CISSP-ISSEP Topic 2
QUESTION NO: 46
Which of the following principles are defined by the IATF model? Each correct answer represents a complete solution. Choose all that apply.
A. The degree to which the security of the system, as it is defined, designed, and implemented, meets the security needs.
B. The problem space is defined by the customer’s mission or business needs.
C. The systems engineer and information systems security engineer define the solution space, which is driven by the problem space.
D. Always keep the problem and solution spaces separate.
Answer: B,C,D
QUESTION NO: 47
Which of the following cooperative programs carried out by NIST conducts research to advance the nation's technology infrastructure?
A. Manufacturing Extension Partnership
B. NIST Laboratories
C. Baldrige National Quality Program
D. Advanced Technology Program
Answer: B
QUESTION NO: 48
Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system?
A. System Owner
B. Information Systems Security Officer (ISSO)
C. Designated Approving Authority (DAA)
D. Chief Information Security Officer (CISO)
Answer: C
QUESTION NO: 49
Which of the following assessment methodologies defines a six-step technical security evaluation?
A. FITSAF
B. OCTAVE
C. FIPS 102
D. DITSCAP
Answer: C
QUESTION NO: 50
What are the subordinate tasks of the Implement and Validate Assigned IA Control phase in the DIACAP process? Each correct answer represents a complete solution. Choose all that apply.
A. Conduct activities related to the disposition of the system data and objects.
B. Combine validation results in DIACAP scorecard.
C. Conduct validation activities.
D. Execute and update IA implementation plan.
Answer: B,C,D
QUESTION NO: 51
Which of the following memorandums reminds the Federal agencies that they are required by law and policy to establish clear privacy policies for Web activities and to comply with those policies?
A. OMB M-01-08
B. OMB M-03-19
C. OMB M-00-07
D. OMB M-00-13
Answer: D
QUESTION NO: 52
Lisa is the project manager of the SQL project for her company. She has completed the risk response planning with her project team and is now ready to update the risk register to reflect the risk responses. Which of the following statements best describes the level of detail Lisa should include with the risk responses she has created?
A. The level of detail must define exactly the risk response for each identified risk.
B. The level of detail is set by project risk governance.
C. The level of detail is set by historical information.
D. The level of detail should correspond with the priority ranking.
Answer: D
QUESTION NO: 53
You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A methodology, which is based on four well-defined phases. In which of the following phases of the NIST SP 800-37 C&A methodology does security categorization occur?
A. Continuous Monitoring
B. Initiation
C. Security Certification
D. Security Accreditation
Answer: B
QUESTION NO: 54
You work as a systems engineer for BlueWell Inc. You are working on translating system requirements into detailed functional criteria. Which of the following diagrams will help you to show all of the functional requirements and their groupings in one diagram?
A. Activity diagram
B. Functional flow block diagram (FFBD)
C. Functional hierarchy diagram
D. Timeline analysis diagram
Answer: C
QUESTION NO: 55
Which of the following phases of DITSCAP includes the activities that are necessary for the continuing operation of an accredited IT system in its computing environment and for addressing the changing threats that a system faces throughout its life cycle?
A. Phase 1, Definition
B. Phase 3, Validation
C. Phase 4, Post Accreditation Phase
D. Phase 2, Verification
Answer: C
QUESTION NO: 56
Which of the following Security Control Assessment Tasks evaluates the operational, technical, and management security controls of the information system using the techniques and measures selected or developed?
A. Security Control Assessment Task 3
B. Security Control Assessment Task 1
C. Security Control Assessment Task 4
D. Security Control Assessment Task 2
Answer: A
QUESTION NO: 57
Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.
A. Assessment of the Analysis Results
B. Certification analysis
C. Registration
D. System development
E. Configuring refinement of the SSAA
Answer: A,B,D,E
QUESTION NO: 58
You work as a Network Administrator for PassGuide Inc. You need to secure the web services of your company in order to have secure transactions. Which of the following will you recommend for providing security?
A. HTTP
B. VPN
C. SMIME
D. SSL
Answer: D
QUESTION NO: 59
Which of the following publications describe studies of a technical nature of interest to a focused audience, and consist of interim or final reports on work performed by NIST for external sponsors, including government and non-government sponsors?
A. Federal Information Processing Standards (FIPS)
B. Special Publication (SP)
C. NISTIRs (Internal Reports)
D. DIACAP
Answer: C
QUESTION NO: 60 CORRECT TEXT
SIMULATION
Fill in the blank with an appropriate phrase. __________ seeks to improve the quality of process outputs by identifying and removing the causes of defects and variability in manufacturing and business processes.
Answer:
Six Sigma
QUESTION NO: 61
You work as a security engineer for BlueWell Inc. You are working on the ISSE model. In which of the following phases of the ISSE model is the system defined in terms of what security is needed?
A. Define system security architecture
B. Develop detailed security design
C. Discover information protection needs
D. Define system security requirements
Answer: D
QUESTION NO: 62
TQM recognizes that the quality of all the processes within an organization contributes to the quality of the product. Which of the following are the most important activities in Total Quality Management? Each correct answer represents a complete solution. Choose all that apply.
A. Quality renewal
B. Maintenance of quality
C. Quality costs
D. Quality improvements
Answer: A,B,D
QUESTION NO: 63 CORRECT TEXT
SIMULATION
Fill in the blank with the appropriate phrase. The ____________ is the risk that remains after the implementation of new or enhanced controls.
Answer:
residual risk
QUESTION NO: 64
Which of the following is designed to detect unwanted attempts at accessing, manipulating, and disabling computer systems through the Internet?
A. DAS
B. IDS
C. ACL
D. IPSec
Answer: B
QUESTION NO: 65
Which of the following security controls is standardized by the Internet Engineering Task Force (IETF) as the primary network layer protection mechanism?
