s spending plans, the OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. The OMB ensures that agency reports, rules, testimony, and proposed legislation are consistent with the President’s Budget and with Administration policies.
ANS: D is incorrect. The DCAA has the aim to monitor contractor costs and perform contractor audits.
ANS: C is incorrect. The National Security Agency/Central Security Service (NSA/CSS) is a cryptologic intelligence agency of the United States government. It is administered as part of the United States Department of Defense. NSA is responsible for the collection and analysis of foreign communications and foreign signals intelligence, which involves cryptanalysis. NSA is also responsible for protecting U.S. government communications and information systems from similar agencies elsewhere, which involves cryptography. NSA is a key component of the U.S. Intelligence Community, which is headed by the Director of National Intelligence. The Central Security Service is a co-located agency created to coordinate intelligence activities and co-operation between NSA and U.S. military cryptanalysis agencies. NSA’s work is limited to communications intelligence. It does not perform field or human intelligence activities.
ANS: B is incorrect. The National Institute of Standards and Technology (NIST), known between 1901 and 1988 as the National Bureau of Standards (NBS), is a measurement standards laboratory which is a non-regulatory agency of the United States Department of Commerce. The institute’s official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.
Part of your change management plan details what should happen in the change control system for your project. Theresa, a junior project manager, asks what the configuration management activities are for scope changes.
You tell her that all of the following are valid configuration management activities except for which one?
- A . Configuration Identification
- B . Configuration Verification and Auditing
- C . Configuration Status Accounting
- D . Configuration Item Costing
D
Explanation:
Configuration item cost is not a valid activity for configuration management. Cost changes are managed by the cost change control system; configuration management is concerned with changes to the features and functions of the project deliverables.
Which of the following types of redundancy prevents attacks in which an attacker can get physical control of a machine, insert unauthorized software, and alter data?
- A . Data redundancy
- B . Hardware redundancy
- C . Process redundancy
- D . Application redundancy
C
Explanation:
Process redundancy permits software to run simultaneously on multiple geographically distributed locations, with voting on results. It prevents attacks in which an attacker can get physical control of a machine, insert unauthorized software, and alter data.
Which of the following individuals inspects whether the security policies, standards, guidelines, and procedures are efficiently performed in accordance with the company’s stated security objectives?
- A . Information system security professional
- B . Data owner
- C . Senior management
- D . Information system auditor
D
Explanation:
An information system auditor is an individual who inspects whether the security policies, standards, guidelines, and procedures are efficiently performed in accordance with the company’s stated security objectives. He is responsible for reporting to senior management on the value of security controls by performing regular and independent audits.
ANS: B is incorrect. A data owner determines the sensitivity or classification levels of data.
ANS: A is incorrect. An information systems security professional is an individual who designs, implements, manages, and reviews the security policies, standards, guidelines, and procedures of the organization. He is made responsible by senior-level management for implementing and maintaining security.
ANS: C is incorrect. Senior management assigns overall responsibilities to other individuals.
Which of the following process areas does the SSE-CMM define in the ‘Project and Organizational Practices’ category? Each correct answer represents a complete solution. Choose all that apply.
- A . Provide Ongoing Skills and Knowledge
- B . Verify and Validate Security
- C . Manage Project Risk
- D . Improve Organization’s System Engineering Process
ACD
Explanation:
Project and Organizational Practices include the following process areas:
- PA12: Ensure Quality
- PA13: Manage Configuration
- PA14: Manage Project Risk
- PA15: Monitor and Control Technical Effort
- PA16: Plan Technical Effort
- PA17: Define Organization’s System Engineering Process
- PA18: Improve Organization’s System Engineering Process
- PA19: Manage Product Line Evolution
- PA20: Manage Systems Engineering Support Environment
- PA21: Provide Ongoing Skills and Knowledge
- PA22: Coordinate with Suppliers
The LeGrand Vulnerability-Oriented Risk Management method is based on vulnerability analysis and consists of four principal steps.
Which of the following processes does the risk assessment step include? Each correct answer represents a part of the solution. Choose all that apply.
- A . Remediation of a particular vulnerability
- B . Cost-benefit examination of countermeasures
- C . Identification of vulnerabilities
- D . Assessment of attacks
BCD
Explanation:
Risk assessment includes identification of vulnerabilities, assessment of losses caused by threats materialized, cost-benefit examination of countermeasures, and assessment of attacks.
ANS: A is incorrect. This process is included in the vulnerability management.
You work as a Security Manager for Tech Perfect Inc. You have set up a SIEM server for the following purposes:
- Analyze the data from different log sources
- Correlate the events among the log entries
- Identify and prioritize significant events
- Initiate responses to events if required
One of your log monitoring staff wants to know the features of a SIEM product that will help them with these purposes.
What features will you recommend? Each correct answer represents a complete solution. Choose all that apply.
- A . Asset information storage and correlation
- B . Transmission confidentiality protection
- C . Incident tracking and reporting
- D . Security knowledge base
- E . Graphical user interface
ACDE
Explanation:
The features of SIEM products are as follows:
- Graphical user interface (GUI): It is used in analysis for identifying potential problems and reviewing all available data associated with the problems.
- Security knowledge base: It includes information on known vulnerabilities, log messages, and other technical data.
- Incident tracking and reporting: It has robust workflow features to track and report incidents.
- Asset information storage and correlation: It gives higher priority to an attack that affects a vulnerable OS or a main host.
ANS: B is incorrect. A SIEM product does not have this feature.
According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls.
Which of the following are among the eight areas of IA defined by DoD? Each correct answer represents a complete solution. Choose all that apply.
- A . VI Vulnerability and Incident Management
- B . Information systems acquisition, development, and maintenance
- C . DC Security Design & Configuration
- D . EC Enclave and Computing Environment
ACD
Explanation:
According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls. The eight IA areas defined by the U.S. Department of Defense are as follows:
- DC Security Design & Configuration
- IA Identification and Authentication
- EC Enclave and Computing Environment
- EB Enclave Boundary Defense
- PE Physical and Environmental
- PR Personnel
- CO Continuity
- VI Vulnerability and Incident Management
ANS: B is incorrect. Business continuity management is an area of the international information security standard.
The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively.
Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply.
- A . An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).
- B . An ISSE provides advice on the continuous monitoring of the information system.
- C . An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).
- D . An ISSE provides advice on the impacts of system changes.
- E . An ISSO takes part in the development activities that are required to implement system changes.
BCD
Explanation:
An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information System Security Officer (ISSO) are as follows:
- Manages the security of the information system that is slated for Certification & Accreditation (C&A).
- Ensures that the information system’s configuration complies with the agency’s information security policy.
- Supports the information system owner/information owner in the completion of security-related responsibilities.
- Takes part in the formal configuration management process.
- Prepares Certification & Accreditation (C&A) packages.
An Information System Security Engineer (ISSE) plays the role of an advisor. The responsibilities of an Information System Security Engineer are as follows:
- Provides advice on the continuous monitoring of the information system.
- Provides advice on the impacts of system changes.
- Takes part in the configuration management process.
- Takes part in the development activities that are required to implement system changes.
- Follows approved system changes.
In which of the following types of tests are the disaster recovery checklists distributed to the members of disaster recovery team and asked to review the assigned checklist?
- A . Parallel test
- B . Simulation test
- C . Full-interruption test
- D . Checklist test
D
Explanation:
A checklist test is a test in which the disaster recovery checklists are distributed to the members of the disaster recovery team. All members are asked to review the assigned checklist. The checklist test is a simple test and is easy to conduct. It accomplishes the following three goals:
- It ensures that the employees are aware of their responsibilities and have refreshed their knowledge.
- It gives each individual an opportunity to review the checklists for obsolete information and to update any items that require modification because of changes in the organization.
- It ensures that the assigned members of the disaster recovery team are still working for the organization.
ANS: B is incorrect. A simulation test is a method used to test the disaster recovery plans. It operates much like a structured walk-through test. In the simulation test, the members of the disaster recovery team are presented with a disaster scenario and then discuss appropriate responses. These suggested responses are evaluated, and some of them are carried out by the team. The scope of the simulation test should be defined carefully to avoid excessive disruption of normal business activities.
ANS: A is incorrect. A parallel test is the next level in the testing procedure: it relocates the employees to an alternate recovery site and implements site activation procedures. These employees perform their disaster recovery responsibilities as they would for an actual disaster. The disaster recovery site takes full responsibility for conducting the organization’s day-to-day business.
ANS: C is incorrect. A full-interruption test involves shutting down operations at the primary site and shifting them to the recovery site according to the disaster recovery plan. It operates much like a parallel test. The full-interruption test is very expensive and difficult to arrange. Sometimes it causes a major disruption of operations if the test fails.
SIMULATION
Fill in the blank with an appropriate phrase. ______ models address specifications, requirements, design, verification and validation, and maintenance activities.
Explanation:
A life cycle model helps to provide insight into the development process and emphasizes the relationships among the different activities in this process. This model describes a structured approach to the development and adjustment process involved in producing and maintaining systems. The life cycle model addresses specifications, design, requirements, verification and validation, and maintenance activities.
Which of the following security design patterns provides an alternative by requiring that a user’s authentication credentials be verified by the database before providing access to that user’s data?
- A . Secure assertion
- B . Authenticated session
- C . Password propagation
- D . Account lockout
C
Explanation:
Password propagation provides an alternative by requiring that a user’s authentication credentials be verified by the database before providing access to that user’s data.
ANS: D is incorrect. Account lockout implements a limit on the incorrect password attempts to protect an account from automated password-guessing attacks.
ANS: B is incorrect. Authenticated session allows a user to access more than one access-restricted Web page without re-authenticating every page. It also integrates user authentication into the basic session model.
ANS: A is incorrect. Secure assertion distributes application-specific sanity checks throughout the system.
Which of the following is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in business continuity?
- A . RTO
- B . RTA
- C . RPO
- D . RCO
A
Explanation:
The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. It includes the time spent trying to fix the problem without a recovery, the recovery itself, testing, and communication to the users. Decision time for the user representative is not included. The business continuity timeline usually runs parallel with an incident management timeline and may start at the same, or different, points. In accepted business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner of a process (usually in conjunction with the Business Continuity planner). The RTOs are then presented to senior management for acceptance. The RTO attaches to the business process and not to the resources required to support the process.
ANS: B is incorrect. The Recovery Time Actual (RTA) is established during an exercise, actual event, or predetermined based on recovery methodology the technology support team develops. This is the time frame the technology support takes to deliver the recovered infrastructure to the business.
ANS: D is incorrect. The Recovery Consistency Objective (RCO) is used in Business Continuity Planning in addition to Recovery Point Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to Continuous Data Protection services.
ANS: C is incorrect. The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must be recovered as defined by the organization. The RPO is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO the data must be restored to within 2 hours of the disaster.
Which of the following processes culminates in an agreement between key players that a system in its current configuration and operation provides adequate protection controls?
- A . Information Assurance (IA)
- B . Information systems security engineering (ISSE)
- C . Certification and accreditation (C&A)
- D . Risk Management
C
Explanation:
Certification and accreditation (C&A) is a set of processes that culminate in an agreement between key players that a system in its current configuration and operation provides adequate protection controls. Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. The C&A process is used extensively in the U.S. Federal Government; C&A processes and frameworks used there include FISMA, NIACAP, DIACAP, and DCID 6/3. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
ANS: D is incorrect. Risk management is a set of processes that ensures a risk-based approach is used to determine adequate, cost- effective security for a system.
ANS: A is incorrect. Information assurance (IA) is the practice of managing and monitoring information-related risks. It ensures that only approved users have access to approved information at approved times. IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and non-repudiation. These objectives apply whether the information is in storage, processing, or transit, and whether or not it is under attack.
ANS: B is incorrect. ISSE is a set of processes and solutions used during all phases of a system’s life cycle to meet the system’s information protection needs.
Adam works as a Computer Hacking Forensic Investigator for a garment company in the United States. He has been assigned to investigate a disloyal employee who is suspected of stealing garment designs that belong to the company and selling garments of the same design under a different brand name. Adam found that the company has no policy covering the copying of garment designs. He also found that the trademark under which the employee is selling the garments is almost identical to the company's original trademark.
On the grounds of which of the following laws can the employee be prosecuted?
- A . Espionage law
- B . Trademark law
- C . Cyber law
- D . Copyright law
B
Explanation:
Federal trademark law in the United States is codified in the Lanham Act. The Act prohibits a number of activities, including trademark infringement, trademark dilution, and false advertising. Trademarks were traditionally protected in the United States only under state common law, growing out of the tort of unfair competition. Trademark law in the United States is almost entirely enforced through private lawsuits; the exception is criminal counterfeiting of goods. Otherwise, the responsibility rests entirely on the mark owner to file suit in either state or federal civil court in order to restrict an infringing use. Failure to "police" a mark by stopping infringing uses can result in the loss of protection.
ANS: D is incorrect. Copyright law of the United States governs the legally enforceable rights of creative and artistic works under the laws of the United States. Copyright law in the United States is part of federal law, and is authorized by the U.S. Constitution. The power to enact copyright law is granted in Article I, Section 8, Clause 8, also known as the Copyright Clause. This clause forms the basis for U.S. copyright law ("Science", "Authors", "Writings") and patent law ("useful Arts", "Inventors", "Discoveries"), and includes the limited terms (or durations) allowed for copyrights and patents ("limited Times"), as well as the items they may protect. In the U.S., registrations of claims of copyright, recordation of copyright transfers, and other administrative aspects of copyright are the responsibility of the United States Copyright Office, a part of the Library of Congress.
ANS: A is incorrect. The Espionage Act of 1917 was a United States federal law passed shortly after entering World War I, on June 15, 1917, which made it a crime for a person: To convey information with intent to interfere with the operation or success of the armed forces of the United States or to promote the success of its enemies. This was punishable by death or by imprisonment for not more than 30 years. To convey false reports or false statements with intent to interfere with the operation or success of the military or naval forces of the United States or to promote the success of its enemies and whoever when the United States is at war, to cause or attempt to cause insubordination, disloyalty, mutiny, refusal of duty, in the military or naval forces of the United States, or to willfully obstruct the recruiting or enlistment service of the United States.
ANS: C is incorrect. Cyber law is a broad term covering the legal issues related to the communicative, transactional, and distributive aspects of networked information devices and technologies. It is commonly known as Internet law. These laws are difficult to apply because the Internet does not respect geographical and jurisdictional boundaries, which is why cyber law is often not very effective.
A single transaction may involve the laws of at least three jurisdictions, which are as follows:
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. In order to do so, he performs the following steps of the pre-attack phase successfully: information gathering; determination of network range; identification of active systems; location of open ports and applications. Now, which of the following tasks should he perform next?
- A . Perform OS fingerprinting on the We-are-secure network.
- B . Map the network of We-are-secure Inc.
- C . Install a backdoor to log in remotely on the We-are-secure server.
- D . Fingerprint the services running on the we-are-secure network.
A
Explanation:
John should perform OS fingerprinting next. Fingerprinting is the standard way to detect the operating system (OS) of a remote system. OS detection matters because, once the target's OS is known, selecting exploits and breaking into the system becomes much easier. Fingerprinting works by comparing the characteristics of packets the target system sends against a database of known OS signatures; the analysis of those packets gives the attacker a strong hint as to which operating system the remote system runs. There are two fingerprinting techniques: 1. Active fingerprinting: the tester sends crafted probes (for example TCP packets with unusual flag combinations, or ICMP requests) to the target and matches the responses against OS signatures; nmap's -O option works this way. Active probes are noisy and can be picked up by an IDS. 2. Passive fingerprinting: the tester sends nothing and only observes traffic the target already emits, inferring the OS from fields such as the IP TTL (from which the initial TTL and the hop count can be derived), the TCP window size, the DF bit, and the TCP options; p0f works this way and is invisible to the target.
ANS: D and B are incorrect. John should perform OS fingerprinting first; identifying the services running on the network becomes easier afterwards, since many services run only on a specific operating system. Network mapping follows OS fingerprinting.
ANS: C is incorrect. Installing a backdoor is not a pre-attack task; it belongs to the later attack phase, after all relevant knowledge of the network has been gathered.
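The passive technique described above, as an added example that is not part of the original question set: the observer never sends a packet, it only reads the IP TTL and TCP window size from SYN/SYN-ACK segments the target already emits, recovers the likely initial TTL and hop count, and matches against a small signature table. The observations and the signature values are constructed, simplified assumptions for illustration; real tools such as p0f carry far larger signature databases and also examine the DF bit and the TCP options and their order.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Passive OS fingerprinting from fields found in packets the target sends.
 * Added illustration; the signature table is a simplified assumption, not a
 * complete fingerprint database.
 */
public class PassiveFingerprint {

    /** One observed SYN or SYN-ACK from a target host (constructed input). */
    public static final class Observation {
        final String srcIp;
        final int ttl;          // IP TTL as seen at the capture point
        final int windowSize;   // TCP window size advertised in the segment

        Observation(String srcIp, int ttl, int windowSize) {
            this.srcIp = srcIp;
            this.ttl = ttl;
            this.windowSize = windowSize;
        }
    }

    /** Initial TTL values used by common operating systems, ascending. */
    private static final int[] INITIAL_TTLS = {32, 64, 128, 255};

    /** The smallest common initial TTL that is not below the observed TTL. */
    public static int inferInitialTtl(int observedTtl) {
        for (int candidate : INITIAL_TTLS) {
            if (observedTtl <= candidate) {
                return candidate;
            }
        }
        return 255;
    }

    /** Hops between target and capture point: each router decrements TTL by one. */
    public static int hopCount(int observedTtl) {
        return inferInitialTtl(observedTtl) - observedTtl;
    }

    /**
     * Coarse OS family guess from (initial TTL, window size).
     * Assumed signatures: Windows uses initial TTL 128 with windows 8192 or 65535;
     * Linux uses 64 with 5840 or 29200; Solaris and network devices use 255.
     */
    public static String guessOsFamily(Observation o) {
        int initialTtl = inferInitialTtl(o.ttl);
        switch (initialTtl) {
            case 128:
                if (o.windowSize == 8192 || o.windowSize == 65535) {
                    return "Windows";
                }
                return "Windows (unusual window size)";
            case 64:
                if (o.windowSize == 5840 || o.windowSize == 29200) {
                    return "Linux";
                }
                return "Unix-like (unusual window size)";
            case 255:
                return "Solaris or network device";
            default:
                return "unknown";
        }
    }

    public static void main(String[] args) {
        // Constructed observations standing in for a capture of the target network.
        List<Observation> capture = new ArrayList<>();
        capture.add(new Observation("10.0.0.5", 125, 8192));   // Windows host, 3 hops away
        capture.add(new Observation("10.0.0.9", 61, 29200));   // Linux host, 3 hops away
        capture.add(new Observation("10.0.0.1", 254, 4128));   // router, 1 hop away

        for (Observation o : capture) {
            System.out.printf("%-10s ttl=%3d hops=%d guess=%s%n",
                    o.srcIp, o.ttl, hopCount(o.ttl), guessOsFamily(o));
        }
    }
}
```

The hop-count inference is what makes TTL usable at all: an observed TTL of 125 by itself means little, but no common stack starts at 125, so the nearest initial value above it (128) is the real signal and the difference (3) is the path length. A tester who can see traffic from both a Windows and a Linux host in the same capture should also check that the inferred hop counts agree with traceroute; a mismatch usually means NAT or a tunnel rewrote the TTL.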
Which of the following DITSCAP C&A phases takes place between the signing of the initial version of the SSAA and the formal accreditation of the system?
- A . Phase 4
- B . Phase 3
- C . Phase 1
- D . Phase 2
D
Explanation:
The Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. This phase takes place between the signing of the initial version of the SSAA and the formal accreditation of the system. This phase verifies security requirements during system development.
ANS: C, B, and A are incorrect. These phases do not take place between the signing of the initial version of the SSAA and the formal accreditation of the system.
In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system?
- A . Full operational test
- B . Penetration test
- C . Paper test
- D . Walk-through test
B
Explanation:
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found are presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine the feasibility of an attack and the business impact of a successful exploit, if one is found. It is a component of a full security audit.
ANS: C is incorrect. A paper test is the least complex test in the disaster recovery and business continuity testing approaches. In this test, the BCP/DRP plan documents are distributed to the appropriate managers and BCP/DRP team members for review, markup, and comment. This approach helps the auditor to ensure that the plan is complete and that all team members are familiar with their responsibilities within the plan.
ANS: D is incorrect. A walk-through test is an extension of the paper testing in the business continuity and disaster recovery process. In this testing methodology, appropriate managers and BCP/DRP team members discuss and walk through procedures of the plan. They also discuss the training needs, and clarification of critical plan elements.
ANS: A is incorrect. A full operational test includes all team members and participants in the disaster recovery and business continuity process. It involves the mobilization of personnel and restores operations in the same manner as an outage or disaster would. The full operational test extends the preparedness test by including actual notification, mobilization of resources, processing of data, and utilization of backup media for restoration.
You work as a systems engineer for BlueWell Inc.
Which of the following tools will you use to look outside your own organization to examine how others achieve their performance levels, and what processes they use to reach those levels?
- A . Benchmarking
- B . Six Sigma
- C . ISO 9001:2000
- D . SEI-CMM
A
Explanation:
Benchmarking is the tool used in the system assessment process to provide a point of reference by which performance measurements can be reviewed with respect to other organizations. Benchmarking is also known as Best Practice Benchmarking or Process Benchmarking. It is a process used in management, and it is most useful for strategic management. It is the process of comparing one's business processes and performance metrics, including cost, cycle time, productivity, or quality, to those of another organization that is widely considered to be an industry standard benchmark or best practice. Benchmarking might be a one-time event, although it is frequently treated as a continual process in which organizations continually seek to challenge their practices. It allows organizations to develop plans on how to make improvements or adapt specific best practices, usually with the aim of increasing some aspect of performance.
ANS: C is incorrect. The ISO 9001:2000 standard combines the three standards 9001, 9002, and 9003 into one, called 9001. Design and development procedures are required only if a company does in fact engage in the creation of new products. The 2000 version sought to make a radical change in thinking by placing the concept of process management front and center ("process management" being the monitoring and optimizing of a company's tasks and activities, instead of just inspecting the final product). The ISO 9001:2000 version also demands involvement by upper executives, in order to integrate quality into the business system and avoid delegation of quality functions to junior administrators. Another goal is to improve effectiveness via process performance metrics (numerical measurement of the effectiveness of tasks and activities). Expectations of continual process improvement and tracking customer satisfaction were made explicit.
ANS: B is incorrect. Six Sigma is a business management strategy, initially implemented by Motorola. As of 2009 it enjoys widespread application in many sectors of industry, although its application is not without controversy. Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects and variability in manufacturing and business processes. It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization ("Black Belts", "Green Belts", etc.) who are experts in these methods. Each Six Sigma project carried out within an organization follows a defined sequence of steps and has quantified financial targets (cost reduction or profit increase).
ANS: D is incorrect. Capability Maturity Model Integration (CMMI) was created by the Software Engineering Institute (SEI). CMMI in software engineering and organizational development is a process improvement approach that provides organizations with the essential elements for effective process improvement. It can be used to guide process improvement across a project, a division, or an entire organization. CMMI can help integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes. CMMI is widely treated as the de facto standard for measuring the maturity of a process. Organizations can be assessed against the CMMI model using the Standard CMMI Appraisal Method for Process Improvement (SCAMPI).
Which of the following methods determines the principal name of the current user and returns the java.security.Principal object in the HttpServletRequest interface?
- A . getUserPrincipal()
- B . isUserInRole()
- C . getRemoteUser()
- D . getCallerPrincipal()
A
Explanation:
The getUserPrincipal() method determines the principal name of the current user and returns a java.security.Principal object. The java.security.Principal object carries the remote user's name. getUserPrincipal() returns null if no user is authenticated, so callers must check for null before dereferencing the result.
ANS: C is incorrect. The getRemoteUser() method returns the user name that is used for the client authentication. The value of the getRemoteUser() method returns null if no user is authenticated.
ANS: B is incorrect. The isUserInRole() method determines whether the remote user has been granted a specified user role. It returns true if the remote user holds the specified role; otherwise it returns false.
ANS: D is incorrect. The getCallerPrincipal() method identifies a caller using a java.security.Principal object, but it belongs to the EJB API (javax.ejb.EJBContext), not to the HttpServletRequest interface.
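An added example, not taken from the page, showing the three HttpServletRequest methods used together in a servlet filter. It assumes container-managed authentication is configured (for example BASIC or FORM login declared in web.xml) and that a role named "admin" is declared with a security-role element; the filter, the role name, and the request attribute names are illustrative. On Jakarta EE 9 and later the package prefix is jakarta.servlet rather than javax.servlet.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Gate in front of an administrative URL pattern that uses the three
 * HttpServletRequest identity methods. Added example; "admin" is an assumed
 * role name that must be declared in web.xml.
 */
public class AdminGateFilter implements Filter {

    private static final String REQUIRED_ROLE = "admin";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getUserPrincipal() returns null when the container has not authenticated
        // anyone. Test for null before calling getName(), otherwise an anonymous
        // request fails with a NullPointerException instead of a clean 401.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getRemoteUser() is the same identity as a plain String (also null when
        // unauthenticated). It is useful for logging; it is not an authorization check.
        String loginName = request.getRemoteUser();

        // isUserInRole() asks the container whether the authenticated user holds the
        // role (after any security-role-ref mapping). This is the check that decides
        // access; comparing loginName against a hard-coded list of names is not.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Expose the authenticated identity to downstream servlets for audit logging.
        request.setAttribute("audit.user", principal.getName());
        request.setAttribute("audit.login", loginName);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to the protected path with a filter-mapping element in web.xml or with @WebFilter("/admin/*") from javax.servlet.annotation. The ordering in doFilter matters: the null check on getUserPrincipal() distinguishes "not logged in" (401) from "logged in but not permitted" (403), and only isUserInRole() consults the container's role mapping, so it is the call that should guard sensitive operations.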
The NIST Information Security and Privacy Advisory Board (ISPAB) paper "Perspectives on Cloud Computing and Standards" specifies potential advantages and disadvantages of virtualization.
Which of the following disadvantages does it include? Each correct answer represents a complete solution. Choose all that apply.
- A . It increases capabilities for fault tolerant computing using rollback and snapshot features.
- B . It increases intrusion detection through introspection.
- C . It initiates the risk that malicious software is targeting the VM environment.
- D . It increases overall security risk from shared resources.
- E . It creates the possibility that remote attestation may not work.
- F . It involves new protection mechanisms for preventing VM escape, VM detection, and VM-VM interference.
- G . It increases configuration effort because of complexity and composite system.
CDEFG
Explanation:
The potential security disadvantages of virtualization listed in the paper are as follows:
- It increases configuration effort because of complexity and the composite system.
- It introduces the problem of how to prevent overlap while mapping VM storage onto host files.
- It introduces the problem of virtualizing the TPM.
- It creates the possibility that remote attestation may not work.
- It introduces the problem of detecting VM covert channels.
- It involves new protection mechanisms for preventing VM escape, VM detection, and VM-VM interference.
- It introduces the possibility of virtual networking configuration errors.
- It introduces the risk that malicious software targets the VM environment.
- It increases overall security risk from shared resources, such as networks, clipboards, clocks, printers, desktop management, and folders.
ANS: A and B are incorrect. These are not the disadvantages of virtualization, as described in the NIST Information Security and Privacy Advisory Board (ISPAB) paper "Perspectives on Cloud Computing and Standards".
Which of the following are the types of access controls? Each correct answer represents a complete solution. Choose three.
- A . Physical
- B . Technical
- C . Administrative
- D . Automatic
ABC
Explanation:
Security guards, locks on the gates, and alarms come under physical access control. Policies and procedures implemented by an organization come under administrative access control. Intrusion detection systems, encryption, network segmentation, and antivirus controls come under technical access control.
ANS: D is incorrect. There is no such type of access control as automatic control.
What are the subordinate tasks of the Initiate and Plan IA C&A phase of the DIACAP process? Each correct answer represents a complete solution. Choose all that apply.
- A . Initiate IA implementation plan
- B . Develop DIACAP strategy
- C . Assign IA controls.
- D . Assemble DIACAP team
- E . Register system with DoD Component IA Program.
- F . Conduct validation activity.
ABCDE
Explanation:
The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is a process defined by the United States Department of Defense (DoD) for managing risk. The subordinate tasks of the Initiate and Plan IA C&A phase are as follows:
- Register the system with the DoD Component IA Program.
- Assign IA controls.
- Assemble the DIACAP team.
- Develop the DIACAP strategy.
- Initiate the IA implementation plan.
ANS: F is incorrect. Validation activities are conducted in the second phase of the DIACAP process, i.e., Implement and Validate Assigned IA Controls.
Which of the following attacks causes software to fail and prevents the intended users from accessing software?
- A . Enabling attack
- B . Reconnaissance attack
- C . Sabotage attack
- D . Disclosure attack
C
Explanation:
A sabotage attack is an attack that causes software to fail. It also prevents the intended users from accessing software. A sabotage attack is referred to as a denial of service (DoS) or compromise of availability.
ANS: B is incorrect. The reconnaissance attack enables an attacker to collect information about software and operating environment.
ANS: D is incorrect. The disclosure attack exposes the revealed data to an attacker.
ANS: A is incorrect. The enabling attack delivers an easy path for other attacks.
FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems.
Which of the following FITSAF levels shows that the procedures and controls have been implemented?
- A . Level 2
- B . Level 3
- C . Level 5
- D . Level 1
- E . Level 4
B
Explanation:
The following are the five levels of FITSAF based on SEI’s Capability Maturity Model (CMM):
Level 1: The first level reflects that an asset has documented a security policy.
Level 2: The second level shows that the asset has documented procedures and controls to implement the policy.
Level 3: The third level indicates that these procedures and controls have been implemented.
Level 4: The fourth level shows that the procedures and controls are tested and reviewed.
Level 5: The fifth level is the final level and shows that the asset has procedures and controls fully integrated into a comprehensive program.
Which of the following is a name, symbol, or slogan with which a product is identified?
- A . Trademark
- B . Copyright
- C . Trade secret
- D . Patent
A
Explanation:
A trademark is a name, symbol, or slogan with which a product is identified. Its uniqueness makes the product noticeable among products of the same type. For example, Pentium and Athlon are brand names of CPUs manufactured by Intel and AMD, respectively. Trademark law protects a company’s trademark by making it illegal for other companies to use it without the prior permission of the trademark owner. A trademark is registered so that others cannot use identical or similar marks.
ANS: C is incorrect. A trade secret is a formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known. It helps a business to obtain an economic advantage over its competitors or customers. In some jurisdictions, such secrets are referred to as confidential information or classified information.
ANS: B is incorrect. A copyright is a form of intellectual property, which secures to its holder the exclusive right to produce copies of his or her works of original expression, such as a literary work, movie, musical work or sound recording, painting, photograph, computer program, or industrial design, for a defined, yet extendable, period of time. It does not cover ideas or facts. Copyright laws protect intellectual property from misuse by other individuals.
ANS: D is incorrect. A patent is a set of exclusive rights granted to anyone who invents any new and useful machine, process, composition of matter, etc. A patent enables the inventor to legally enforce his right to exclude others from using his invention.
Della works as a project manager for BlueWell Inc. A threat with a dollar value of $250,000 is expected to occur in her project, and the frequency of threat occurrence per year is 0.01.
What will be the annualized loss expectancy in her project?
- A . $2,000
- B . $2,500
- C . $3,510
- D . $3,500
B
Explanation:
The annualized loss expectancy in her project will be $2,500. Annualized loss expectancy (ALE) is the annually expected financial loss to an organization from a threat. The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE).
It is mathematically expressed as follows: ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
Here, it is as follows:
ALE = SLE * ARO
= 250,000 * 0.01
= 2,500
ANS: D, C, and A are incorrect. These are not valid answers.
Which of the following coding practices are helpful in simplifying code? Each correct answer represents a complete solution. Choose all that apply.
- A . Programmers should use multiple small and simple functions rather than a single complex function.
- B . Software should avoid ambiguities and hidden assumptions, recursions, and GoTo statements.
- C . Programmers should implement high-consequence functions in minimum required lines of code and follow proper coding standards.
- D . Processes should have multiple entry and exit points.
ABC
Explanation:
The various coding practices that are helpful in simplifying the code are as follows:
- Programmers should implement high-consequence functions in the minimum required lines of code and follow proper coding standards.
- Software should implement the functions that are defined in the software specification.
- Software should avoid ambiguities and hidden assumptions, recursion, and GoTo statements.
- Programmers should use multiple small and simple functions rather than a single complex function.
- Processes should have only one entry point and the minimum number of exit points.
- Interdependencies should be kept to a minimum so that a process module or component can be disabled when it is not needed, or replaced when it is found insecure or a better alternative is available, without disturbing the software operations.
- Programmers should use object-oriented techniques, such as inheritance, encapsulation, and polymorphism, to keep the code simple and small.
ANS: D is incorrect. Processes should have only one entry point and the minimum number of exit points.
Which of the following methods does the Java Servlet Specification v2.4 define in the HttpServletRequest interface that control programmatic security? Each correct answer represents a complete solution. Choose all that apply.
- A . getCallerIdentity()
- B . isUserInRole()
- C . getUserPrincipal()
- D . getRemoteUser()
BCD
Explanation:
The methods of the HttpServletRequest interface that control programmatic security are as follows:
- getRemoteUser(): Returns the login name of the user making the request, if the user has been authenticated; otherwise it returns null.
- isUserInRole(): Determines whether the authenticated user is granted the specified role. It returns true if the user is in that role; otherwise it returns false.
- getUserPrincipal(): Returns a java.security.Principal object containing the name of the current authenticated user, or null if no user has been authenticated.
ANS: A is incorrect. It is not defined in the HttpServletRequest interface. The getCallerIdentity() method is used to obtain the java.security.Identity of the caller.
You are the project manager of the CUL project in your organization. You and the project team are assessing the risk events and creating a probability and impact matrix for the identified risks.
Which one of the following statements best describes the requirements for the data type used in qualitative risk analysis?
- A . A qualitative risk analysis encourages biased data to reveal risk tolerances.
- B . A qualitative risk analysis required unbiased stakeholders with biased risk tolerances.
- C . A qualitative risk analysis requires accurate and unbiased data if it is to be credible.
- D . A qualitative risk analysis requires fast and simple data to complete the analysis.
C
Explanation:
Of all the choices only this answer is accurate. The PMBOK clearly states that the data must be accurate and unbiased to be credible.
ANS: D is incorrect. This is not a valid statement about the qualitative risk analysis data.
ANS: A is incorrect. This is not a valid statement about the qualitative risk analysis data.
ANS: B is incorrect. This is not a valid statement about the qualitative risk analysis data.
FIPS 199 defines the three levels of potential impact on organizations.
Which of the following potential impact levels shows limited adverse effects on organizational operations, organizational assets, or individuals?
- A . Moderate
- B . Low
- C . Medium
- D . High
B
Explanation:
The potential impact is called low if the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
ANS: C is incorrect. Such a potential impact level does not exist.
ANS: A is incorrect. The potential impact is known to be moderate if the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
ANS: D is incorrect. The potential impact is called high if the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
You work as the senior project manager in SoftTech Inc. You are working on a software project using configuration management. Through configuration management you are decomposing the verification system into identifiable, understandable, manageable, traceable units that are known as Configuration Items (CIs). According to you, which of the following processes is known as the decomposition process of a verification system into Configuration Items?
- A . Configuration status accounting
- B . Configuration identification
- C . Configuration auditing
- D . Configuration control
B
Explanation:
Configuration identification is known as the decomposition process of a verification system into Configuration Items. Configuration identification is the process of identifying the attributes that define every aspect of a configuration item. A configuration item is a product (hardware and/or software) that has an end-user purpose. These attributes are recorded in configuration documentation and baselined. Baselining an attribute forces formal configuration change control processes to be effected in the event that these attributes are changed.
ANS: D is incorrect. Configuration control is a procedure within configuration management. It is a set of processes and approval stages required to change a configuration item’s attributes and to re-baseline them. It supports the change of the functional and physical attributes of software at various points in time, and performs systematic control of changes to the identified attributes. Configuration control is a means of ensuring that system changes are approved before being implemented, that only the proposed and approved changes are implemented, and that the implementation is complete and accurate.
ANS: A is incorrect. The configuration status accounting procedure is the ability to record and report on the configuration baselines associated with each configuration item at any moment of time. It supports the functional and physical attributes of software at various points in time, and performs systematic control of accounting to the identified attributes for the purpose of maintaining software integrity and traceability throughout the software development life cycle.
ANS: C is incorrect. Configuration auditing is the quality assurance element of configuration management. It consists of periodic checks to establish the consistency and completeness of accounting information and to validate that all configuration management policies are being followed. Configuration audits are broken into functional and physical configuration audits. They occur either at delivery or at the moment of effecting the change. A functional configuration audit ensures that the functional and performance attributes of a configuration item are achieved, while a physical configuration audit ensures that a configuration item is installed in accordance with the requirements of its detailed design documentation.
Bill is the project manager of the JKH Project. He and the project team have identified a risk event in the project with a high probability of occurrence and the risk event has a high cost impact on the project. Bill discusses the risk event with Virginia, the primary project customer, and she decides that the requirements surrounding the risk event should be removed from the project. The removal of the requirements does affect the project scope, but it can release the project from the high risk exposure.
What risk response has been enacted in this project?
- A . Mitigation
- B . Transference
- C . Acceptance
- D . Avoidance
D
Explanation:
This is an example of the avoidance risk response: the project plan has been changed to avoid the risk event. Risk avoidance is a technique used for threats. It creates changes to the project management plan that are meant either to eliminate the risk completely or to protect the project objectives from its impact. Risk avoidance removes the risk event entirely, either by adding steps to avoid the event or by reducing the project scope requirements. It may seem the answer to all possible risks, but avoiding risks also means losing out on the potential gains that accepting (retaining) the risk might have allowed.
ANS: C is incorrect. Acceptance is when the stakeholders acknowledge the risk event and they accept that the event could happen and could have an impact on the project. Acceptance is usually used for risk events that have low risk exposure or risk events in which the project has no control, such as a pending law or weather threats.
ANS: A is incorrect. Mitigation is involved with the actions to reduce an included risk’s probability and/or impact on the project’s objectives. As the risk was removed from the project, this scenario describes avoidance, not mitigation.
ANS: B is incorrect. Transference is when the risk is still within the project, but the ownership and management of the risk event is transferred to a third party – usually for a fee.
Martha registers a domain named Microsoft.in. She tries to sell it to Microsoft Corporation. Which of the following has she infringed?
- A . Copyright
- B . Trademark
- C . Patent
- D . Intellectual property
B
Explanation:
According to the Lanham Act, domain names fall under trademarks law. A new section 43(d) of the Trademark Act (Lanham Act) states that anyone who in bad faith registers, traffics in, or uses a domain name that infringes or dilutes another’s trademark has committed trademark infringement. Factors involved in assessing bad faith focus on activities typically associated with cyberpiracy or cybersquatting, such as whether the registrant has offered to sell the domain name to the trademark holder for financial gain without having used or intended to use it for a bona fide business; whether the domain-name registrant registered multiple domain names that are confusingly similar to the trademarks of others; and whether the trademark incorporated in the domain name is distinctive and famous. Other factors are whether the domain name consists of the legal name or common handle of the domain-name registrant and whether the domain-name registrant previously used the mark in connection with a bona fide business.
Which of the following is a variant with regard to Configuration Management?
- A . A CI that has the same name as another CI but shares no relationship.
- B . A CI that particularly refers to a software version.
- C . A CI that has the same essential functionality as another CI but a bit different in some small manner.
- D . A CI that particularly refers to a hardware specification.
C
Explanation:
A variant is a CI that has the same essential functionality as another CI but differs from it in some small manner, and therefore might need to be analyzed along with its generic group. A Configuration Item (CI) is an IT asset or a combination of IT assets that may depend on and have relationships with other IT processes. A CI will have attributes, which may be hierarchical, and relationships that are assigned by the configuration manager in the CM database. The Configuration Item (CI) attributes are as follows:
The organization level is the Tier 1 and it addresses risks from an organizational perspective.
What are the various Tier 1 activities? Each correct answer represents a complete solution. Choose all that apply.
- A . The organization plans to use the degree and type of oversight, to ensure that the risk management strategy is being effectively carried out.
- B . The level of risk tolerance.
- C . The techniques and methodologies an organization plans to employ, to evaluate information system-related security risks.
- D . The RMF primarily operates at Tier 1.
ABC
Explanation:
The Organization Level is Tier 1, and it addresses risks from an organizational perspective. It includes the following points:
- The techniques and methodologies an organization plans to employ to evaluate information system-related security risks.
- During risk assessment, the methods and procedures the organization plans to use to evaluate the significance of the risks identified.
- The types and extent of risk mitigation measures the organization plans to employ to address identified risks.
- The level of risk tolerance.
- According to the environment of operation, how the organization plans to monitor risks on an ongoing basis, given the inevitable changes to organizational information systems.
- The degree and type of oversight the organization plans to use in order to ensure that the risk management strategy is being effectively carried out.
ANS: D is incorrect. The RMF primarily operates at Tier 3.
An asset with a value of $600,000 is subject to a successful malicious attack threat twice a year. The asset has an exposure of 30 percent to the threat.
What will be the annualized loss expectancy?
- A . $360,000
- B . $180,000
- C . $280,000
- D . $540,000
A
Explanation:
The annualized loss expectancy will be $360,000. Annualized loss expectancy (ALE) is the annually expected financial loss to an organization from a threat. The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE).
It is mathematically expressed as follows:
ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
Here, it is as follows:
SLE = Asset value * EF (Exposure factor)
= 600,000 * (30/100)
= 600,000 * 0.30
= 180,000
ALE = SLE * ARO
= 180,000 * 2
= 360,000
ANS: C, B, and D are incorrect. These are not valid answers.
Which of the following are the common roles with regard to data in an information classification program? Each correct answer represents a complete solution. Choose all that apply.
- A . Editor
- B . Custodian
- C . Owner
- D . User
- E . Security auditor
BCDE
Explanation:
The following are the common roles with regard to data in an information classification program: owner, custodian, user, and security auditor.
The following are the responsibilities of the owner with regard to data in an information classification program:
- Determining what level of classification the information requires.
- Reviewing the classification assignments at regular time intervals and making changes as the business needs change.
- Delegating the responsibility of the data protection duties to the custodian.
The following are the responsibilities of the custodian with regard to data in an information classification program:
- Running regular backups and routinely testing the validity of the backup data.
- Performing data restoration from the backups when necessary.
- Controlling access, adding and removing privileges for individual users.
The users must comply with the requirements laid out in policies and procedures. They must also exercise due care. A security auditor examines an organization’s security procedures and mechanisms.
Which of the following life cycle modeling activities establishes service relationships and message exchange paths?
- A . Service-oriented logical design modeling
- B . Service-oriented conceptual architecture modeling
- C . Service-oriented discovery and analysis modeling
- D . Service-oriented business integration modeling
A
Explanation:
The service-oriented logical design modeling establishes service relationships and message exchange paths. It also addresses service visibility and crafts service logical compositions.
You have a storage media with some data and you make efforts to remove this data. After performing this, you analyze that the data remains present on the media.
Which of the following refers to the above mentioned condition?
- A . Object reuse
- B . Degaussing
- C . Residual
- D . Data remanence
D
Explanation:
Data remanence refers to the data that remains even after efforts have been made to remove or erase it. This occurs because data is left intact by a nominal file deletion operation, by reformatting of the storage media, or through the physical properties of the storage medium. Data remanence can make unintentional disclosure of sensitive information possible, so care is required before storage media is released into an uncontrolled environment.
ANS: C and B are incorrect. Neither term refers to the condition described.
ANS: A is incorrect. Object reuse refers to reassigning a storage medium that has contained one or more objects to a new subject.
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation.
Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.
- A . Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
- B . Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
- C . Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
- D . Certification is the official management decision given by a senior agency official to authorize operation of an information system.
AC
Explanation:
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. The C&A process is used extensively in the U.S. Federal Government. Some C&A processes include FISMA, NIACAP, DIACAP, and DCID 6/3. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
The Phase 1 of DITSCAP C&A is known as Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements.
What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.
- A . Negotiation
- B . Registration
- C . Document mission need
- D . Initial Certification Analysis
ABC
Explanation:
Phase 1 of DITSCAP C&A is known as the Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements. Phase 1 starts with the input of the mission need. This phase comprises three process activities: document mission need, registration, and negotiation.
ANS: D is incorrect. Initial Certification Analysis is a Phase 2 activity.
Which of the following NIST Special Publication documents provides a guideline on network security testing?
- A . NIST SP 800-42
- B . NIST SP 800-53A
- C . NIST SP 800-60
- D . NIST SP 800-53
- E . NIST SP 800-37
- F . NIST SP 800-59
A
Explanation:
NIST SP 800-42 provides a guideline on network security testing.
ANS: E, D, B, F, and C are incorrect. NIST has developed a suite of documents for conducting Certification & Accreditation (C&A). These documents are as follows:
- NIST Special Publication 800-37: This document is a guide for the security certification and accreditation of Federal Information Systems.
- NIST Special Publication 800-53: This document provides a guideline for security controls for Federal Information Systems.
- NIST Special Publication 800-53A: This document consists of techniques and procedures for verifying the effectiveness of security controls in Federal Information Systems.
- NIST Special Publication 800-59: This document is a guideline for identifying an information system as a National Security System.
- NIST Special Publication 800-60: This document is a guide for mapping types of information and information systems to security objectives and risk levels.
Which of the following tools is used to attack the Digital Watermarking?
- A . Steg-Only Attack
- B . Active Attacks
- C . 2Mosaic
- D . Gifshuffle
C
Explanation:
2Mosaic is a tool used for watermark breaking. It is an attack against a digital watermarking system. In this type of attack, an image is chopped into small pieces and then placed back together. When this image is embedded into a web page, the web browser renders the small pieces as one image. This image looks like the real image with no watermark in it. The attack is successful because the watermark cannot be read from very small pieces.
ANS: D is incorrect. Gifshuffle is used to hide messages or information inside GIF images. It does this by shuffling the colormap. This tool also provides compression and encryption.
ANS: B and A are incorrect. Active Attacks and Steg-Only Attacks are used to attack Steganography.
You and your project team have identified the project risks and now are analyzing the probability and impact of the risks.
What type of analysis of the risks provides a quick and high-level review of each identified risk event?
- A . Quantitative risk analysis
- B . Qualitative risk analysis
- C . Seven risk responses
- D . A risk probability-impact matrix
B
Explanation:
Qualitative risk analysis is a high-level, fast review of the risk event. Qualitative risk analysis qualifies the risk events for additional analysis.
What component of the change management system is responsible for evaluating, testing, and documenting changes created to the project scope?
- A . Project Management Information System
- B . Integrated Change Control
- C . Configuration Management System
- D . Scope Verification
C
Explanation:
The change management system is comprised of several components that guide the change request through the process. When a change request is made that will affect the project scope, the Configuration Management System evaluates the change request and documents the features and functions of the change on the project scope.
You work as a project manager for BlueWell Inc. You and your team are using a method or a (technical) process that still carries risks even if all theoretically possible safety measures were applied. One of your team members wants to know what a residual risk is.
What will you reply to your team member?
- A . It is a risk that remains because no risk response is taken.
- B . It is a risk that can not be addressed by a risk response.
- C . It is a risk that will remain no matter what type of risk response is offered.
- D . It is a risk that remains after planned risk responses are taken.
D
Explanation:
Residual risks are generally smaller risks that remain in the project after larger risks have been addressed. The residual risk is the risk or danger of an action or an event, a method or a (technical) process that still carries these dangers even if all theoretically possible safety measures were applied. The formula to calculate residual risk is (inherent risk) x (control risk), where inherent risk is (threats x vulnerability).
ANS: B is incorrect. This is not a valid statement about residual risks.
ANS: C is incorrect. This is not a valid statement about residual risks.
ANS: A is incorrect. This is not a valid statement about residual risks.
You are the project manager of the NNN project for your company. You and the project team are working together to plan the risk responses for the project. You feel that the team has successfully completed the risk response planning, and now you must determine which risk process comes next.
Which of the following risk processes is repeated after the plan risk responses to determine if the overall project risk has been satisfactorily decreased?
- A . Quantitative risk analysis
- B . Risk identification
- C . Risk response implementation
- D . Qualitative risk analysis
A
Explanation:
The quantitative risk analysis process is repeated after the plan risk responses to determine if the overall project risk has been satisfactorily decreased.
ANS: D is incorrect. Qualitative risk analysis is not repeated after the plan risk response process.
ANS: B is incorrect. Risk identification is an ongoing process that happens throughout the project.
ANS: C is incorrect. Risk response implementation is not a project management process.
Which of the following statements is true about residual risks?
- A . It is the probabilistic risk after implementing all security measures.
- B . It can be considered as an indicator of threats coupled with vulnerability.
- C . It is a weakness or lack of safeguard that can be exploited by a threat.
- D . It is the probabilistic risk before implementing all security measures.
A
Explanation:
The residual risk is the risk or danger of an action, an event, a method or a (technical) process that still carries these dangers even if all theoretically possible safety measures were applied. The formula to calculate residual risk is (inherent risk) x (control risk), where inherent risk is (threats x vulnerability).
ANS: B is incorrect. In information security, security risks are considered as an indicator of threats coupled with vulnerability. In other words, security risk is a probabilistic function of a given threat agent exercising a particular vulnerability and the impact of that risk on the organization. Security risks can be mitigated by reviewing and taking responsible actions based on possible risks.
ANS: C is incorrect. Vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to the information systems or networks. It can exist in hardware, operating systems, firmware, applications, and configuration files. Vulnerability has been variously defined in the current context as follows:
- 1. A security weakness in a Target of Evaluation due to failures in analysis, design, implementation, or operation and such.
- 2. Weakness in an information system or its components (e.g. system security procedures, hardware design, or internal controls) that could be exploited to produce an information-related misfortune.
- 3. The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved.
To help review or design security controls, they can be classified by several criteria. One of these criteria is based on their nature.
According to this criterion, which of the following controls consists of incident response processes, management oversight, security awareness, and training?
- A . Compliance control
- B . Physical control
- C . Procedural control
- D . Technical control
C
Explanation:
Procedural controls include incident response processes, management oversight, security awareness, and training.
ANS: B is incorrect. Physical controls include fences, doors, locks, and fire extinguishers.
ANS: D is incorrect. Technical controls include user authentication (login) and logical access controls, antivirus software, and firewalls.
ANS: A is incorrect. The legal and regulatory, or compliance controls, include privacy laws, policies, and clauses.
A Web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark’s financial and personal details to another company.
Which of the following Internet laws has the credit card issuing company violated?
- A . Trademark law
- B . Security law
- C . Privacy law
- D . Copyright law
C
Explanation:
The credit card issuing company has violated the Privacy law. According to the Internet Privacy law, a company cannot provide their customer’s financial and personal details to other companies.
ANS: A is incorrect. Trademark laws facilitate the protection of trademarks around the world.
ANS: B is incorrect. There is no law such as Security law.
ANS: D is incorrect. The Copyright law protects original works or creations of authorship including literary, dramatic, musical, artistic, and certain other intellectual works.
There are seven risk responses that a project manager can choose from.
Which risk response is appropriate for both positive and negative risk events?
- A . Acceptance
- B . Transference
- C . Sharing
- D . Mitigation
A
Explanation:
Only acceptance is appropriate for both positive and negative risk events. Often sharing is used for low probability and low impact risk events regardless of the positive or negative effects the risk event may bring the project. The acceptance response is a part of the Risk Response Planning process.
The acceptance response delineates that the project plan will not be changed to deal with the risk. Management may develop a contingency plan if the risk does occur. The acceptance response to a risk event is a strategy that can be used for risks that pose either threats or opportunities. The acceptance response can be of two types:
- Passive acceptance: A strategy in which no plans are made to try to avoid or mitigate the risk.
- Active acceptance: Such responses include developing contingency reserves to deal with risks, in case they occur.
Acceptance is the only response for both threats and opportunities.
ANS: C is incorrect. Sharing is a positive risk response that shares an opportunity for all parties involved in the risk event.
ANS: B is incorrect. Transference is a negative risk response that transfers the risk ownership to a third party, such as a vendor, through a contractual relationship.
ANS: D is incorrect. Mitigation is a negative risk response that seeks to lower the probability and/or impact of a risk event.
You work as a Security Manager for Tech Perfect Inc. In the organization, Syslog is used for computer system management and security auditing, as well as for generalized informational, analysis, and debugging messages. You want to prevent a denial of service (DoS) for the Syslog server and the loss of Syslog messages from other sources.
What will you do to accomplish the task?
- A . Use a different message format other than Syslog in order to accept data.
- B . Enable the storage of log entries in both traditional Syslog files and a database.
- C . Limit the number of Syslog messages or TCP connections from a specific source for a certain time period.
- D . Encrypt rotated log files automatically using third-party or OS mechanisms.
C
Explanation:
In order to accomplish the task, you should limit the number of Syslog messages or TCP connections from a specific source for a certain time period. This will prevent a denial of service (DoS) for the Syslog server and the loss of Syslog messages from other sources.
ANS: D is incorrect. You can encrypt rotated log files automatically using third-party or OS mechanisms to protect data confidentiality.
ANS: A is incorrect. You can use a different message format other than Syslog in order to accept data for aggregating data from hosts that do not support Syslog.
ANS: B is incorrect. You can enable the storage of log entries in both traditional Syslog files and a database for creating a database storage for logs.
You work as a project manager for a company. The company has started a new security software project. The software configuration management will be used throughout the lifecycle of the project. You are tasked to modify the functional features and the basic logic of the software and then make them compatible to the initial design of the project.
Which of the following procedures of the configuration management will you follow to accomplish the task?
- A . Configuration status accounting
- B . Configuration control
- C . Configuration audits
- D . Configuration identification
B
Explanation:
Configuration control is a procedure of the Configuration management. Configuration control is a set of processes and approval stages required to change a configuration item’s attributes and to re-baseline them. It supports the change of the functional and physical attributes of software at various points in time, and performs systematic control of changes to the identified attributes.
ANS: C is incorrect. Configuration audits confirm that the configuration identification for a configured item is accurate, complete, and will meet specified program needs. Configuration audits are broken into functional and physical configuration audits. They occur either at delivery or at the moment of effecting the change. A functional configuration audit ensures that functional and performance attributes of a configuration item are achieved, while a physical configuration audit ensures that a configuration item is installed in accordance with the requirements of its detailed design documentation.
ANS: D is incorrect. Configuration identification is the process of identifying the attributes that define every aspect of a configuration item. A configuration item is a product (hardware and/or software) that has an end-user purpose. These attributes are recorded in configuration documentation and baselined. Baselining an attribute forces formal configuration change control processes to be effected in the event that these attributes are changed.
ANS: A is incorrect. The configuration status accounting procedure is the ability to record and report on the configuration baselines associated with each configuration item at any moment of time. It supports the functional and physical attributes of software at various points in time, and performs systematic control of accounting to the identified attributes for the purpose of maintaining software integrity and traceability throughout the software development life cycle.
Which of the following areas of information system, as separated by Information Assurance Framework, is a collection of local computing devices, regardless of physical location, that are interconnected via local area networks (LANs) and governed by a single security policy?
- A . Local Computing Environments
- B . Networks and Infrastructures
- C . Supporting Infrastructures
- D . Enclave Boundaries
D
Explanation:
The areas of an information system, as separated by the Information Assurance Framework, are as follows:
- Local Computing Environments: This area includes servers, client workstations, operating systems, and applications.
- Enclave Boundaries: This area consists of a collection of local computing devices, regardless of physical location, that are interconnected via local area networks (LANs) and governed by a single security policy.
- Networks and Infrastructures: This area provides the network connectivity between enclaves. It includes operational area networks (OANs), metropolitan area networks (MANs), and campus area networks (CANs).
- Supporting Infrastructures: This area provides security services for networks, client workstations, Web servers, operating systems, applications, files, and single-use infrastructure machines.
Which of the following is a signature-based intrusion detection system (IDS) ?
- A . RealSecure
- B . StealthWatch
- C . Tripwire
- D . Snort
D
Explanation:
Snort is a signature-based intrusion detection system. Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs network activities that match the predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). The three main modes in which Snort can be configured are as follows:
- Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the console.
- Packet logger mode: It logs the packets to the disk.
- Network intrusion detection mode: It is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.
ANS: B is incorrect. StealthWatch is a behavior-based intrusion detection system.
ANS: A is incorrect. RealSecure is a network-based IDS that monitors TCP, UDP and ICMP traffic and is configured to look for attack patterns.
ANS: C is incorrect. Tripwire is a file integrity checker for UNIX/Linux that can be used for host-based intrusion detection.
Which of the following statements about the availability concept of Information security management is true?
- A . It ensures that modifications are not made to data by unauthorized personnel or processes.
- B . It determines actions and behaviors of a single individual within a system.
- C . It ensures reliable and timely access to resources.
- D . It ensures that unauthorized modifications are not made to data by authorized personnel or processes.
C
Explanation:
The concept of availability ensures reliable and timely access to data or resources. In other words, availability ensures that the systems are up and running when needed. The availability concept also ensures that the security services are in working order.
ANS: A and D are incorrect. The concept of integrity ensures that modifications are not made to data by unauthorized personnel or processes. It also ensures that unauthorized modifications are not made to data by authorized personnel or processes.
ANS: B is incorrect. Accountability determines the actions and behaviors of an individual within a system, and identifies that particular individual. Audit trails and logs support accountability.
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization.
Which of the following are required to be addressed in a well-designed policy? Each correct answer represents a part of the solution. Choose all that apply.
- A . What is being secured?
- B . Where is the vulnerability, threat, or risk?
- C . Who is expected to exploit the vulnerability?
- D . Who is expected to comply with the policy?
ABD
Explanation:
A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A well-designed policy addresses the following:
- What is being secured? – Typically an asset.
- Who is expected to comply with the policy? – Typically employees.
- Where is the vulnerability, threat, or risk? – Typically an issue of integrity or responsibility.
The Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3.
What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.
- A . Security operations
- B . Maintenance of the SSAA
- C . Compliance validation
- D . Change management
- E . System operations
- F . Continue to review and refine the SSAA
ABCDE
Explanation:
Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. The goal of this phase is to continue to operate and manage the system and to ensure that it will maintain an acceptable level of residual risk. The process activities of this phase are as follows:
- System operations
- Security operations
- Maintenance of the SSAA
- Change management
- Compliance validation
ANS: F is incorrect. It is a Phase 3 activity.
You work as a security engineer for BlueWell Inc.
Which of the following documents will you use as a guide for the security certification and accreditation of Federal Information Systems?
- A . NIST Special Publication 800-60
- B . NIST Special Publication 800-53
- C . NIST Special Publication 800-37
- D . NIST Special Publication 800-59
C
Explanation:
NIST has developed a suite of documents for conducting Certification & Accreditation (C&A).
These documents are as follows:
- NIST Special Publication 800-37: This document is a guide for the security certification and accreditation of Federal Information Systems.
- NIST Special Publication 800-53: This document provides a guideline for security controls for Federal Information Systems.
- NIST Special Publication 800-53A: This document consists of techniques and procedures for verifying the effectiveness of security controls in Federal Information Systems.
- NIST Special Publication 800-59: This document is a guideline for identifying an information system as a National Security System.
- NIST Special Publication 800-60: This document is a guide for mapping types of information and information systems to security objectives and risk levels.
Which of the following is an example of over-the-air (OTA) provisioning in digital rights management?
- A . Use of shared secrets to initiate or rebuild trust.
- B . Use of software to meet the deployment goals.
- C . Use of concealment to avoid tampering attacks.
- D . Use of device properties for unique identification.
A
Explanation:
Over-the-air provisioning is a mechanism to deploy MIDlet suites over a network. It is a method of distributing MIDlet suites. MIDlet suite providers install their MIDlet suites on Web servers and provide a hypertext link for downloading. A user can use this link to download the MIDlet suite either through the Internet microbrowser or through WAP on his device. Over-the-air provisioning is required for end-to-end encryption or other security purposes in order to deliver copyrighted software to a mobile device, for example, the use of shared secrets to initiate or rebuild trust.
ANS: D and C are incorrect. The use of device properties for unique identification and the use of concealment to avoid tampering attacks are the security challenges in digital rights management (DRM).
ANS: B is incorrect. The use of software and hardware to meet the deployment goals is a distracter.
The service-oriented modeling framework (SOMF) provides a common modeling notation to address alignment between business and IT organizations.
Which of the following principles does the SOMF concentrate on? Each correct answer represents a part of the solution. Choose all that apply.
- A . Architectural components abstraction
- B . SOA value proposition
- C . Business traceability
- D . Disaster recovery planning
- E . Software assets reuse
ABCE
Explanation:
The service-oriented modeling framework (SOMF) concentrates on the following principles:
- Business traceability
- Architectural best-practices traceability
- Technological traceability
- SOA value proposition
- Software assets reuse
- SOA integration strategies
- Technological abstraction and generalization
- Architectural components abstraction
ANS: D is incorrect. The service-oriented modeling framework (SOMF) does not concentrate on it.
Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual?
- A . DoD 8910.1
- B . DoD 7950.1-M
- C . DoDD 8000.1
- D . DoD 5200.22-M
- E . DoD 5200.1-R
B
Explanation:
The various DoD directives are as follows:
- DoD 5200.1-R: This DoD directive refers to the ‘Information Security Program Regulation’.
- DoD 5200.22-M: This DoD directive refers to the ‘National Industrial Security Program Operating Manual’.
- DoD 7950.1-M: This DoD directive refers to the ‘Defense Automation Resources Management Manual’.
- DoDD 8000.1: This DoD directive refers to the ‘Defense Information Management (IM) Program’.
- DoD 8910.1: This DoD directive refers to the ‘Management and Control of Information Requirements’.
Which of the following access control models are used in the commercial sector? Each correct answer represents a complete solution. Choose two.
- A . Biba model
- B . Clark-Biba model
- C . Clark-Wilson model
- D . Bell-LaPadula model
AC
Explanation:
The Biba and Clark-Wilson access control models are used in the commercial sector. The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject. The Clark-Wilson security model provides a foundation for specifying and analyzing an integrity policy for a computing system.
ANS: D is incorrect. The Bell-LaPadula access control model is mainly used in military systems.
ANS: B is incorrect. There is no such access control model as Clark-Biba.
Which of the following testing methods verifies the interfaces between components against a software design?
- A . Regression testing
- B . Integration testing
- C . Black-box testing
- D . Unit testing
B
Explanation:
Integration testing is a software testing that seeks to verify the interfaces between components against a software design. Software components may be integrated in an iterative way or all together ("big bang"). Normally the former is considered a better practice since it allows interface issues to be localized more quickly and fixed. Integration testing works to expose defects in the interfaces and interaction between the integrated components (modules). Progressively larger groups of tested software components corresponding to elements of the architectural design are integrated and tested until the software works as a system.
ANS: A is incorrect. Regression testing focuses on finding defects after a major code change has occurred. Specifically, it seeks to uncover software regressions, or old bugs that have come back. Such regressions occur whenever software functionality that was previously working correctly stops working as intended. Typically, regressions occur as an unintended consequence of program changes, when the newly developed part of the software collides with the previously existing code.
ANS: D is incorrect. Unit testing refers to tests that verify the functionality of a specific section of code, usually at the function level. In an object-oriented environment, this is usually at the class level, and the minimal unit tests include the constructors and destructors. These types of tests are usually written by developers as they work on code (white-box style), to ensure that the specific function is working as expected. One function might have multiple tests, to catch corner cases or other branches in the code. Unit testing alone cannot verify the functionality of a piece of software, but rather is used to assure that the building blocks the software uses work independently of each other.
ANS: C is incorrect. Black-box testing uses external descriptions of the software, including specifications, requirements, and design, to derive test cases. These tests can be functional or non-functional, though usually functional. The test designer selects valid and invalid inputs and determines the correct output. There is no knowledge of the test object’s internal structure. This method of test design is applicable to all levels of software testing: unit, integration, functional, system and acceptance testing. The higher the level, and hence the bigger and more complex the box, the more one is forced to use black-box testing to simplify. While this method can uncover unimplemented parts of the specification, one cannot be sure that all existent paths are tested.
Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?
- A . The custodian makes the initial information classification assignments, and the operations manager implements the scheme.
- B . The data owner implements the information classification scheme after the initial assignment by the custodian.
- C . The custodian implements the information classification scheme after the initial assignment by the operations manager.
- D . The data custodian implements the information classification scheme after the initial assignment by the data owner.
D
Explanation:
The data owner is responsible for ensuring that the appropriate security controls are in place, for assigning the initial classification to the data to be protected, for approving access requests from other parts of the organization, and for periodically reviewing the data classifications and access rights. Data owners are primarily responsible for determining the data’s sensitivity or classification levels, whereas the data custodian has the responsibility for backup, retention, and recovery of data. The data owner delegates these responsibilities to the custodian.
ANS: B, A, and C are incorrect. These are not the valid answers.
Della works as a security engineer for BlueWell Inc. She wants to establish configuration management and control procedures that will document proposed or actual changes to the information system.
Which of the following phases of NIST SP 800-37 C&A methodology will define the above task?
- A . Initiation
- B . Security Certification
- C . Continuous Monitoring
- D . Security Accreditation
C
Explanation:
The various phases of NIST SP 800-37 C&A are as follows:
- Phase 1: Initiation: This phase includes preparation, notification and resource identification. It performs the security plan analysis, update, and acceptance.
- Phase 2: Security Certification: The security certification phase evaluates the controls and documentation.
- Phase 3: Security Accreditation: The security accreditation phase examines the residual risk for acceptability, and prepares the final security accreditation package.
- Phase 4: Continuous Monitoring: This phase covers configuration management and control, ongoing security control verification, and status reporting and documentation.
Which of the following secure coding principles and practices defines the appearance of code listing so that a code reviewer and maintainer who have not written that code can easily understand it?
- A . Make code forward and backward traceable
- B . Review code during and after coding
- C . Use a consistent coding style
- D . Keep code simple and small
C
Explanation:
‘Use a consistent coding style’ is one of the principles and practices that contribute to defensive coding. This principle defines the appearance of a code listing so that a code reviewer and maintainer who have not written that code can easily understand it. For this purpose, all programmers of a team must follow the same guidelines.
ANS: D is incorrect. ‘Keep code simple and small’ defines that it is easier to verify the security of software when a programmer uses a small and simple code base.
ANS: A is incorrect. Make code forward and backward traceable defines that traceability is necessary in order to validate requirements, prevent defects, and find and solve inconsistencies among all objects generated in the SDLC phases.
ANS: B is incorrect. Review code during and after coding defines that code must be examined in order to identify coding errors in modules.