Читаем CISSP Practice полностью

Gray-box testing can be looked at as anything that is not tested in white-box or black-box. An integration testing is performed to examine how units interface and interact with each other with the assumption that the units and the objects (for example, data) they manipulate have all passed their unit tests.

29. System integration is performed in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

29. c. The new system is integrated at the operational site where it is to be deployed for operation. Security control settings and switches are enabled.

30. Formal risk assessment is conducted in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

30. b. Formal risk assessment is conducted in the development/acquisition phase to identify system protection requirements. This analysis builds on the initial (preliminary or informal) risk assessment performed during the initiation phase, but will be more in-depth and specific.

31. Which of the following system development life cycle (SDLC) phases establishes an initial baseline of hardware, software, and firmware components for the information system?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

31. d. Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system. This task is performed in the operation/maintenance phase so that changes can be tracked and monitored. Prior to this phase, the system is in a fluid state, meaning that initial baselines cannot be established.

32. Controlling and maintaining an accurate inventory of any changes to an information system is possible due to which of the following?

a. Configuration management and controls

b. Continuous monitoring

c. Security certification

d. Security accreditation

32. a. Configuration management and controls, which is a part of system operation and maintenance phase, deals with controlling and maintaining an accurate inventory of any changes to the system. Security certification and security accreditation are part of system implementation phase, whereas continuous monitoring is a part of operation and maintenance phase.

33. Which of the following does not facilitate self-assessments or independent security audits of an information system?

a. Internal control reviews

b. Penetration testing

c. Developing security controls

d. Security checklists

33. c. System assessors or auditors do not develop security controls due to loss of objectivity in thinking and loss of independence in appearance. Security controls should be built by system designers and developers prior to performing internal control reviews, conducting penetration testing, or using security checklists by system assessors or auditors. Internal control reviews, penetration testing, and security checklists simply facilitate self-assessments or independent audits of an information system later.

34. In the needs-determination task of the system development life cycle (SDLC) initiation phase, which of the following optimizes the organization’s system needs within budget constraints?

a. Fit-gap analysis

b. Risk analysis

c. Investment analysis

d. Sensitivity analysis

34. c. Investment analysis is defined as the process of managing the enterprise information system portfolio and determining an appropriate investment strategy. The investment analysis optimizes the organization’s system needs within budget constraints.

Fit-gap analysis identifies the differences between what is required and what is available; or how two things fit or how much gap there is between them. Risk analysis is determining the amount of risk and sensitivity analysis can determine the boundaries of the risk in terms of changing input values and the accompanying changes in output values.