[14] CISSP – MCQ – U.S. Government Information Assurance (IA) Regulations

CISSP Multiple Choice Questions MCQ With Answers Techhyme

This article offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. This article is designed for readers and students who want to study for the CISSP certification exam.

The CISSP exam is governed by the International Information Systems Security Certification Consortium, Inc. (ISC)2 organization.

(ISC)2 is a global not-for-profit organization. It has four primary mission goals:

Maintain the Common Body of Knowledge for the field of information systems security
Provide certification for information systems security professionals and practitioners
Conduct certification training and administer the certification exams
Oversee the ongoing accreditation of qualified certification candidates through continued education

In this article, all the questions are related to “Certification and Accreditation” and are as follows:

1) Techniques and concerns that are normally addressed by management in the organization’s computer security program are defined in NIST SP 800-12 as:

Administrative controls
Management controls
Operational controls
Technical controls

2) The National Research Council publication, Computers at Risk, defines an element of computer security as a “requirement intended to assure that systems work properly and service is not denied to authorized users.” Which one of the following elements best fits this definition?

Availability
Assurance
Integrity
Authentication

3) NSTISSI Publication No. 4009, “National Systems Security (INFOSEC) Glossary,” defines the term assurance as:

Requirement that information and programs are changed only in a specified and authorized manner.
Measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information.
Measure of confidence that the security features, practices, procedures, and architecture of an IS accurately mediate and enforce the security policy.
Requirement that private or confidential information not be disclosed to unauthorized individuals.

4) The “National Information Systems Security (INFOSEC) Glossary,” defines and information system security term as a “formal determination by an authorized adjudicative office that an individual is authorized access, on a need to know basis, to a specific level of collateral classified information.” This definition refers to which one of the following terms?

Sensitivity of information
Classification of information
Clearance
Compartmentalization

5) In NSTISSI Publication No. 4009, what term is defined as a “document detailing the method, act, process, or effect of using an information system (IS)”?

QUADRANT
Concept of Operations (CONOPS)
Evaluation Assurance Level (EAL)
Information Assurance (IA) architecture

6) Which one of the following definitions best describes the National Information Assurance Partnership (NIAP) according to NSTISSI Publication No. 4009?

Nationwide interconnection of communications networks, computers, databases, and consumer electronics that makes vast amounts of information available to users.
Worldwide interconnections of the information systems of all countries, international and multinational organizations, and international commercial communications.
Joint initiative between NSA and NIST responsible for security testing needs of both IT consumers and producers, promoting the development of technically sound security requirements for IT Products.
First level of the PKI Certification Management Authority that approves the security policy of each Policy Certification Authority (PCA).

7) TEMPEST refers to which one of the following definitions?

Property whereby the security level of an object cannot change while the object is being processed by an IS.
Investigation, study, and control of compromising emanations from IS equipment.
Program establishment for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classified level.
Unclassified cryptographic equipment

8) Executive Order (E.O.) 13231, issued on October 16, 2001, renamed the National Security Telecommunications and Information System Security Committee (NSTISSC) as which one of the following committees?

Committee for information Systems Security (CISS).
Committee on National Security Systems (CNSS).
Committee on National Infrastructure Protection (CNIP).
Committee for the Protection of National Information Systems (CPNIS)

9) In addressing the security of systems with national security information, E.O. 3231 assigned the responsibilities of developing government-wide policies and overseeing the implementation of government-wide policies, procedures, standards, and guidelines to the:

U.S. Secretary of Defense and the Director of the FBI.
FBI and the Director of Central Intelligence.
NIST and U.S. Secretary of Defense.
U.S. Secretary of Defense and the Director of Central Intelligence.

10) Which one of the following characteristics is NOT associated with the definition of a national security system?

Contains classified information
Involved in industrial commerce
Supports intelligence activities
Involved with the command and control of military forces

11) In 2002, the U.S. Congress enacted the E-Government Act (Public Law 107-347). Title 3 of the E-Government Act was written to provide for a number of protections of Federal information systems, including to “provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.” Title 3 of the E-Government Act is also known as the :

Computer Security Act (CSA)
Computer Fraud and Abuse Act (CFAA)
Federal Information Security Management Act (FISMA)
Cyber Security Enhancement Act

12) FISMA assigned which one of the following entities the responsibility of overseeing the security policies and practices of U.S. government agencies?

The FBI.
The U.S. Secretary of Defense.
The Director of the Office of Management and Budget (OMB).
The Director of Central Intelligence.

