[12] CISSP – MCQ – Certification and Accreditation

CISSP Multiple Choice Questions MCQ With Answers Techhyme

This article offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. This article is designed for readers and students who want to study for the CISSP certification exam.

The CISSP exam is governed by the International Information Systems Security Certification Consortium, Inc. (ISC)2 organization.

  1. CISSP – MCQ – Security Management Practices
  2. CISSP – MCQ – Access Control Systems
  3. CISSP – MCQ – Telecommunications and Network Security
  4. CISSP – MCQ – Cryptography
  5. CISSP – MCQ – Security Architecture and models
  6. CISSP – MCQ – Operations Security
  7. CISSP – MCQ – Applications and Systems Development
  8. CISSP – MCQ – Business Continuity Planning and Disaster Recovery Planning
  9. CISSP – MCQ – Law, Investigation and Ethics
  10. CISSP – MCQ – Physical Security
  11. CISSP – MCQ – Systems Security Engineering
  12. CISSP – MCQ – Certification and Accreditation
  13. CISSP – MCQ – Technical Management
  14. CISSP – MCQ – U.S. Government Information Assurance (IA) Regulations

(ISC)2 is a global not-for-profit organization. It has four primary mission goals:

  • Maintain the Common Body of Knowledge for the field of information systems security
  • Provide certification for information systems security professionals and practitioners
  • Conduct certification training and administer the certification exams
  • Oversee the ongoing accreditation of qualified certification candidates through continued education

In this article, all the questions are related to “Physical Security” and are as follows:

1) Which statement is NOT true about the NIACAP SSAA?

  • The SSAA is used throughout the entire NIACAP process.
  • The SSAA is a formal agreement among the DAA (s), certifier, user representative, and program manager.
  • The SSAA is used only through Phase 3, Validation.
  • The SSAA documents the conditions of the C&A for an IS.

2) Which choice BEST describes NIACAP Phase 1, Definition?

  • The objective of Phase 1 is to ensure the fully integrated system will be ready for certification testing.
  • The objective of Phase 1 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system (accreditation or Interim Approval to Operate [IATO]).
  • The objective of Phase 1 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.
  • The objective of Phase 1 is to ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk.

3) Which choice BEST describes NIACAP Phase 3, Accreditation?

  • The objective of Phase 3 is to ensure the fully integrated system will be ready for certification testing.
  • The objective of Phase 3 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.
  • The objective of Phase 3 is to ensure secure system management, operation and maintenance to preserve an acceptable level of residual risk.
  • The objective of Phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system (accreditation or Interim Approval to Operate [IATO]).

4) Which NIACAP role is also referred to as the accreditor?

  • IS program manager
  • Designated Approving Authority (DAA)
  • Certification agent
  • User representative

5) Which is NOT a NIACAP role?

  • IS program manager
  • Certifier
  • Vendor representative
  • User representative

6) Which is NOT a NIACAP accreditation type?

  • Site accreditation
  • Process accreditation
  • Type accreditation
  • System accreditation

7) Which statement is NOT true about the Designated Approving Authority (DAA)?

  • The DAA determines the existing level of residual risk and makes an accreditation recommendation.
  • The DAA is the primary government official responsible for implementing system security.
  • The DAA is an executive with the authority and ability to balance the needs of the system with the security risks.
  • The DAA can great an accreditation or an interim Approval to Operate (IATO), or may determine that the system’s risks are not at an acceptable level and it is not ready to be operational.

8) Which statement is NOT true about the certification agent?

  • The certifier provides the technical expertise to conduct the certification throughout the system’s life cycle based on the security requirements documented in the SSAA.
  • The certifier determines the acceptable level of residual risk for a system.
  • The certifier determines whether a system is ready for certification and conducts the certification process.
  • The certifier should be independent from the organization responsible for the system development or operation.

9) What is the task of the certifier at the completion of the certification effort?

  • Recommends to the DAA whether or not to accredit the system based on documented residual risk.
  • Provides details of the system and its life cycle management to the DAA.
  • Ensures that the security requirements are integrated in a way that will result in an acceptable level of risk.
  • Keeps all NIACAP participants informed of life cycle actions, security requirements, and documented user needs.

10) Why does NIACAP have a user representative?

  • The user representative is an executive with the authority and ability to balance the needs of the system with the security risks.
  • The user representative is concerned with system availability, access, integrity, functionality, performance, and confidentiality as they relate to the mission environment.
  • The user representative determines the acceptable level of residual risk for a system.
  • The user representative is the primary government official responsible for implementing system security.

11) Which is NOT a responsibility of the NIACAP user representative?

  • The user representative is responsible for the secure operation of a certified and accredited IS.
  • The user representative represents the user community.
  • The user representative determines whether a system is ready for certification and conducts the certification process.
  • The user representative functions as the liaison for the user community throughout the life cycle of the system.

12) Which is NOT an activity in NIACAP Phase 2?

