CISSP-ISSEP Topic 3
QUESTION NO: 88
In which of the following DIACAP phases is residual risk analyzed?
A. Phase 2
B. Phase 3
C. Phase 5
D. Phase 1
E. Phase 4
Answer: E
QUESTION NO: 89
Which of the following CNSS policies describes the national policy on controlled access protection?
A. NSTISSP No. 101
B. NSTISSP No. 200
C. NCSC No. 5
D. CNSSP No. 14
Answer: B
QUESTION NO: 90
Which of the following agencies is responsible for funding the development of many technologies, such as computer networking, as well as NLS?
A. DARPA
B. DTIC
C. DISA
D. DIAP
Answer: A
QUESTION NO: 91
Which of the following organizations is a USG initiative designed to meet the security testing, evaluation, and assessment needs of both information technology (IT) producers and consumers?
A. NSA
B. NIST
C. CNSS
D. NIAP
Answer: D
QUESTION NO: 92
Risk transference refers to the transfer of risk to a third party, usually for a fee; it creates a contractual relationship for the third party to manage the risk on behalf of the performing organization. Which one of the following is NOT an example of the transference risk response?
A. Warranties
B. Performance bonds
C. Use of insurance
D. Life cycle costing
Answer: D
QUESTION NO: 93
You work as a security engineer for BlueWell Inc. According to you, which of the following DITSCAP/NIACAP model phases occurs at the initiation of the project, or at the initial C&A effort of a legacy system?
A. Post Accreditation
B. Definition
C. Verification
D. Validation
Answer: B
QUESTION NO: 94 CORRECT TEXT
SIMULATION
Fill in the blank with an appropriate phrase. A ____________________ is defined as any activity that has an effect on defining, designing, building, or executing a task, requirement, or procedure.
Answer:
technical effort
QUESTION NO: 95
According to which of the following DoD policies, the implementation of DITSCAP is mandatory for all the systems that process both DoD classified and unclassified information?
A. DoD 8500.2
B. DoDI 5200.40
C. DoD 8510.1-M DITSCAP
D. DoD 8500.1 (IAW)
Answer: D
QUESTION NO: 96
Which of the following federal laws are related to hacking activities? Each correct answer represents a complete solution. Choose three.
A. 18 U.S.C. 1030
B. 18 U.S.C. 1029
C. 18 U.S.C. 2510
D. 18 U.S.C. 1028
Answer: A,B,C
QUESTION NO: 97
Which of the following Registration Tasks notifies the DAA, Certifier, and User Representative that the system requires C&A support?
A. Registration Task 4
B. Registration Task 1
C. Registration Task 3
D. Registration Task 2
Answer: D
QUESTION NO: 98
Which of the following are the most important tasks of the Information Management Plan (IMP)?
Each correct answer represents a complete solution. Choose all that apply.
A. Define the Information Protection Policy (IPP).
B. Define the System Security Requirements.
C. Define the mission need.
D. Identify how the organization manages its information.
Answer: A,C,D
QUESTION NO: 99
FIPS 199 defines three levels of potential impact on organizations. Which of the following potential impact levels indicates limited adverse effects on organizational operations, organizational assets, or individuals?
A. Moderate
B. Medium
C. High
D. Low
Answer: D
QUESTION NO: 100
The principle of the SEMP is not to repeat the information, but rather to ensure that there are processes in place to conduct those functions. Which of the following sections of the SEMP template describes the work authorization procedures as well as the change management approval processes?
A. Section 3.1.8
B. Section 3.1.9
C. Section 3.1.5
D. Section 3.1.7
Answer: B
QUESTION NO: 101
Which of the following departments protects and supports DoD information, information systems, and information networks that are critical to the department and the armed forces during day-to-day operations and in times of crisis?
A. DIAP
B. DARPA
C. DTIC
D. DISA
Answer: A
QUESTION NO: 102
Which of the following organizations builds secure audio and video communications equipment, makes tamper-protection products, and provides trusted microelectronics solutions?
