
1. Which statement about the SSE-CMM is incorrect?

  1. The SSE-CMM defines two dimensions that are used to measure the capability of an organization to perform specific activities.
  2. The domain dimension consists of all of the practices that collectively define security engineering.
  3. The domain dimension represents practices that indicate process management and institutionalization capability.
  4. The capability dimension represents practices that indicate process management and institutionalization capability

Answer: C

Hint: The SSE-CMM defines two dimensions that are used to measure the capability of an organization to perform specific activities, the domain dimension and the capability dimension. The domain dimension consists of all of the practices that collectively define security engineering. The capability dimension represents practices that indicate process management and institutionalization capability.

2. Which description of the SSE-CMM Level 5 Generic Practice is correct?

  1. Planned and Tracked
  2. Continuously Improving
  3. Quantitatively Controlled
  4. Performed Informally

Answer: B

Hint: Level 5, Continuously Improving, is the highest level. A statement characterizing this level would be: "A culture of continuous improvement requires a foundation of sound management practice, defined process, and measurable goals".

3. Which statement about testing and evaluation is NOT true?

  1. A TEMP is required for most large programs.
  2. A DT&E is equivalent to Analytical, Type 1, and Type 2 testing.
  3. An OT&E is equivalent to Type 5 and 6 testing.
  4. An OT&E is equivalent to Type 3 and Type 4 testing.

Answer: C

Hint: In the Defense sector, a TEMP is required for most large programs and includes the planning and implementation of procedures for the Development Test and Evaluation (DT&E) and the Operational Test and Evaluation (OT&E). DT&E basically equates to the Analytical, Type 1, and Type 2 testing, and OT&E is equivalent to Type 3 and Type 4 testing.

4. Which attribute about the Level 1 SSE-CMM Generic Practice is correct?

  1. Performed Informally
  2. Planned and Tracked
  3. Well Defined
  4. Continuously Improving

Answer: A

Hint: The lowest level, Level 1, Performed Informally, focuses on whether an organization or project performs a process that incorporates the BPs. The attribute of this level simply requires that the BPs are performed.

5. Which choice below is NOT a true statement about good cost control?

  1. Cost control starts with the initiation of corrective action.
  2. Cost control requires good overall cost management.
  3. Cost control requires immediate initiation of corrective action.
  4. Cost control starts with the initial development of cost estimates for the program.

Answer: A

Hint: Cost control starts with the initial development of cost estimates for the program and continues with the functions of cost monitoring, the collection of cost data, the analysis of the data, and the immediate initiation of corrective action. Cost control requires good overall cost management, including:
- Cost Estimating
- Cost Accounting
- Cost Monitoring
- Cost Analysis and Reporting
- Control Functions

6. Which statement about the SE-CMM is NOT correct?

  1. The SE-CMM describes the essential elements of an organization's systems engineering process that must exist in order to ensure good systems engineering.
  2. The SE-CMM provides a reference to compare existing systems engineering practices against the essential systems engineering elements described in the model.
  3. The SE-CMM goal is to improve the system- or product-engineering process.
  4. The SE-CMM was created to define, improve, and assess security engineering capability.

Answer: D

Hint: The SSE-CMM goal is to define, improve, and assess security-engineering capability, not the SE-CMM. The SE-CMM goal is to improve the system- or product-engineering process. The SE-CMM describes the essential elements of an organization's systems engineering process that must exist in order to ensure good systems engineering. It also provides a reference to compare existing systems engineering practices against the essential systems engineering elements described in the model.

7. Which statement about system security testing and evaluation (ST&E) categories is correct?

  1. Type 1 testing is performed during the later stages of the detail design and development phase.
  2. Type 2 testing is design evaluation conducted early in the system life cycle.
  3. Type 3 testing is performed during the latter stages of the detail design and development phase.
  4. Type 4 testing is conducted during the system operational use and life cycle support phase.

Answer: D

Hint: Testing and evaluation processes often involve several stages of testing, categories, or phases, such as:
- Analytical - Design evaluations conducted early in the system life cycle using computerized techniques such as CAD, CAM, CALS, simulation, rapid prototyping, and other related approaches.
- Type 1 testing - The evaluation of system components in the laboratory using bench test models and service test models, designed to verify performance and physical characteristics.
- Type 2 testing - Testing performed during the latter stages of the detail design and development phase when preproduction prototype equipment and software are available.
- Type 3 testing - Tests conducted after initial system qualification and prior to the completion of the production or construction phase. This is the first time that all elements of the system are operated and evaluated on an integrated basis.
- Type 4 testing - Testing conducted during the system operational use and life-cycle support phase, intended to provide further knowledge of the system in the user environment.

