
1. Which one of the following is NOT one of the five system life cycle planning phases as defined in NIST SP 800-14?

  A. Initiation phase
  B. Requirements phase
  C. Implementation phase
  D. Disposal phase

Answer: B

Hint: The requirements phase is not one of the five system life cycle planning phases. The other two phases of the system life cycle are the Development/Acquisition phase and the Operations phase.

2. Which one of the following sets of activities BEST describes a subset of the Acquisition Cycle phases as given in NIST SP 800-64, Security Considerations in the Information System Development Life Cycle?

  A. Mission and business planning, acquisition planning, contract performance, disposal and contract closeout
  B. Initiation, mission and business planning, acquisition planning, contract performance
  C. Initiation, acquisition/development, contract performance, disposal and contract closeout
  D. Mission and business planning, acquisition/development, contract performance, disposal and contract closeout

Answer: A

Hint: The other answers are distracters comprising components of the SDLC and the Acquisition cycle.

3. The IATF document 3.1 stresses that information assurance relies on three critical components. Which one of the following answers correctly lists these components?

  A. People, documentation, technology
  B. People, Defense in Depth, technology
  C. People, evaluation, certification
  D. People, operations, technology

Answer: D

Hint: The other answers are distracters.

4. In the 14 Common IT Security Practices listed in NIST SP 800-14, one of the practices addresses having three types of policies in place. Which one of the following items is NOT one of these types of policies?

  A. A program policy
  B. An issue specific policy
  C. A system specific policy
  D. An enclave specific policy

Answer: D

Hint: A program policy is used to create and define a computer security program; an issue specific policy addresses specific areas and issues; and a system specific policy focuses on decisions made by management.

5. Risk management, as defined in NIST SP 800-30, comprises which three processes?

  A. Risk assessment, risk mitigation, and evaluation and assessment
  B. Risk identification, risk mitigation, and evaluation and assessment
  C. Risk assessment, risk impacts, and risk mitigation
  D. Risk assessment, risk mitigation, and risk identification

Answer: A

Hint: The other answers are distracters.

6. In the system development life cycle (SDLC), or system life cycle as it is sometimes called, in which one of the five phases are the system security features configured, enabled, tested, and verified?

  A. Operation/maintenance
  B. Development/acquisition
  C. Implementation
  D. Initiation

Answer: C

7. Which one of the following activities is performed in the Development/Acquisition phase of the SDLC?

  A. The scope of the IT system is documented.
  B. The IT system is developed, programmed, or otherwise constructed.
  C. The system performs its function.
  D. Disposition of information, hardware, or software.

Answer: B

Hint: Answer A refers to the Initiation phase; answer C refers to the Operation/Maintenance phase; and answer D refers to the Disposal phase.

8. In NIST SP 800-30, risk is defined as a function of which set of the following items?

  A. Threat likelihood, vulnerabilities, and impact
  B. Threat likelihood, mission, and impact
  C. Vulnerabilities, mission, and impact
  D. Threat likelihood, sensitivity, and impact

Answer: A

Hint: The other answers are distracters.

9. The risk assessment methodology described in NIST SP 800-30 comprises nine primary steps. Which one of the following is NOT one of these steps?

  A. System characterization
  B. Control analysis
  C. Impact analysis
  D. Accreditation boundaries

Answer: D

Hint: Delineating accreditation boundaries is a subset of answer A, system characterization.

10. The engineering principles for information technology security (EP-ITS), described in NIST SP 800-27, are which one of the following?

  A. A list of 33 system-level security principles to be considered in the design, development, and operation of an information system
  B. A list of eight principles and 14 practices derived from OECD guidelines
  C. Part of the Common Criteria (CC)
  D. Component of the Defense in Depth strategy

Answer: A

Hint: Answer B describes the principles and practices found in NIST SP 800-14. Answers C and D are distracters.

11. Which one of the following items is NOT one of the activities of the generic systems engineering (SE) process?

  A. Discover needs
  B. Define system requirements
  C. Obtain accreditation
  D. Assess effectiveness

Answer: C

Hint: Obtain accreditation is not one of the SE process activities. The other SE process activities are Design system architecture, Develop detailed design, and Implement system.

12. The elements of Discover information protection needs, Develop detailed security design, and Assess information protection effectiveness are part of what process?

  A. The systems engineering (SE) process
  B. The information systems security engineering (ISSE) process
  C. The system development life cycle (SDLC)
  D. The risk management process

Answer: B

13. In the ISSE process, information domains are defined under the Discover Information Protection Needs process. Which one of the following tasks is NOT associated with the information domain?

  A. Identify the members of the domain
  B. List the information entities that are under control in the domain
  C. Identify the applicable privileges, roles, rules, and responsibilities of the users in the domain
  D. Map security mechanisms to security design elements in the domain

Answer: D

Hint: This task is performed under the Develop Detailed Security Design activity.

14. In the Discover Information Protection Needs activity of the ISSE process, the information systems security engineer must document the elements of this activity, including roles, responsibilities, threats, strengths, security services, and priorities. These items form the basis of which one of the following?

  A. Threat matrix
  B. Functional analysis
  C. Synthesis
  D. Information protection policy (IPP)

Answer: D

Hint: The other answers are distracters.

