Читаем CISSP Practice полностью

42. Which of the following occurs after delivery and installation of a new information system under acquisition?

a. Unit testing

b. Subsystem testing

c. Full system testing

d. Integration and acceptance testing

42. d. Integration and acceptance testing occurs after delivery and installation of the new information system. The unit, subsystem and full system testing are not conducted for an acquired system but conducted for the in-house developed system. The integration and acceptance testing is conducted for an acquired system.

43. Which of the following should be done prior to final system deployment for operation?

a. Conduct a security certification process.

b. Describe the known vulnerabilities in the system.

c. Establish control verification techniques to provide confidence.

d. Document the safeguards that are in place to protect the system.

43. a. Prior to final system deployment, a security certification should be conducted to ensure that security controls established in response to security requirements are included as part of the system development process. The other three choices are part of the scope of the security certification process.

44. The security accreditation decision reflects which of the following?

a. Test-based decision

b. Risk-based decision

c. Evaluation-based decision

d. Results-based decision

44. b. The security accreditation decision is a risk-based decision that depends heavily, but not exclusively, on the security testing and evaluation results produced during the security control verification process. The security accreditation focuses on risk, whereas system accreditation focuses on an evaluation based on tests and their results.

45. Which of the following are the two key information security steps of the operation phase within the system development life cycle (SDLC)?

1. Information preservation

2. Security accreditation

3. Configuration management and control

4. Continuous monitoring

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 3 and 4

45. d. Managing and controlling the configuration of the system and providing for a process of continuous monitoring are the two key information security steps of the operation/maintenance phase of an SDLC. Information preservation is an activity of the disposal phase, whereas security accreditation is an activity of the implementation phase of an SDLC.

46. Which of the following are ways to accomplish ongoing monitoring of security control effectiveness?

1. Security reviews

2. Self-assessments

3. Security test and evaluation

4. Independent security audits

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 1, 2, 3, and 4

46. d. The ongoing monitoring of security control effectiveness can be accomplished in a variety of ways including security reviews, self-assessments, security test and evaluation, and independent security audits.

47. Which of the following is a good definition of security control monitoring?

a. Verifying the continued effectiveness of security controls over time

b. Verifying the continued efficiency of security controls over time

c. Verifying the development effectiveness of security controls over time

d. Verifying the planning effectiveness of security controls over time

47. a. Organizations need periodic and continuous testing and evaluation of the security controls in an information system to ensure that the controls are effective in their application. Security-control monitoring means verifying the continued effectiveness of those controls over time.

48. Which of the following statements is not true about a system development life cycle (SDLC) process?

a. Systems undergo improvements in technology.

b. Security plans evolve with the follow-on system.

c. There is a definitive end to an SDLC.

d. Much of previous operational controls are relevant to the follow-on system.