8. Which choice is NOT an activity in the cost control process?

  1. Identifying potential suppliers
  2. Developing a functional cost data collection capability
  3. Developing the costs as estimated for each task
  4. Creating a procedure for cost evaluation

Answer: A

Hint: Answer A is an activity of outsourcing. The cost control process includes:
1. Define the elements of work, as extracted from the SOW
2. Integrate the tasks defined in the WBS
3. Develop the costs, as estimated for each task
4. Develop a functional cost data collection and reporting capability
5. Develop a procedure for evaluation and quick corrective action

9. Which choice does NOT describe a common outsourcing activity?

  1. Review of proposals
  2. Develop a functional cost reporting capability
  3. Contract negotiation
  4. Development of an RFP

Answer: B

Hint: Developing a functional cost reporting capability is a function of Cost Control. The order of activities for the outsourcing process is:
1. Identification of Potential Suppliers
2. Development of a Request for Proposal (RFP)
3. Review and Evaluation of Supplier Proposals
4. Selection of Suppliers and Contract Negotiation
5. Supplier Monitoring and Control

10. Which choice is NOT an accurate description of an activity level of the WBS?

  1. Level 1 may be used as the basis for the authorization of the program work.
  2. Program budgets are usually prepared at level 1.
  3. Level 2 identifies the various projects that must be completed.
  4. Program schedules are generally prepared at level 3.

Answer: B

Hint: The WBS structure generally includes three levels of activity:
- Level 1 - Identifies the entire program scope of work to be produced and delivered. Level 1 may be used as the basis for the authorization of the program work.
- Level 2 - Identifies the various projects, or categories of activity, that must be completed in response to program requirements. Program budgets are usually prepared at this level.
- Level 3 - Identifies the activities, functions, major tasks, and/or components of the system that are directly subordinate to the Level 2 items. Program schedules are generally prepared at this level.

11. Which choice below is NOT a phase in the IDEAL model?

  1. Authorizing
  2. Learning
  3. Diagnosing
  4. Establishing

Answer: A

Hint: The five phases of the IDEAL model are:
- Initiating - Laying the groundwork for a successful improvement effort
- Diagnosing - Determining where you are relative to where you want to be
- Establishing - Planning the specifics of how you will reach your destination
- Acting - Doing the work according to the plan
- Learning - Learning from the experience and improving your ability

12. Which choice below best describes systems engineering, as defined in the SSE-CMM?

  1. An integrated composite of people, products, and processes that provides a capability to satisfy a need or objective.
  2. The selective application of scientific and engineering efforts to integrate the efforts of all engineering disciplines and specialities into the total engineering effort.
  3. A narrative with description of the work required for a given project.
  4. The contracting with one or more outside suppliers for the procurement and acquisition of materials and services.

Answer: B

Hint: The definition of systems engineering on which the SE-CMM is based is defined as the selective application of scientific and engineering efforts to:
- Transform an operational need into a description of the system configuration that best satisfies the operational need according to the measures of effectiveness
- Integrate related technical parameters and ensure the compatibility of all physical, functional, and technical program interfaces in a manner that optimizes the total system definition and design
- Integrate the efforts of all engineering disciplines and specialties into the total engineering effort
Answer A describes a system, answer C describes the SOW, and answer D describes outsourcing.

13. Which choice below is NOT a benefit of the WBS?

  1. The WBS facilitates the initial allocation of budgets.
  2. The WBS facilitates the initial allocation of costs.
  3. The system can easily be described through the logical breakout of its elements into work packages.
  4. The WBS integrates the efforts of all engineering disciplines and specialties into the total engineering effort.

Answer: D

Hint: The WBS provides many benefits such as:
- Provides for the reporting of system technical performance measures (TPMs)
- The entire security system can easily be defined by the breakout of its elements into discrete work packages
- Aids in linking objectives and activities with available resources
- Facilitates budgeting and cost reporting
- Responsibility assignment can readily be identified through the assignment of tasks
- Provides a greater probability that every activity will be accounted for
Answer D describes a benefit of systems engineering.

14. Which choice is NOT an element of the Statement of Work (SOW)?

  1. An identification of the input requirements from other tasks
  2. A description of specific results to be achieved
  3. Management of security awareness, training, and education programs
  4. A proposed schedule for delivery of the product

Answer: C

Hint: The Statement of Work (SOW) is a narrative description of the work required for a given project. It includes:
- Summary statement of the tasks to be accomplished
- Identification of the input requirements from other tasks, including tasks accomplished by the customer and supplier
- References to applicable specifications, standards, procedures, and related documentation
- Description of the specific results to be achieved and a proposed schedule of delivery
Answer C is an example of an SSE-CMM Best Practice.

15. Which statement below best describes the difference between a Type 1 testing and evaluation category and a Type 2 category?