13) Which information system security-related Act requires government agencies to perform periodic assessments of risk, develop policies and procedures that are based on risk assessments, conduct security awareness training, perform periodic testing and evaluation of the effectiveness of information security policies, and implement procedures for detecting, reporting, and responding to security incidents?

Computer Security Act (CSA)
Federal Information Security Management Act (FISMA)
Computer Fraud and Abuse Act (CFAA)
Cyber Security Enhancement Act

14) FISMA charged which one of the following entities to develop information systems security standards and guidelines for federal agencies?

FBI
DoD
NSA
NIST

15) The general formula for categorization of an information type developed in FIPS Publication 199, “Standards for Security Categorization of Federal information and Information Systems,” is which one of the following?

SC (information type) = {(confidentiality, risk), (integrity, risk), (availability, risk)}
SC (information type) = {(confidentiality, impact), (integrity, impact), (availability, impact)}
SC (information type) = {(assurance, impact), (integrity, impact), (authentication, impact)}
SC (information type) = {(confidentiality, controls), (integrity, controls), (availability, controls)}

16) Circular A-130 directs that an oversight function should be performed consisting of the use of information technology planning reviews, fiscal budget reviews, information collection budget reviews, management reviews, and such other measures as deemed necessary to evaluate the adequacy and efficiency of each agency’s information resources management and compliance with Circular, which one of the following individuals does the Circular designate as being responsible for this oversight function?

The Secretary of Commerce
The Director of the Office of Management and Budget
The U.S. Secretary of Defense
The Director of NSA

17) The National Computer Security Center Publication NCSC-TG-004-88 includes a definition that refers to the characteristic of a system that “performs its intended function in an unimpaired manner, free from deliberate, inadvertent, or unauthorized manipulation of the system.” This characteristic defines which one of the following terms?

Data integrity
System integrity
Enterprise integrity
Risk integrity

18) Which one of the following terms best describes a secure telecommunications or associated cryptographic component that is unclassified but governed by a special set of control requirements, as defined in NSTISSI Publication 4009?

Controlled cryptographic item (CCI) assembly
Controlled cryptographic item (CCI) component
Controlled cryptographic item (CCI)
Crypto-ignition key (CIK)

19) What is the definable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation and key handling and storage?

COMSEC area
COMSEC compartment
COMSEC partition
COMSEC boundary

20) What process involves the five steps of identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures?

Operations security
Application security
Administrative security
Management security

21) Information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosures is known as:

Protected information (PI)
National security information (NSI)
Personally identifiable information (PII)
Secure information (SI)

22) An area that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other is referred to as which one of the following terms?

No-lone zone
Restricted area
Protected occupancy zone
Cleared area

23) According to NSTISSI Publication 4009, the process of identifying and applying countermeasures commensurate with the value of the assets protected based on a risk assessment is called:

Vulnerability assessment
Continuity planning
Risk management
Risk control

24) In the context of information systems security, the abbreviation ST&E stands for which one of the following terms?

Security training and evaluation
Security test and evaluation
Security test and engineering
Sensitivity test and evaluation

25) Which one of the following designations refers to a product that is a classified or controlled cryptographic item endorsed by the NSA for securing classified and sensitive U.S. government information, when appropriately keyed?

Cleared product
Type 3 product
Type 1 product
Type 2 product

26) Which one of the following items is NOT one of the responsibilities of the Committee on National Security Systems (CNSS) for the security of national security systems?

Providing a forum for the discussion of policy issues
Setting national policy
Providing operational procedures, direction, and guidance
Requiring agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm to information or information systems of government agencies.

27) FISMA, Title 3 of the E-Government Act of 2002, reserves the responsibility for standards associated with the national defense establishment to which of the following entities?

DoD and NSA
DoD and CIA
CIA and NSA
CIA and NIST

28) FIPS Publication 199, “Standards for Security Characterization of Federal Information and Information Systems, NIST Pre-Publication Final Draft,” December 2003, characterizes 3 levels of potential impact on organizations or individuals based on the objectives of confidentiality, integrity, and availability. What is the level of impact specified in Publication 199 for the following description of integrity: “The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.”?

High
Moderate
Low
Severe

29) Referring to question 28, the following impact description refers to which one of the three security objectives and which corresponding level of impact: “The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.”?

Confidentiality – Low
Availability – Moderate
Availability – Low
Availability – High

30) DoD Directive 8500.1, “Information Assurance (IA),” October 4, 2002, specifies a defense-in-depth approach that integrates the capabilities of which set of the following entities?