Читаем CISSP Practice полностью

On the other hand, approve, implement, and deny choices do not require additional testing and analysis because management is already satisfied with the testing and analysis.

21. During the initiation phase of a system development life cycle (SDLC) process, which of the following tasks is not typically performed?

a. Preliminary risk assessment

b. Preliminary system security plans

c. High-level security test plans

d. High-level security system architecture

21. c. A security-test-plan, whether high level or low level, is developed in the development/acquisition phase. The other three choices are performed in the initiation phase.

22. Security controls are designed and implemented in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Disposal

22. b. Security controls are developed, designed, and implemented in the development/acquisition phase. Additional controls may be developed to support the controls already in place or planned.

23. Product acquisition and integration costs are determined in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Disposal

23. b. Product acquisition and integration costs that can be attributed to information security over the life cycle of the system are determined in the development/acquisition phase. These costs include hardware, software, personnel, and training.

24. A formal authorization to operate an information system is obtained in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Disposal

24. c. In the implementation phase, the organization configures and enables system security features, tests the functionality of these features, installs or implements the system, and finally, obtains a formal authorization to operate the system.

25. Which of the following gives assurance as part of system’s security and functional requirements defined for an information system?

a. Access controls

b. Background checks for system developers

c. Awareness

d. Training

25. b. Security and functional requirements can be expressed as technical (for example, access controls), assurances (for example, background checks for system developers), or operational practices (for example, awareness and training).

26. System users must perform which of the following when new security controls are added to an existing application system?

a. Unit testing

b. Subsystem testing

c. Full system testing

d. Acceptance testing

26. d. If new security controls are added to an existing application system or to a support system, system users must perform additional acceptance tests of these new controls. This approach ensures that new controls meet security specifications and do not conflict with or invalidate existing controls.

27. Periodic reaccreditation of a system is done in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

27. d. Documenting information system changes and assessing the potential impact of these changes on the security of a system is an essential part of continuous monitoring and key to avoiding a lapse in the system security reaccreditation. Periodic reaccreditation is done in the operation phase.

28. Which of the following tests is driven by system requirements?

a. Black-box testing

b. White-box testing

c. Gray-box testing

d. Integration testing

28. a. Black-box testing, also known as functional testing, executes part or all the system to validate that the user requirement is satisfied.

White-box testing, also known as structural testing, examines the logic of the units and may be used to support software requirements for test coverage, i.e., how much of the program has been executed.