
1. Techniques and concerns that are normally addressed by management in the organization's computer security program are defined in NIST SP 800-12 as:

  A. Administrative controls
  B. Management controls
  C. Operational controls
  D. Technical controls

Answer: B

Hint: Answer A is a distracter. Answer C, operational controls, refers to security controls that are usually implemented by people instead of systems. Answer D, technical controls, refers to security controls that the computer system executes.

2. The National Research Council publication, Computers at Risk, defines an element of computer security as a "requirement intended to assure that systems work properly and service is not denied to authorized users." Which one of the following elements best fits this definition?

  A. Availability
  B. Assurance
  C. Integrity
  D. Authentication

Answer: A

3. NSTISSI Publication No. 4009, "National Information Systems Security (INFOSEC) Glossary," defines the term assurance as:

  A. Requirement that information and programs are changed only in a specified and authorized manner
  B. Measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information
  C. Measure of confidence that the security features, practices, procedures, and architecture of an IS accurately mediate and enforce the security policy
  D. Requirement that private or confidential information not be disclosed to unauthorized individuals

Answer: C

Hint: Answer A is a definition of data integrity, answer B defines authentication, and answer D describes confidentiality.

4. The "National Information Systems Security (INFOSEC) Glossary" defines an information system security term as a "formal determination by an authorized adjudicative office that an individual is authorized access, on a need to know basis, to a specific level of collateral classified information." This definition refers to which one of the following terms?

  A. Sensitivity of information
  B. Classification of information
  C. Clearance
  D. Compartmentalization

Answer: C

Hint: Answers A and B are distracters. Answer D refers to a "nonhierarchical grouping of sensitive information used to control access to data more finely than with hierarchical security classification alone," as defined in NSTISSI Publication No. 4009.

5. In NSTISSI Publication No. 4009, what term is defined as a "document detailing the method, act, process, or effect of using an information system (IS)"?

  A. QUADRANT
  B. Concept of Operations (CONOPS)
  C. Evaluation Assurance Level (EAL)
  D. Information Assurance (IA) architecture

Answer: B

Hint: Answer A, QUADRANT, refers to technology that provides tamper-proof protection to cryptographic equipment. Answer C defines "a set of assurance requirements that represent a point on the Common Criteria predefined assurance scale," and answer D is a "framework that assigns and portrays IA roles and behavior among all IT assets, and prescribes rules for interaction and connection."

6. Which one of the following definitions best describes the National Information Assurance Partnership (NIAP) according to NSTISSI Publication No. 4009?

  A. Nationwide interconnection of communications networks, computers, databases, and consumer electronics that makes vast amounts of information available to users
  B. Worldwide interconnections of the information systems of all countries, international and multinational organizations, and international commercial communications
  C. Joint initiative between NSA and NIST responsible for security testing needs of both IT consumers and producers, promoting the development of technically sound security requirements for IT products
  D. First level of the PKI Certification Management Authority that approves the security policy of each Policy Certification Authority (PCA)

Answer: C

Hint: Answer A refers to the National Information Infrastructure (NII), answer B defines the Global Information Infrastructure (GII), and answer D defines a Policy Approving Authority (PAA).

7. TEMPEST refers to which one of the following definitions?

  A. Property whereby the security level of an object cannot change while the object is being processed by an IS
  B. Investigation, study, and control of compromising emanations from IS equipment
  C. Program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classified level
  D. Unclassified cryptographic equipment

Answer: B

Hint: Answer A refers to the concept of Tranquillity, answer C refers to a Special Access Program (SAP), and answer D is a distracter.

8. Executive Order (E.O.) 13231, issued on October 16, 2001, renamed the National Security Telecommunications and Information Systems Security Committee (NSTISSC) as which one of the following committees?

  A. Committee for Information System Security (CISS)
  B. Committee on National Security Systems (CNSS)
  C. Committee on National Infrastructure Protection (CNIP)
  D. Committee for the Protection of National Information Systems (CPNIS)

Answer: B

Hint: The other answers are distracters.