  • System Development and Integration
  • Initial Certification Analysis
  • Refine the SSAA
  • Negotiation

13) Which statement about certification and accreditation (C&A) is NOT correct?

  • Certification is the comprehensive evaluation of the technical and non-technical security features of an information system.
  • C&A is optional for most federal agencies’ security systems.
  • Accreditation is the formal declaration by a DAA approving an information system to operate.
  • C&A consists of formal methods applied to ensure that the appropriate information system security safeguards are in place and that they are functioning per the specifications.

14) Which is NOT an activity in NIACAP Phase 1?

  • Preparation
  • Initial Certification Analysis
  • Registration
  • Negotiation

15) During which NIACAP phase does not Security Test and Evaluation (ST&E) occur?

  • Phase 1
  • Phase 2
  • Phase 3
  • Phase 4

16) Which choice below BEST describes the objective of the Security Test and Evaluation (ST&E)?

  • The objective of the ST&E is to update the SSAA to include changes made during system development and the results of the certification analysis.
  • The objective of the ST&E is to evaluate the integration of COTS software, hardware, and firmware.
  • The objective of the ST&E is to verify that change control and configuration management practices are in place.
  • The objective of the ST&E is to assess the technical implementation of the security design.

17) Penetration Testing is part of which NIACAP Phase?

  • Phase 1
  • Phase 2
  • Phase 3
  • Phase 4

18) The DAA accreditation decision is made at the last step of which phase?

  • Phase 1
  • Phase 2
  • Phase 3
  • Phase 4

19) If the DAA does not accredit the system, what happens?

  • The NIACAP process reverts to Phase 1.
  • The NIACAP process moves on to Phase 4.
  • The NIACAP project is ended.
  • The NIACAP stays in Phase 3 until the system is accredited.

20) What is the main purpose of the post-accreditation phase?

  • To initiate the risk management agreement process among the four principals: the DAA, certifier, program manager, and user representative.
  • To continue to operate and manage the system so that it will maintain an acceptable level of residual risk.
  • To ensure that the SSAA properly and clearly defines the approach and level of effort.
  • To collect Information and documentation about the system, such as capabilities and functions the system will perform.

21) How long does Phase 4 last?

  • Until the initial certification analysis determines whether the IS is ready to be evaluated and tested.
  • Until the DAA reviews the SSAA and makes an accreditation determination.
  • Until the information system is removed from service, a major change is planned for the system, or a periodic compliance validation is required.
  • Until the responsible organizations adopt the SSAA and concur that those objectives have been reached.

22) SSAA maintenance continues under which phase?

  • Phase 1
  • Phase 2
  • Phase 3
  • Phase 4

23) Change management is initiated under which phase?

  • Phase 1
  • Phase 2
  • Phase 3
  • Phase 4

24) How many levels of certification does NIACAP specify to ensure that the appropriate C&A is performed for varying schedule and budget limitations?

  • Two
  • Three
  • Four
  • Five

25) What happens to the SSAA after the NIACAP accreditation?

  • The SSAA becomes the baseline security configuration document.
  • The SSAA is discarded as the project is finished.
  • The SSAA cannot be reviewed or changed.
  • The ISSO can revise the SSAA independently.

26) Which policy document determines that all federal government departments and agencies establish and implement programs mandating the certification and accreditation (C&A) of national security systems under their operational control?

  • DoD 8510.1-M “Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual,” July 31, 2000
  • FIPS PUB102, “Guidelines for Computer Security Certification and Accreditation,” September 27, 1983
  • NSTISS Instruction (NSTISSI) No. 1000, “National Information Assurance Certification and Accreditation Process (NIACAP),” April 2000
  • NSTISS Policy (NSTISSP) NO. 6, “National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems,” 8 April 1994

27) Which assessment methodology below is a self-guided assessment implemented in a series of short workshops focusing on key organizational areas and conducted in three phases?

  • Federal Information Technology Security Assessment Framework (FITSAF)
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  • Office of Management and Budget (OMB) Circular A-130
  • INFOSEC Assessment Methodology (IAM)

28) Which assessment methodology below is a 6-step comprehensive C&A guide?

  • Federal Information Processing Standard (FIPS) 102
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  • Federal Information Technology Security Assessment Framework (FITSAF)
  • INFOSEC Assessment Methodology (IAM)

29) Which assessment methodology below was developed by the National Security Agency to assist both assessment suppliers and consumers?

  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  • Federal Information Processing Standard (FIPS) 102
  • Federal Information Technology Security Assessment Framework (FITSAF)
  • INFOSEC Assessment Methodology (IAM)

30) What is the order of phases in a DITSCAP assessment?

  • Verification, Definition, Validation, and Post Accreditation
  • Definition, Verification, Validation, and Post Accreditation
  • Definition, Validation, Verification, and Post Accreditation
  • Validation, Definition, Verification, and Post Accreditation

Leave a Reply