A. Internet Key Exchange (IKE) Protocol
B. SMIME
C. Internet Protocol Security (IPSec)
D. Secure Socket Layer (SSL)
Answer: C
QUESTION NO: 66
Which of the following DoD policies provides assistance on how to implement policy, assign responsibilities, and prescribe procedures for applying integrated, layered protection of DoD information systems and networks?
A. DoD 8500.1 Information Assurance (IA)
B. DoDI 5200.40
C. DoD 8510.1-M DITSCAP
D. DoD 8500.2 Information Assurance Implementation
Answer: D
QUESTION NO: 67
Which of the following is a document, usually in the form of a table, that correlates any two baseline documents that require a many-to-many relationship to determine the completeness of the relationship?
A. FIPS 200
B. NIST SP 800-50
C. Traceability matrix
D. FIPS 199
Answer: C
QUESTION NO: 68
The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the roles of a supporter and an advisor, respectively. Which of the following statements are true about the ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply.
A. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).
B. An ISSE provides advice on the impacts of system changes.
C. An ISSE provides advice on the continuous monitoring of the information system.
D. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).
E. An ISSO takes part in the development activities that are required to implement system changes.
Answer: B,C,D
QUESTION NO: 69 CORRECT TEXT
SIMULATION
Fill in the blank with an appropriate word. _______ has the goal to securely interconnect people and systems independent of time or location.
Answer:
Netcentric
QUESTION NO: 70
Which of the following configuration management system processes keeps track of the changes so that the latest acceptable configuration specifications are readily available?
A. Configuration Identification
B. Configuration Verification and Audit
C. Configuration Status and Accounting
D. Configuration Control
Answer: C
QUESTION NO: 71
Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?
A. SSAA
B. FITSAF
C. FIPS
D. TCSEC
Answer: A
QUESTION NO: 72
Your company is covered under a liability insurance policy, which provides various liability coverage for information security risks, including any physical damage to assets, hacking attacks, etc. Which of the following risk management techniques is your company using?
A. Risk acceptance
B. Risk mitigation
C. Risk avoidance
D. Risk transfer
Answer: D
QUESTION NO: 73
Which of the following responsibilities are executed by the federal program manager?
A. Ensure justification of expenditures and investment in systems engineering activities.
B. Coordinate activities to obtain funding.
C. Review project deliverables.
D. Review and approve project plans.
Answer: A,B,D
QUESTION NO: 74
Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply.
A. Right-Up Approach
B. Left-Up Approach
C. Bottom-Up Approach
D. Top-Down Approach
Answer: C,D
QUESTION NO: 75 CORRECT TEXT
SIMULATION
Fill in the blank with the appropriate phrase. __________ provides instructions and directions for completing the Systems Security Authorization Agreement (SSAA).
Answer:
DoDI 5200.40
QUESTION NO: 76
Which of the following acts promote a risk-based policy for cost-effective security? Each correct answer represents a part of the solution. Choose all that apply.
A. Clinger-Cohen Act
B. Lanham Act
C. Paperwork Reduction Act (PRA)
D. Computer Misuse Act
Answer: A,C
QUESTION NO: 77
Which of the following tasks prepares the technical management plan in planning the technical effort?
A. Task 10
B. Task 9
C. Task 7
D. Task 8
Answer: B
QUESTION NO: 78
Which of the following NIST Special Publication documents provides a guideline on network security testing?
A. NIST SP 800-60
B. NIST SP 800-37
C. NIST SP 800-59
D. NIST SP 800-42
E. NIST SP 800-53A
F. NIST SP 800-53
Answer: D
QUESTION NO: 79
Which of the following Registration Tasks sets up the system architecture description and describes the C&A boundary?
A. Registration Task 3
B. Registration Task 4
C. Registration Task 2
D. Registration Task 1
Answer: B
QUESTION NO: 80
Stella works as a system engineer for BlueWell Inc. She wants to identify the performance thresholds of each build. Which of the following tests will help Stella to achieve her task?
A. Regression test
B. Reliability test
C. Functional test
D. Performance test
Answer: D
QUESTION NO: 81
Which of the following cooperative programs carried out by NIST encourages performance excellence among U.S. manufacturers, service companies, educational institutions, and healthcare providers?
A. Manufacturing Extension Partnership
B. Baldrige National Quality Program
C. Advanced Technology Program
D. NIST Laboratories
Answer: B
QUESTION NO: 82
Your project is an agricultural project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seized this opportunity, it would be an example of which risk response?
A. Enhancing
B. Positive
C. Opportunistic
D. Exploiting
Answer: D
QUESTION NO: 83
Which of the following processes provide guidance to the system designers and form the basis of major events in the acquisition phases, such as testing the products for system integration?
A. Operational scenarios
B. Functional requirements
C. Human factors
D. Performance requirements
Answer: A
QUESTION NO: 84
The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. Which of the following participants are required in a NIACAP security assessment? Each correct answer represents a part of the solution. Choose all that apply.
A. Information Assurance Manager
B. Designated Approving Authority
C. Certification agent
D. IS program manager
E. User representative
Answer: B,C,D,E
QUESTION NO: 85
Which of the following is NOT used in the practice of Information Assurance (IA) to define assurance requirements?
A. Classic information security model
B. Five Pillars model
C. Communications Management Plan
D. Parkerian Hexad
Answer: C
QUESTION NO: 86
Which of the following NIST documents states that minimizing negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems?
A. NIST SP 800-37
B. NIST SP 800-30
C. NIST SP 800-53
D. NIST SP 800-60
Answer: B
QUESTION NO: 87
Which of the following roles is also known as the accreditor?
A. Data owner
B. Chief Information Officer
C. Chief Risk Officer
D. Designated Approving Authority
Answer: D