9. In addressing the security of systems with national security information, E.O. 13231 assigned the responsibilities of developing government-wide policies and overseeing the implementation of government-wide policies, procedures, standards, and guidelines to the:

  A. U.S. Secretary of Defense and the Director of the FBI
  B. FBI and the Director of Central Intelligence
  C. NIST and the U.S. Secretary of Defense
  D. U.S. Secretary of Defense and the Director of Central Intelligence

Answer: D

10. Which one of the following characteristics is NOT associated with the definition of a national security system?

  A. Contains classified information
  B. Involved in industrial commerce
  C. Supports intelligence activities
  D. Involved with the command and control of military forces

Answer: B

Hint: Additional characteristics of a national information system include employing cryptographic activities related to national security, associated with equipment that is an integral part of a weapon or weapons system(s), and critical to the direct fulfillment of military or intelligence missions.

11. In 2002, the U.S. Congress enacted the E-Government Act (Public Law 107-347). Title III of the E-Government Act was written to provide for a number of protections of Federal information systems, including to "provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets." Title III of the E-Government Act is also known as the:

  A. Computer Security Act (CSA)
  B. Computer Fraud and Abuse Act (CFAA)
  C. Federal Information Security Management Act (FISMA)
  D. Cyber Security Enhancement Act

Answer: C

12. FISMA assigned which one of the following entities the responsibility of overseeing the security policies and practices of U.S. government agencies?

  A. The FBI
  B. The U.S. Secretary of Defense
  C. The Director of the Office of Management and Budget (OMB)
  D. The Director of Central Intelligence

Answer: C

Hint: Standards associated with national defense are still the responsibility of the DoD and NSA.

13. Which information system security-related Act requires government agencies to perform periodic assessments of risk, develop policies and procedures that are based on risk assessments, conduct security awareness training, perform periodic testing and evaluation of the effectiveness of information security policies, and implement procedures for detecting, reporting, and responding to security incidents?

  A. Computer Security Act (CSA)
  B. Federal Information Security Management Act (FISMA)
  C. Computer Fraud and Abuse Act (CFAA)
  D. Cyber Security Enhancement Act

Answer: B

14. FISMA charged which one of the following entities to develop information system security standards and guidelines for federal agencies?

  A. FBI
  B. DoD
  C. NSA
  D. NIST

Answer: D

15. The general formula for categorization of an information type developed in FIPS Publication 199, "Standards for Security Categorization of Federal Information and Information Systems," is which one of the following?

  A. SC information type = {(confidentiality, risk), (integrity, risk), (availability, risk)}
  B. SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
  C. SC information type = {(assurance, impact), (integrity, impact), (authentication, impact)}
  D. SC information type = {(confidentiality, controls), (integrity, controls), (availability, controls)}

Answer: C

Hint: The other answers are distracters.

16. Circular A-130 directs that an oversight function should be performed consisting of the use of information technology planning reviews, fiscal budget reviews, information collection budget reviews, management reviews, and efficiency of each agency's information resources management and compliance with the Circular. Which one of the following individuals does the Circular designate as being responsible for this oversight function?

  A. The Secretary of Commerce
  B. The Director of the Office of Management and Budget
  C. The U.S. Secretary of Defense
  D. The Director of NSA

Answer: B

17. The National Computer Security Center Publication NCSC-TG-004-88 includes a definition that refers to the characteristic of a system that "performs its intended function in an unimpaired manner, free from deliberate, inadvertent, or unauthorized manipulation of the system." This characteristic defines which one of the following terms?

  A. Data integrity
  B. System integrity
  C. Enterprise integrity
  D. Risk integrity

Answer: B

18. Which one of the following terms best describes a secure telecommunications or associated cryptographic component that is unclassified but governed by a special set of control requirements, as defined in NSTISSI Publication 4009?

