This article offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. This article is designed for readers and students who want to study for the CISSP certification exam.
The CISSP exam is governed by the International Information Systems Security Certification Consortium, Inc. (ISC)2 organization.
- CISSP – MCQ – Security Management Practices
- CISSP – MCQ – Access Control Systems
- CISSP – MCQ – Telecommunications and Network Security
- CISSP – MCQ – Cryptography
- CISSP – MCQ – Security Architecture and models
- CISSP – MCQ – Operations Security
- CISSP – MCQ – Applications and Systems Development
- CISSP – MCQ – Business Continuity Planning and Disaster Recovery Planning
- CISSP – MCQ – Law, Investigation and Ethics
- CISSP – MCQ – Physical Security
- CISSP – MCQ – Systems Security Engineering
- CISSP – MCQ – Certification and Accreditation
- CISSP – MCQ – Technical Management
- CISSP – MCQ – U.S. Government Information Assurance (IA) Regulations
(ISC)2 is a global not-for-profit organization. It has four primary mission goals:
- Maintain the Common Body of Knowledge for the field of information systems security
- Provide certification for information systems security professionals and practitioners
- Conduct certification training and administer the certification exams
- Oversee the ongoing accreditation of qualified certification candidates through continued education
In this article, all the questions are related to “Law, Investigation and Ethics” and are as follows:
1) Which one of the following is NOT one of the five system life cycle planning phases as defined in NIST SP 800-14?
- Initiation phase
- Requirements phase
- Implementation phase
- Disposal phase
2) Which one of the following sets of activities BEST describes a subset of the Acquisition Cycle phases as given in NIST SP 800-64, Security Considerations in the Information System Development Life Cycle?
- Mission and business planning, acquisition planning, contract performance, disposal and contract closeout
- Initiation, mission and business planning, acquisition planning, contract performance
- Initiation, acquisition/development, contract performance, disposal and contract closeout
- Mission and business planning, acquisition/development, contract performance, disposal and contract closeout
3) The IATF document 3.1 stresses that information assurance relies on three critical components. Which one of the following answers correctly lists these components?
- People, documentation, technology
- People, Defense in Depth, technology
- People, evaluation, certification
- People, operations, technology
4) In the 14 Common IT Security Practices listed in NIST SP 800-14, one of the practices addresses having three types of policies in place. Which one of the following items is NOT one of these types of policies?
- A program policy
- An issue specific policy
- A system specific policy
- An enclave specific policy
5) Risk management, as defined in NIST SP 800-30, comprises which three processes?
- Risk assessment, risk mitigation, and evaluation and assessment
- Risk identification, risk mitigation, and evaluation and assessment
- Risk assessment, risk impacts, and risk mitigation
- Risk assessment, risk mitigation, and risk identification
6) In the system development life cycle (SDLC), sometimes called the system life cycle, in which one of the five phases are the system security features configured, enabled, tested, and verified?
7) Which one of the following activities is performed in the Development/Acquisition phase of the SDLC?
- The scope of the IT system is documented.
- The IT system is developed, programmed, or otherwise constructed.
- The system performs its function.
- Disposition of information, hardware, or software.
8) In NIST SP 800-30, risk is defined as a function of which set of the following items?
- Threat likelihood, vulnerabilities, and impact
- Threat likelihood, mission, and impact
- Vulnerabilities, mission and impact
- Threat likelihood, sensitivity, and impact
9) The risk assessment methodology described in NIST SP 800-30 comprises nine primary steps. Which one of the following is NOT one of these steps?
- System Characterization
- Control analysis
- Impact analysis
- Accreditation boundaries
10) The engineering principles for information technology security (EP-ITS), described in NIST SP 800-27, are which one of the following?
- A list of 33 system-level security principles to be considered in the design, development, and operation of an information system
- A list of eight principles and 14 practices derived from OECD guidelines
- Part of the Common Criteria (CC)
- Component of the Defense in Depth Strategy
11) Which one of the following items is NOT one of the activities of the generic systems engineering (SE) process?