15. As part of the Define System Security Requirements activity of the ISSE process, the information systems security engineer identifies and selects a solution set that can satisfy the requirements of the IPP. Which one of the following elements is NOT a component of the solution set?

  A. Functional decomposition
  B. Preliminary security concept of operations (CONOPS)
  C. System context
  D. System requirements

Answer: A

Hint: Functional decomposition is part of the Design System Security Architecture activity of the ISSE process.

16. The information systems security engineer's tasks of cataloging candidate commercial off-the-shelf (COTS) products, government off-the-shelf (GOTS) products, and custom security products are performed in which one of the following ISSE process activities?

  A. Define System Security Requirements
  B. Develop Detailed Security Design
  C. Implement System Security
  D. Design System Security Architecture

Answer: B

17. Which ISSE activity includes conducting unit testing of components, integration testing, and developing installation and operational procedures?

  A. Assess Information Protection Effectiveness
  B. Develop Detailed Security Design
  C. Implement System Security
  D. Design System Security Architecture

Answer: C

18. Security certification is performed in which phase of the SDLC?

  A. Implementation phase
  B. Validation phase
  C. Development/Acquisition phase
  D. Operations/Maintenance phase

Answer: A

Hint: Answer B, Validation, is not a phase of the SDLC. Answers C and D are other phases of the SDLC.

19. The certification and accreditation process receives inputs from the ISSE process. These inputs are which one of the following items?

  A. Certification documentation
  B. Certification recommendation
  C. Accreditation decision
  D. Evidence and documentation

Answer: D

Hint: Answers A, B, and C are outputs of the Certification and Accreditation process.

20. Which one of the following items is NOT part of an implementation-independent protection profile (PP) of the Common Criteria (CC)?

  A. Security objectives
  B. Information assurance requirements
  C. Security-related functional requirements
  D. Defense of the enclave boundary

Answer: D

Hint: Defense of the enclave boundary is addressed in the Defense in Depth strategy.

21. Which one of the following is NOT one of the technology focus areas of the Defense in Depth strategy?

  A. Defend the certificate management
  B. Defend the network and infrastructure
  C. Defend the computing environment
  D. Defend the supporting infrastructure

Answer: A

22. Security categorization is part of which phase of the SDLC?

  A. Initiation
  B. Acquisition/Development
  C. Implementation
  D. Requirements

Answer: A

Hint: Security categorization defines low, moderate, or high levels of potential impact on organizations as a result of a security breach. Answers B and C are other phases of the SDLC. Answer D is not a phase of the SDLC.

23. The Defense in Depth strategy identifies five types of attacks on information systems as listed in IATF document 3.1. Which one of the following types of attacks is NOT one of these five types?

  A. Passive
  B. Active
  C. Close-in
  D. Outsider

Answer: D

Hint: The other two types of attacks are insider and distribution.

24. Which one of the following items is NOT an activity under the Acquisition/Development phase of the SDLC?

  A. Preliminary risk assessment
  B. Security functional requirements analysis
  C. Cost considerations and reporting
  D. Developmental security evaluation

Answer: A

Hint: This activity is performed in the initiation phase of the SDLC. Additional activities under the acquisition/development phase of the SDLC are risk assessment, security assurance requirements analysis, security planning, and security control development.

25. Which one of the following types of enclaves is NOT one of those categorized in the U.S. federal and defense computing environments?

  A. Private
  B. Public
  C. Classified
  D. Secure

Answer: D

26. According to NIST SP 800-64, which phase of the SDLC includes the activities of functional statement of need, market research, cost-benefit analysis, and a cost analysis?

  A. Initiation
  B. Acquisition/Development
  C. Implementation
  D. Operations/Maintenance

Answer: B

Hint: Additional activities under this phase include requirements analysis, alternatives analysis, and a software conversion study.

27. Which one of the following models is an evolutionary model used to represent the acquisition management process?

  A. The acquisition process model
  B. The Spiral model
  C. The Waterfall model
  D. The acquisition/development model

Answer: B

Hint: This model depicts the acquisition management process as a set of phases and decision points in a circular representation. The other answers are distracters.

28. In NIST SP 800-30, a threat is defined as which one of the following items?

  A. Intent and method targeted at the intentional exploit of a vulnerability
  B. The likelihood that a given threat-source will exercise a particular potential vulnerability, and the resulting impact of that adverse event on the organization
  C. The potential for a threat-source to exercise a specific vulnerability
  D. A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised and result in a security breach or a violation of the system's security policy

Answer: C

Hint: Answer A is a threat-source, answer B defines risk, and answer D is the definition of vulnerability.

29. Questionnaires, on-site interviews, review of documents, and automated scanning tools are primarily used to gather information for which one of the following steps of the risk assessment process?

  A. System characterization
  B. Risk determination
  C. Vulnerability identification
  D. Control analysis

Answer: A

30. In performing an impact analysis as part of the risk assessment process, three important factors should be considered in calculating the negative impact. Which one of the following items is NOT one of these factors?

  A. The sensitivity of the system and its data
  B. The management of the system
  C. The mission of the system
  D. The criticality of the system, determined by its value and the value of the data to the organization

Answer: B