  A. Controlled cryptographic item (CCI) assembly
  B. Controlled cryptographic item (CCI) component
  C. Controlled cryptographic item (CCI)
  D. Crypto-ignition key (CIK)

Answer: C

Hint: Answer A refers to a device embodying a communications security (COMSEC) design that NSA has approved as a CCI. Answer B is part of a CCI that does not perform the entire COMSEC function but depends upon the host equipment, or assembly, to complete and operate the COMSEC function. Answer D is a device or electronic key used to unlock the secure mode of crypto-equipment.

19. What is a definable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation and key handling and storage?

  A. COMSEC area
  B. COMSEC compartment
  C. COMSEC partition
  D. COMSEC boundary

Answer: D

Hint: Answers A, B, and C are distracters.

20. What process involves the five steps of identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures?

  A. Operations security
  B. Application security
  C. Administrative security
  D. Management security

Answer: A

Hint: The other answers are distracters.

21. Information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosures is known as:

  A. Protected information (PI)
  B. National security information (NSI)
  C. Personally identifiable information (PII)
  D. Secure information (SI)

Answer: B

Hint: Answers A and D are distracters. Answer C, PII, is usually associated with privacy. An example of PII is a person's health care information.

22. An area that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other is referred to as which one of the following terms?

  A. No-lone zone
  B. Restricted area
  C. Protected occupancy zone
  D. Cleared area

Answer: A

Hint: The other answers are distracters.

23. According to NSTISSI Publication 4009, the process of identifying and applying countermeasures commensurate with the value of the assets protected based on a risk assessment is called:

  A. Vulnerability assessment
  B. Continuity planning
  C. Risk management
  D. Risk control

Answer: C

24. In the context of information systems security, the abbreviation ST&E stands for which one of the following terms?

  A. Security training and evaluation
  B. Security test and evaluation
  C. Security test and engineering
  D. Sensitivity test and evaluation

Answer: B

Hint: The other answers are distracters.

25. Which one of the following designations refers to a product that is a classified or controlled cryptographic item endorsed by the NSA for securing classified and sensitive U.S. government information, when appropriately keyed?

  A. Cleared product
  B. Type 3 product
  C. Type 1 product
  D. Type 2 product

Answer: C

Hint: Answers A and B are distracters. Answer D, a Type 2 product, defines unclassified cryptographic equipment, assemblies, or components endorsed by the NSA for use in national security systems as defined in Title 40 U.S.C. Section 1452.

26. Which one of the following items is NOT one of responsibilities of the Committee on National Security Systems (CNSS) for the security of national security systems?

  A. Providing a forum for the discussion of policy issues
  B. Setting national policy
  C. Providing operational procedures, direction, and guidance
  D. Requiring agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm to information or information systems of government agencies

Answer: D

Hint: This responsibility is assigned to the OMB.

27. FISMA, Title III of the E-Government Act of 2002, reserves the responsibility for standards associated with the national defense establishment to which of the following entities?

  A. DoD and NSA
  B. DoD and CIA
  C. CIA and NSA
  D. CIA and NIST

Answer: A

28. FIPS Publication 199, "Standards for Security Characterization of Federal Information and Information Systems, NIST Pre-Publication Final Draft," December 2003, characterizes three levels of potential impact on organizations or individuals based on the objectives of confidentiality, integrity, and availability. What is the level of impact specified in Publication 199 for the following description of integrity: "The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals"?

  A. High
  B. Moderate
  C. Low
  D. Service

Answer: B

29. Referring to question 28, the following impact description refers to which one of the three security objectives and which corresponding level of impact: "The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals"?

  A. Confidentiality - Low
  B. Availability - Moderate
  C. Availability - Low
  D. Availability - High

Answer: C

30. DoD Directive 8500.1, "Information Assurance (IA)," October 4, 2002, specifies a defense-in-depth that integrates the capabilities of which set of the following entities?

  A. Personnel, operations, and technology
  B. Personnel, research and development, and technology
  C. Operations, resources, and technology
  D. Personnel, operations, and resources

Answer: A