A. DTIC
B. NSA IAD
C. DIAP
D. DARPA
Answer: B
QUESTION NO: 103
Which of the following federal laws establishes roles and responsibilities for information security, risk management, testing, and training, and authorizes NIST and NSA to provide guidance for security planning and implementation?
A. Computer Fraud and Abuse Act
B. Government Information Security Reform Act (GISRA)
C. Federal Information Security Management Act (FISMA)
D. Computer Security Act
Answer: B
QUESTION NO: 104
Which of the following DITSCAP C&A phases takes place between the signing of the initial version of the SSAA and the formal accreditation of the system?
A. Phase 3
B. Phase 2
C. Phase 4
D. Phase 1
Answer: B
QUESTION NO: 105
Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?
A. SSAA
B. TCSEC
C. FIPS
D. FITSAF
Answer: B
QUESTION NO: 106
Which NIACAP certification levels are recommended by the certifier? Each correct answer represents a complete solution. Choose all that apply.
A. Basic System Review
B. Basic Security Review
C. Maximum Analysis
D. Comprehensive Analysis
E. Detailed Analysis
F. Minimum Analysis
Answer: B,D,E,F
QUESTION NO: 107
NIST SP 800-53A defines three types of interview, depending on the level of assessment conducted. Which of the following NIST SP 800-53A interview types consists of informal and ad hoc interviews?
A. Abbreviated
B. Significant
C. Substantial
D. Comprehensive
Answer: A
QUESTION NO: 108 CORRECT TEXT
SIMULATION
Fill in the blanks with an appropriate phrase. A ________ is an approved build of the product, and can be a single component or a combination of components.
Answer:
development baseline
QUESTION NO: 109
Your project has several risks that may cause serious financial impact should they occur. You have studied the risk events and prepared some potential risk responses for them, but management wants you to do more. They would like you to create a chart that identifies the risk probability and impact, with a financial amount for each risk event. What is the likely outcome of creating this type of chart?
A. Risk response plan
B. Quantitative analysis
C. Risk response
D. Contingency reserve
Answer: D
QUESTION NO: 110
Which of the following processes provides a standard set of activities, general tasks, and a management structure to certify and accredit systems, thereby maintaining the information assurance and security posture of a system or site?
A. ASSET
B. NSA-IAM
C. NIACAP
D. DITSCAP
Answer: C
QUESTION NO: 111
Certification and Accreditation (C&A or CnA) is a process for implementing information security.
Which of the following is the correct order of C&A phases in a DITSCAP assessment?
A. Definition, Validation, Verification, and Post Accreditation
B. Verification, Definition, Validation, and Post Accreditation
C. Verification, Validation, Definition, and Post Accreditation
D. Definition, Verification, Validation, and Post Accreditation
Answer: D
QUESTION NO: 112
Which of the following federal agencies has the objective of developing and promoting measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life?
A. National Institute of Standards and Technology (NIST)
B. National Security Agency (NSA)
C. Committee on National Security Systems (CNSS)
D. United States Congress
Answer: A
QUESTION NO: 113 CORRECT TEXT
SIMULATION
Fill in the blank with an appropriate phrase. The ____________ helps the customer understand and document the information management needs that support the business or mission.
Answer:
systems engineer
QUESTION NO: 114
Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design of information security controls. Which of the following are international information security standards? Each correct answer represents a complete solution. Choose all that apply.
A. Organization of information security
B. Human resources security
C. Risk assessment and treatment
D. AU audit and accountability
Answer: A,B,C
QUESTION NO: 115
Which of the following certification levels requires the completion of the minimum security checklist, where either the system user or an independent certifier can complete the checklist?
A. CL 2
B. CL 3
C. CL 1
D. CL 4
Answer: C
QUESTION NO: 116
Which of the following cooperative programs carried out by NIST provides a nationwide network of local centers offering technical and business assistance to small manufacturers?