- Discover needs
- Define system requirements
- Obtain accreditation
- Assess effectiveness
12) The elements of Discover information protection needs, Develop detailed security design, and Assess information protection effectiveness are part of which process?
- The systems engineering (SE) process
- The information systems security engineering process (ISSE)
- The system development life cycle (SDLC)
- The risk management process
13) In the ISSE process, information domains are defined under the Discover Information Protection Needs Process. Which one of the following tasks is NOT associated with the information domain?
- Identify the members of the domain
- List the information entities that are under control in the domain
- Identify the applicable privileges, roles, rules, and responsibilities of the users in the domain
- Map security mechanisms to security design elements in the domain.
14) In the Discover Information Protection Needs activity of the ISSE process, the information systems security engineer must document the elements of this activity, including roles, responsibilities, threats, strengths, security services, and priorities. These items form the basis of which one of the following:
- Threat matrix
- Functional analysis
- Information protection policy (IPP)
15) As part of the Define System Security Requirements activity of the ISSE process, the information systems security engineer identifies and selects a solution set that can satisfy the requirements of the IPP. Which one of the following elements is NOT a component of the solution set?
- Functional decomposition
- Preliminary security concept of operations (CONOPS)
- System context
- System requirements
16) The information systems security engineer’s tasks of cataloging candidate commercial off-the-shelf (COTS) products, government off-the-shelf (GOTS) products, and custom security products are performed in which one of the following ISSE process activities?
- Define System Security Requirements
- Develop Detailed Security Design
- Implement System Security
- Design System Security Architecture
17) Which ISSE activity includes conducting unit testing of components, integration testing, and developing installation and operational procedures?
- Assess Information Protection Effectiveness.
- Develop Detailed Security Design.
- Implement System Security.
- Design System Security Architecture.
18) Security certification is performed in which phase of the SDLC?
- Implementation phase
- Validation phase
- Development/Acquisition phase
- Operations/Maintenance phase
19) The certification and accreditation process receives inputs from the ISSE process. These inputs are which one of the following items?
- Certification documentation
- Certification recommendations
- Accreditation decision
- Evidence and documentation
20) Which one of the following items is NOT part of an implementation-independent protection profile (PP) of the Common Criteria (CC)?
- Security objectives
- Information assurance requirements
- Security-related functional requirements
- Defense of the enclave boundary
21) Which one of the following is NOT one of the technology focus areas of the Defense in Depth strategy?
- Defend the certificate management
- Defend the network and infrastructure
- Defend the computing environment
- Defend the supporting infrastructure
22) Security categorization is part of which phase of the SDLC?
23) The Defense in Depth strategy identifies five types of attacks on information systems as listed in IATF document 3.1. Which one of the following types of attacks is NOT one of these five types?
24) Which one of the following items is NOT an activity under the Acquisition/Development phase of the SDLC?
- Preliminary risk assessment
- Security functional requirements analysis
- Cost considerations and reporting
- Development security evaluation
25) Which one of the following types of enclaves is NOT one of those categorized in the U.S. federal and defense computing environments?
26) According to NIST SP 800-64, which phase of the SDLC includes the activities of functional statement of need, market research, cost-benefit analysis, and a cost analysis?
27) Which one of the following models is an evolutionary model used to represent the acquisition management process?
- The acquisition process model
- The Spiral model
- The Waterfall model
- The acquisition/development model
28) In NIST SP 800-30, a threat is defined as which one of the following items?
- Intent and method targeted at the intentional exploit of a vulnerability.
- The likelihood that a given threat-source will exercise a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
- The potential for a threat-source to exercise a specific vulnerability.
- A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised and result in a security breach or a violation of the system’s security policy.
29) Questionnaires, on-site interviews, review of documents, and automated scanning tools are primarily used to gather information for which one of the following steps of the risk assessment process?
- System characterization
- Risk determination
- Vulnerability identification
- Control analysis
30) In performing an impact analysis as part of the risk assessment process, three important factors should be considered in calculating the negative impact. Which one of the following items is NOT one of these factors?
- The sensitivity of the system and its data
- The management of the system
- The mission of the system
- The criticality of the system, determined by its value and the value of the data to the organization.