  1. Type 1 testing is the evaluation of system components in the laboratory, designed to verify performance and physical characteristics.
  2. Type 2 testing is the evaluation of system components in the laboratory, designed to verify performance and physical characteristics.
  3. Type 1 testing establishes design evaluations conducted early in the system life cycle.
  4. Type 2 testing is conducted after initial system qualification and prior to the completion of the production or construction phase.

Answer: A

Hint: Answer B describes Type 1 testing, answer C describes the Analytical stage of testing, and answer D describes Type 3 testing.

16. Which choice has the outsourcing activities listed in their proper order?

  1. Review and evaluation of supplier proposals, supplier monitoring and control, development of a Request For Proposal (RFP), and selection of suppliers.
  2. Development of a Request For Proposal (RFP), review and selection of suppliers.
  3. Development of a Request For Proposal (RFP), review and evaluation of supplier proposals, selection of suppliers, and supplier monitoring and control.
  4. Review and evaluation of supplier proposals (RFP), and supplier monitoring and control.

Answer: C

17. Which answer best describes a Statement of Work (SOW)?

  1. A narrative description of the work required for a given project.
  2. An integrated composite of people, products, and processes that provides a capability to satisfy a need or objective.
  3. The contracting with one or more outside suppliers for the procurement and acquisition of materials and services.
  4. The development of a functional cost reporting capability.

Answer: A

Hint: The Statement of Work is a narrative description of the work required for a given project. Answer B describes a system as defined by the SE-CMM, answer C describes outsourcing, and answer D describes a function of Cost Control.

18. Which statement about SSE-CMM Base Practices is correct?

  1. BPs are mandatory characteristics that must exist within an implemented security engineering process before an organization can claim satisfaction in a given PA.
  2. BPs are ordered in degrees of maturity and are grouped to form and distinguish among five levels of security engineering maturity.
  3. BPs are ordered in degrees of maturity and are grouped to form and distinguish among 22 levels of security engineering maturity.
  4. BPs are optional characteristics that must exist within an implemented security engineering process before an organization can claim satisfaction in a given PA.

Answer: A

Hint: BPs are mandatory characteristics that must exist within an implemented security engineering process before an organization can claim satisfaction in a given PA. The GPs are ordered in degrees of maturity and are grouped to form and distinguish among five levels of security engineering maturity. The other answers are distracters.

19. As per SE-CMM, which statement defining a system is incorrect?

  1. An interacting combination of elements that are viewed in relation to function
  2. A continuous cycle of evaluating the current status of an organization, making improvements, and repeating the cycle.
  3. An assembly of things or parts forming a complex or unitary whole
  4. An integrated composite of people, products, and processes that provides a capability to satisfy a need or objective

Answer: B

Hint: In the SE-CMM, a system is defined as:
- An integrated composite of people, products, and processes that provides a capability to satisfy a need or objective.
- An assembly of things or parts forming a complex or unitary whole; a collection of components organized to accomplish a specific function or set of functions.
- An interacting combination of elements that are viewed in relation to function.
Answer B describes process improvement.

20. Which choice below best describes the purpose of the Learning phase of the IDEAL model?

  1. The Learning phase is the implementation phase and requires the greatest level of effort of all the phases both in terms of resources and time.
  2. The Learning phase is both the final stage of the initial process improvement cycle and the initial phase of the next process improvement effort.
  3. In the Learning phase, it is imperative that an understanding of the organization's current and desired future state of process maturity be established.
  4. In the Learning phase, a detailed plan of action based on the goals of the effort and the recommendations developed during the Diagnosing phase is developed.

Answer: B

Hint: The Learning phase is both the final stage of the initial process improvement cycle and the initial phase of the next process improvement effort. Based on the analysis of the improvement effort itself, the lessons learned are translated into recommendations for improving subsequent efforts. Answer A describes the Acting phase, answer C describes the Diagnosing phase, and answer D describes the Establishing phase.

21. Which statement about the System Engineering Management Plan (SEMP) is NOT true?

  1. Development program planning and control is a SEMP element.
  2. The goal of SEMP is to establish a continuous cycle of evaluating the current status of the organization.
  3. The SEMP contains detailed statements of how the systems security engineering functions are to be carried out during development.
  4. The security systems engineering process is a SEMP element.

Answer: B

Hint: The SEMP contains detailed statements of how the systems security engineering functions are to be carried out during development. Two elements of the SEMP are:
- Development program planning and control
- Security systems engineering process
Answer B describes a goal of process improvement.

22. Which choice has the correct order of activities in the IDEAL model?

  1. Learning, Initiating, Diagnosing, Establishing, and Acting
  2. Initiating, Learning, Diagnosing, Establishing, and Acting
  3. Learning, Diagnosing, Initiating, Establishing, and Acting
  4. Initiating, Diagnosing, Establishing, Acting, and Learning

Answer: D

Hint: The order of activities in the IDEAL model is Initiating, Diagnosing, Establishing, Acting, and Learning.