A. NIST Laboratories
B. Advanced Technology Program
C. Manufacturing Extension Partnership
D. Baldrige National Quality Program
Answer: C
QUESTION NO: 117
Which of the following DoD directives defines DITSCAP as the standard C&A process for the Department of Defense?
A. DoD 5200.22-M
B. DoD 8910.1
C. DoD 5200.40
D. DoD 8000.1
Answer: C
QUESTION NO: 118
You work as a security engineer for BlueWell Inc. According to you, which of the following statements describes the main focus of the ISSE process?
A. Design information systems that will meet the certification and accreditation documentation.
B. Identify the information protection needs.
C. Ensure information systems are designed and developed with functional relevance.
D. Instruct systems engineers on availability, integrity, and confidentiality.
Answer: B
QUESTION NO: 119
Which of the following is NOT an objective of the security program?
A. Security education
B. Information classification
C. Security organization
D. Security plan
Answer: D
QUESTION NO: 120
The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior IT executive in an enterprise. What are the responsibilities of a Chief Information Officer? Each correct answer represents a complete solution. Choose all that apply.
A. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan
B. Preserving high-level communications and working group relationships in an organization
C. Establishing effective continuous monitoring program for the organization
D. Facilitating the sharing of security risk-related information among authorizing officials
Answer: A,B,C
QUESTION NO: 121
Which of the following is a temporary approval to operate based on an assessment of the implementation status of the assigned IA Controls?
A. IATO
B. DATO
C. ATO
D. IATT
Answer: A
QUESTION NO: 122
Which of the following phases of the ISSE model is used to determine why the system needs to be built and what information needs to be protected?
A. Develop detailed security design
B. Define system security requirements
C. Discover information protection needs
D. Define system security architecture
Answer: C
QUESTION NO: 123
Which of the following Net-Centric Data Strategy goals are required to increase enterprise and community data over private user and system data? Each correct answer represents a complete solution. Choose all that apply.
A. Understandability
B. Visibility
C. Interoperability
D. Accessibility
Answer: B,D
QUESTION NO: 124
Which of the following acts assigns Chief Information Officers (CIOs) the responsibility to develop Information Technology Architectures (ITAs) and is also referred to as the Information Technology Management Reform Act (ITMRA)?
A. Paperwork Reduction Act
B. Computer Misuse Act
C. Lanham Act
D. Clinger Cohen Act
Answer: D
QUESTION NO: 125
Which of the following types of CNSS issuances describes how to implement a policy or prescribes the manner of a policy?
A. Advisory memoranda
B. Instructions
C. Policies
D. Directives
Answer: B
QUESTION NO: 126
The Concept of Operations (CONOPS) is a document describing the characteristics of a proposed system from the viewpoint of an individual who will use that system. Which of the following points are included in a CONOPS? Each correct answer represents a complete solution. Choose all that apply.
A. Strategies, tactics, policies, and constraints affecting the system
B. Organizations, activities, and interactions among participants and stakeholders
C. Statement of the structure of the system
D. Clear statement of responsibilities and authorities delegated
E. Statement of the goals and objectives of the system
Answer: A,B,D,E
QUESTION NO: 127
Which of the following processes describes elements such as quantity, quality, coverage, timelines, and availability, and categorizes the different functions that the system will need to perform in order to satisfy the documented mission and business needs?
A. Functional requirements
B. Operational scenarios
C. Human factors
D. Performance requirements
Answer: A
QUESTION NO: 128
Which of the following DoD policies establishes IA controls for information systems according to Mission Assurance Categories (MAC) and confidentiality levels?
A. DoD 8500.1 Information Assurance (IA)
B. DoD 8500.2 Information Assurance Implementation
C. DoDI 5200.40
D. DoD 8510.1-M DITSCAP
Answer: B
QUESTION NO: 129 CORRECT TEXT
SIMULATION
Fill in the blank with an appropriate phrase. _________________ is used to verify and accredit systems by making a standard process, set of activities, general tasks, and management structure.
