CISSP-ISSEP : Information Systems Security Engineering Professional : Part 02

  1. Which of the following types of cryptography defined by FIPS 185 describes a cryptographic algorithm or a tool accepted by the National Security Agency for protecting sensitive, unclassified information in the systems as stated in Section 2315 of Title 10, United States Code?

    • Type I cryptography
    • Type II cryptography 
    • Type III (E) cryptography
    • Type III cryptography
  2. The DoD 8500 policy series represents the Department’s information assurance strategy. Which of the following objectives are defined by the DoD 8500 series? Each correct answer represents a complete solution. Choose all that apply.

    • Providing IA Certification and Accreditation
    • Providing command and control and situational awareness
    • Defending systems
    • Protecting information
  3. Which of the following cooperative programs carried out by NIST speeds up the development of modern technologies for broad, national benefit by co-funding research and development partnerships with the private sector?

    • Baldrige National Quality Program
    • Advanced Technology Program 
    • Manufacturing Extension Partnership
    • NIST Laboratories
  4. Which of the following acts is endorsed to provide a clear statement of the proscribed activity concerning computers to the law enforcement community, those who own and operate computers, and those tempted to commit crimes by unauthorized access to computers?

    • Computer Fraud and Abuse Act 
    • Government Information Security Reform Act (GISRA)
    • Computer Security Act
    • Federal Information Security Management Act (FISMA)
  5. The functional analysis process is used for translating system requirements into detailed function criteria. Which of the following are the elements of the functional analysis process? Each correct answer represents a complete solution. Choose all that apply.

    • Model possible overall system behaviors that are needed to achieve the system requirements.
    • Develop concepts and alternatives that are not technology or component bound.
    • Decompose functional requirements into discrete tasks or activities; the focus is still on technology, not functions or components.
    • Use a top-down with some bottom-up approach verification.
  6. Which of the following characteristics are described by the DIAP Information Readiness Assessment function? Each correct answer represents a complete solution. Choose all that apply.

    • It performs vulnerability/threat analysis assessment. 
    • It provides for entry and storage of individual system data.
    • It provides data needed to accurately assess IA readiness.
    • It identifies and generates IA requirements.
  7. Which of the following phases of the NIST SP 800-37 C&A methodology examines the residual risk for acceptability and prepares the final security accreditation package?

    • Initiation
    • Security Certification
    • Continuous Monitoring
    • Security Accreditation
  8. Which of the following DoD directives defines DITSCAP as the standard C&A process for the Department of Defense?

    • DoD 5200.22-M
    • DoD 8910.1
    • DoD 5200.40 
    • DoD 8000.1
  9. Which of the following cooperative programs carried out by NIST provides a nationwide network of local centers offering technical and business assistance to small manufacturers?

    • NIST Laboratories
    • Advanced Technology Program
    • Manufacturing Extension Partnership 
    • Baldrige National Quality Program
  10. Which of the following certification levels requires the completion of the minimum security checklist, where either the system user or an independent certifier can complete the checklist?

    • CL 2
    • CL 3
    • CL 1 
    • CL 4
  11. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer? Each correct answer represents a complete solution. Choose all that apply.

    • Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan
    • Preserving high-level communications and working group relationships in an organization
    • Establishing effective continuous monitoring program for the organization
    • Facilitating the sharing of security risk-related information among authorizing officials
  12. Which of the following is NOT an objective of the security program?

    • Security education
    • Information classification
    • Security organization
    • Security plan
  13. You work as a security engineer for BlueWell Inc. According to you, which of the following statements determines the main focus of the ISSE process?

    • Design information systems that will meet the certification and accreditation documentation.
    • Identify the information protection needs. 
    • Ensure information systems are designed and developed with functional relevance.
    • Instruct systems engineers on availability, integrity, and confidentiality.
  14. Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Which of the following are the international information security standards? Each correct answer represents a complete solution. Choose all that apply.

    • Organization of information security
    • Human resources security
    • Risk assessment and treatment
    • AU audit and accountability
  15. Which of the following processes provides a standard set of activities, general tasks, and a management structure to certify and accredit systems, which maintain the information assurance and the security posture of a system or site?

    • ASSET
    • NSA-IAM
    • NIACAP 
    • DITSCAP
  16. Your project has several risks that may cause serious financial impact should they happen. You have studied the risk events and made some potential risk responses for the risk events, but management wants you to do more. They’d like you to create some type of chart that identifies the risk probability and impact, with a financial amount for each risk event. What is the likely outcome of creating this type of chart?

    • Risk response plan
    • Quantitative analysis
    • Risk response
    • Contingency reserve
  17. SIMULATION

    Fill in the blanks with an appropriate phrase. A ________ is an approved build of the product, and can be a single component or a combination of components.

    • development baseline
  18. SIMULATION

    Fill in the blank with an appropriate phrase. The ____________ helps the customer understand and document the information management needs that support the business or mission.

    • systems engineer
  19. Which of the following federal agencies has the objective to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life?

    • National Institute of Standards and Technology (NIST) 
    • National Security Agency (NSA)
    • Committee on National Security Systems (CNSS)
    • United States Congress
  20. Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?

    • Definition, Validation, Verification, and Post Accreditation
    • Verification, Definition, Validation, and Post Accreditation
    • Verification, Validation, Definition, and Post Accreditation
    • Definition, Verification, Validation, and Post Accreditation