23. Which choice is an incorrect statement regarding the Systems Engineering Management Plan (SEMP)?

  1. The SEMP covers all management functions associated with the performance of security systems engineering activities for a given program.
  2. It starts as an outline and is updated as the security system development process goes on.
  3. It contains detailed statements of how the systems security engineering functions are to be carried out during development.
  4. The SEMP is a static document, intended to remain unchanged.

Answer: D

Hint: The SEMP is intended to be a dynamic document. It starts as an outline, is updated as the security system development process goes on, and contains detailed statements of how the systems security engineering functions are to be carried out during development. The SEMP covers all management functions associated with the performance of security systems engineering activities for a given program.

24. Which choice best describes an outsourced supplier?

  1. A broad class of external organizations that provide products, components, materials, and/or services to a producer or prime contractor.
  2. An interacting combination of people, products, and processes that provides a capability to satisfy a need or objective.
  3. An interacting combination of elements that are viewed in relation to function.
  4. Practices that indicate process management and institutionalization capability.

Answer: A

Hint: The term suppliers is defined here as a broad class of external organizations that provide products, components, materials, and/or services to a producer or prime contractor. Answer B and C describe a system, and answer D is a distracter.

25. Which statement below best describes the main premise of process improvement?

  1. Major changes must be sponsored by senior management.
  2. The quality of services produced is a direct function of the quality of the associated development and maintenance processes.
  3. Focus on fixing the process, not assigning blame.
  4. All suppliers must be security vetted prior to contracting.

Answer: B

Hint: The basic premise of process improvement is that quality of services produced is a direct function of the quality of the associated development and maintenance processes. Answers A and C describe some knowledge or assumptions required to implement a successful security engineering process improvement activity, but not the main premise. Answer D is a distracter.

26. What is the main purpose of the Work Breakdown Structure (WBS)?

  1. It creates a hierarchical tree of work packages.
  2. It may be a contractual requirement in competitive bid system developments.
  3. It ensures the authorization for the program work.
  4. It ensures that all essential tasks are properly defined, assigned, scheduled, and controlled.

Answer: D

Hint: The Work Breakdown Structure (WBS) is an important technique to ensure that all essential tasks are properly defined, assigned, scheduled, and controlled. It contains a hierarchical structure of the tasks to be accomplished during the project. The WBS may be a contractual requirement in competitive bid system developments. As such, answers A, C, and D are attributes of the WBS, not its main purpose.

27. Which choice is NOT an activity in the Development Program Planning and Control element of the SEMP?

  1. System Test and Evaluation Strategy
  2. Scheduling and Cost Estimation
  3. Technical Performance Measurement
  4. Statement of Work

Answer: A

Hint: Development Program Planning and Control describes the security systems engineering tasks that must be implemented to manage the development phase of the security program, including:
- Statement of Work
- Organizational Structure
- Scheduling and Cost Estimation
- Technical Performance Measurement
Answer A is an activity of the Security Systems Engineering Process element of the SEMP.

28. At what point in the project is the Work Breakdown Structure (WBS) usually created?

  1. After the generation of the SOW and the identification of the organizational structure
  2. After the development of a functional cost data collection and reporting capability
  3. After the costs for each task are estimated
  4. After the development of an RFP before the identification of the organization structure

Answer: A

Hint: After the generation of the SOW and the identification of the organizational structure, one of the initial steps in program planning is the development of the Work Breakdown Structure (WBS). The other answers are distracters.

29. Which choice accurately lists the five levels of security engineering maturity as defined by the SSE-CMM?

  1. Planned and Tracked, Well Defined, Performed Informally, Quantitatively Controlled, and Continuously Improving
  2. Planned and Tracked, Performed Informally, Well Defined, Quantitatively Controlled, and Continuously Improving
  3. Performed Informally, Planned and Tracked, Well Defined, Quantitatively Controlled, and Continuously Improving
  4. Performed Informally, Planned and Tracked, Quantitatively Controlled, Well Defined, and Continuously Improving

Answer: C

Hint: The five Levels are: Level 1, Performed Informally; Level 2, Planned and Tracked; Level 3, Well Defined; Level 4, Quantitatively Controlled; and Level 5, Continuously Improving.

30. Which choice has the correct order of activities in the security system design testing process?

  1. Acquisition, Testing, Analysis, Planning, and Correction
  2. Acquisition, Planning, Testing, Analysis, and Correction
  3. Planning, Analysis, Testing, Acquisition, and Correction
  4. Planning, Acquisition, Testing, Analysis, and Correction

Answer: D

Hint: The correct order of activities in the security system design testing process is Planning, Acquisition, Testing, Analysis, and Correction.