Answer:
DITSCAP/NIACAP
QUESTION NO: 130 CORRECT TEXT
SIMULATION
Fill in the blank with an appropriate phrase. The ______________ process is used for allocating performance and designing the requirements to each function.
Answer:
functional allocation
QUESTION NO: 131
Which of the following tasks describes the processes required to ensure that the project includes all the work required, and only the work required, to complete the project successfully?
A. Identify Roles and Responsibilities
B. Develop Project Schedule
C. Identify Resources and Availability
D. Estimate project scope
Answer: D
QUESTION NO: 132
System Authorization is a risk management process. The System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of the System Authorization Plan? Each correct answer represents a part of the solution. Choose all that apply.
A. Certification
B. Authorization
C. Post-certification
D. Post-Authorization
E. Pre-certification
Answer: A,B,D,E
QUESTION NO: 133
Which of the following CNSS policies describes the national policy on securing voice communications?
A. NSTISSP No. 6
B. NSTISSP No. 7
C. NSTISSP No. 101
D. NSTISSP No. 200
Answer: C
QUESTION NO: 134
Which of the following phases of the NIST SP 800-37 C&A methodology examines the residual risk for acceptability and prepares the final security accreditation package?
A. Initiation
B. Security Certification
C. Continuous Monitoring
D. Security Accreditation
Answer: D
QUESTION NO: 135
Which of the following are phases of the Certification and Accreditation (C&A) process? Each correct answer represents a complete solution. Choose two.
A. Auditing
B. Initiation
C. Continuous Monitoring
D. Detection
Answer: B,C
QUESTION NO: 136
Which of the following DITSCAP/NIACAP model phases is used to confirm that the evolving system development and integration complies with the agreements between role players documented in the first phase?
A. Verification
B. Validation
C. Post accreditation
D. Definition
Answer: A
QUESTION NO: 137
Which of the following are ways of sending secure e-mail messages over the Internet? Each correct answer represents a complete solution. Choose two.
A. PGP
B. S/MIME
C. TLS
D. IPSec
Answer: A,B
QUESTION NO: 138
Which of the following memorandums directs Departments and Agencies to post clear privacy policies on World Wide Web sites, and provides guidance for doing so?
A. OMB M-99-18
B. OMB M-00-13
C. OMB M-03-19
D. OMB M-00-07
Answer: A
QUESTION NO: 139
Which of the following categories of system specification describes the technical, performance, operational, maintenance, and support characteristics for the entire system?
A. Process specification
B. Product specification
C. Development specification
D. System specification
Answer: D
QUESTION NO: 140
You have been tasked with finding an encryption methodology that will encrypt most types of e-mail attachments. The requirement is that your solution must use the RSA algorithm. Which of the following is your best choice?
A. PGP
B. S/MIME
C. DES
D. Blowfish
Answer: B
QUESTION NO: 141
Which of the following security controls is the totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy?
A. Trusted computing base (TCB)
B. Common data security architecture (CDSA)
C. Internet Protocol Security (IPSec)
D. Application program interface (API)
Answer: A
QUESTION NO: 142
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well-designed policy? Each correct answer represents a part of the solution. Choose all that apply.
A. What is being secured
B. Who is expected to comply with the policy
C. Where is the vulnerability, threat, or risk
D. Who is expected to exploit the vulnerability
Answer: A,B,C
QUESTION NO: 143
Which of the following organizations assists the President in overseeing the preparation of the federal budget and supervises its administration in Executive Branch agencies?
A. NSA/CSS
B. OMB
C. DCAA
D. NIST
Answer: B
QUESTION NO: 144
Which of the following defines residual risk as the risk remaining after risk mitigation has occurred?
A. SSAA
B. ISSO
C. DAA
D. DIACAP
Answer: D
QUESTION NO: 145
Della works as a systems engineer for BlueWell Inc. She wants to convert system requirements into a comprehensive function standard and break the higher-level functions into lower-level functions. Which of the following processes will Della use to accomplish the task?
A. Risk analysis
B. Functional allocation
C. Functional analysis
D. Functional baseline
Answer: C