Читаем CISSP Practice полностью

Security accreditation is the formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk. It is usually supported by a review of the system, including its management, operational, and technical controls.

A system certification is conducted first and system accreditation is next because the former supports the latter. Security certification and security accreditation processes follow the system certification and system accreditation processes.

70. Which of the following is a nonresident virus?

a. Master boot sector virus

b. File infector virus

c. Macro virus

d. Boot-sector infector

70. c. Macro viruses are nonresident viruses. A resident virus is one that loads into memory, hooks one or more interrupts, and remains inactive in memory until some trigger event. All boot viruses and most common file viruses are resident viruses. Macro viruses are found in documents, not in disks.

71. Backdoors are which of the following?

a. They are entry points into a computer program.

b. They are choke points into a computer program.

c. They are halt points into a computer program.

d. They are exit points into a computer program.

71. a. Programmers frequently create entry points (backdoors) into a program for debugging purposes and/or insertion of new program codes at a later date. The other three choices do not apply here because they do not deal with entry points.

72. Most Trojan horses can be prevented and detected by which of the following?

a. Removing the damage

b. Assessing the damage

c. Installing program change controls

d. Correcting the damage

72. c. Most Trojan horses can be prevented and detected by a strong program change control in which every change is independently examined before being put into use. After a Trojan horse is detected, the cure is to remove it. Next, try to find all the damage it has done and correct that damage.

73. From a risk analysis viewpoint, what does the major vulnerable area in a computer application system include?

a. Internal computer processing

b. System inputs and outputs

c. Telecommunications and networks

d. External computer processing

73. b. The biggest vulnerable area is in the manual handling of data before it is entered into an application system or after it has been retrieved from the system in hard copy form. Because human intervention is significant here, the risk is higher. Controls over internal and external computer processing and telecommunications and the network can be made stronger with automated controls.

74. Which of the following is most likely to be tampered or manipulated with?

a. Configuration file

b. Password file

c. Log file

d. System file

74. c. A log file is most likely to be tampered (manipulated) with either by insiders or outsiders because it contains unsuccessful login attempts or system usage. A configuration file contains system parameters. A password file contains passwords and user IDs, whereas a system file contains general information about computer system hardware and software.

75. Which of the following software assurance processes is responsible for ensuring that any changes to software outputs during the system development process are made in a controlled and complete manner?

a. Software configuration management processes

b. Software project management processes

c. Software quality assurance processes

d. Software verification and validation processes

75. a. The objectives of the software configuration management (SCM) process are to track the different versions of the software and ensure that each version of the software contains the exact software outputs generated and approved for that version. SCM is responsible for ensuring that any changes to any software outputs during the development processes are made in a controlled and complete manner.

The objective of the project management process is to establish the organizational structure of the project and assign responsibilities. This process uses the system requirements documentation and information about the purpose of the software, criticality of the software, required deliverables, and available time and resources to plan and manage the software development and software assurance processes. It establishes or approves standards, monitoring and reporting practices, and high-level policy for quality, and it cites policies and regulations.