Читаем CISSP Practice полностью

In an access validation error, the system is vulnerable because the access control mechanism is faulty. A configuration error occurs when user controllable settings in a system are set so that the system is vulnerable. Race condition error occurs when there is a delay between the time when a system checks to see if an operation is allowed by the security model and the time when the system actually performs the operation.

8. From a risk management viewpoint, new system interfaces are addressed in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

8. d. In the operation/maintenance phase of the SDLC, risk management activities are performed whenever major changes are made to an IT system in its operational (production) environment (for example, new system interfaces).

9. System assurance requires which of the following?

1. Proof-of-origin

2. Proof-of-delivery

3. Techniques

4. Metrics

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

9. d. System assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application. System assurance requires (i) techniques to achieve integrity, confidentiality, availability, and accountability and (ii) metrics to measure them. Proof-of-origin and proof-of-delivery are required in nonrepudiation.

10. The initiation phase of the security certification and accreditation process does not contain which of the following?

a. Preparation

b. Resource identification

c. Action plan and milestones

d. Security plan acceptance

10. c. The action plan and milestones document is a latter part of security certification and accreditation phases, which describe the measures that have been implemented or planned to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known system vulnerabilities.

The other three choices are part of the initiation phase, which is the first phase, where it is too early to develop the action plan and milestones.

11. Which of the following comes first in the security certification and accreditation process of an information system?

a. Security certification

b. Security recertification

c. Security accreditation

d. Security reaccreditation

11. a. The security certification work comes first as it determines the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired system security posture. This assurance is achieved through system security assessments. The security accreditation package documents the results of the security certification.

Recertification and reaccreditation occur periodically and sequentially whenever there is a significant change to the system or its operational environment as part of ongoing monitoring of security controls.

12. Which of the following security accreditation authority’s decision scenarios require justification for the decision?

1. Full accreditation of the system

2. Accredit the system with conditions

3. Deny the system accreditation

4. Defer the system accreditation

a. 1 only

b. 2 only

c. 1, 2, or 3

d. 1, 2, 3, or 4

12. c. The security accreditation authority has three major scenarios to work with: (i) accredit the system fully, (ii) accredit the system with conditions, or (iii) deny the system accreditation. In any case, supporting rationale (justification) for the decision is needed. In some cases, the system accreditation can be deferred based on sudden changes in regulatory requirements or unexpected merger and acquisition activities in the company. Management can come back to the deferred decision later.

13. In the continuous monitoring phase of the security certification and accreditation process, ongoing assessment of security controls is based on which of the following?

a. Configuration management documents

b. Action plan and milestone documents

c. Configuration control documents

d. Security impact analyses documents