CISSP-ISSEP : Information Systems Security Engineering Professional : Part 06

  1. In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199. What levels of potential impact are defined by FIPS 199? Each correct answer represents a complete solution. Choose all that apply.

    • High
    • Medium
    • Low
    • Moderate
  2. Which of the following is a 1996 United States federal law, designed to improve the way the federal government acquires, uses, and disposes of information technology?

    • Lanham Act
    • Clinger-Cohen Act 
    • Computer Misuse Act
    • Paperwork Reduction Act
  3. Which of the following DITSCAP/NIACAP model phases is used to show the required evidence to support the DAA in the accreditation process and conclude in an Approval To Operate (ATO)?

    • Verification
    • Validation 
    • Post accreditation
    • Definition
  4. Which of the following categories of system specification describes the technical requirements that cover a service, which is performed on a component of the system?

    • Product specification
    • Process specification 
    • Material specification
    • Development specification
  5. Which of the following individuals informs all C&A participants about life cycle actions, security requirements, and documented user needs?

    • User representative
    • DAA
    • Certification Agent
    • IS program manager
  6. Which of the following areas of an information system, as separated by the Information Assurance Framework, is a collection of local computing devices, regardless of physical location, that are interconnected via local area networks (LANs) and governed by a single security policy?

    • Networks and Infrastructures
    • Supporting Infrastructures
    • Enclave Boundaries 
    • Local Computing Environments
  7. An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing Official? Each correct answer represents a complete solution. Choose all that apply.

    • Ascertaining the security posture of the organization’s information system
    • Reviewing security status reports and critical security documents
    • Determining the requirement of reauthorization and reauthorizing information systems when required
    • Establishing and implementing the organization’s continuous monitoring program
  8. Which of the following tools demands involvement by upper executives, in order to integrate quality into the business system and avoid delegation of quality functions to junior administrators?

    • ISO 9001:2000 
    • Benchmarking
    • SEI-CMM
    • Six Sigma
  9. In which of the following phases of the interconnection life cycle, as defined by NIST SP 800-47, do the organizations build and execute a plan for establishing the interconnection, including executing or configuring appropriate security controls?

    • Establishing the interconnection 
    • Planning the interconnection
    • Disconnecting the interconnection
    • Maintaining the interconnection
  10. Which of the following refers to a process that is used for implementing information security?

    • Classic information security model
    • Certification and Accreditation (C&A) 
    • Information Assurance (IA)
    • Five Pillars model
  11. Which of the following individuals is responsible for the oversight of a program that is supported by a team of people that consists of, or is exclusively comprised of, contractors?

    • Quality Assurance Manager
    • Senior Analyst
    • System Owner
    • Federal program manager
  12. Which of the following statements define the role of the ISSEP during the development of the detailed security design, as mentioned in the IATF document? Each correct answer represents a complete solution. Choose all that apply.

    • It identifies the information protection problems that need to be solved.
    • It allocates security mechanisms to system security design elements.
    • It identifies custom security products.
    • It identifies candidate commercial off-the-shelf (COTS)/government off-the-shelf (GOTS) security products.
  13. Which of the following documents contains the threats to the information management, and the security services and controls required to counter those threats?

    • System Security Context
    • Information Protection Policy (IPP) 
    • CONOPS
    • IMM
  14. Diane is the project manager of the HGF Project. A risk that has been identified and analyzed in the project processes is now coming into fruition. What individual should respond to the risk with the preplanned risk response?

    • Project sponsor
    • Risk owner 
    • Diane
    • Subject matter expert
  15. Which of the following configuration management system processes defines which items will be configuration managed, how they are to be identified, and how they are to be documented?

    • Configuration verification and audit
    • Configuration control
    • Configuration status accounting
    • Configuration identification
  16. Which of the following protocols is built into the Web server and browser to encrypt data traveling over the Internet?

    • UDP
    • SSL 
    • IPSec
    • HTTP
  17. Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.

    • Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
    • Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
    • Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
    • Certification is the official management decision given by a senior agency official to authorize operation of an information system.
  18. Which of the following documents is described in the statement below? It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning.

    • Risk management plan
    • Project charter
    • Quality management plan
    • Risk register
  19. You work as a security engineer for BlueWell Inc. Which of the following documents will you use as a guide for the security certification and accreditation of Federal Information Systems?

    • NIST Special Publication 800-59
    • NIST Special Publication 800-37 
    • NIST Special Publication 800-60
    • NIST Special Publication 800-53
  20. What are the subordinate tasks of the Initiate and Plan IA C&A phase of the DIACAP process? Each correct answer represents a complete solution. Choose all that apply.

    • Develop DIACAP strategy.
    • Initiate IA implementation plan.
    • Conduct validation activity.
    • Assemble DIACAP team.
    • Register system with DoD Component IA Program.
    • Assign IA controls.