01. During the Implement Systems Security Engineering process, the information systems security engineer provides inputs to C&A process activities (replaced by A&A process activities in NIST 800-37). As part of the A&A process activities, the information systems security engineer provides input to the system-level control assessments.
Findings from a system-level control assessment may necessitate an update to the:
a) System-level risk assessment
b) Organizational risk assessment
c) Marketing strategy
d) None of the above
02. The risk management framework is composed of which of the following steps?
a) Prepare, conduct, select, implement, assess, authorize, monitor
b) Prepare, categorize, select, implement, assess, authorize, dispose
c) Conduct, categorize, select, implement, assess, communicate, monitor
d) Prepare, categorize, select, implement, assess, authorize, monitor
03. Although the primary reason for gathering evidence during an incident is to resolve the incident, it may also be needed for ____________________:
a) System engineering purposes
b) Audit and compliance
c) Legal proceedings
d) All of the above
04. In order to select the security control baseline, the organization must first determine:
a) The sensitivity of information to be processed by the system
b) The sensitivity of information to be stored by the system
c) The color scheme of the user interface
d) None of the above
05. In order for a system to be deemed absolutely trustworthy, it must meet the following criteria:
a) Provides protection sufficient to achieve freedom from those conditions that can cause a loss of assets with unacceptable consequences
b) Defines the context of emergent system properties including, for example, agility, maintainability, reliability, resilience, safety, scalability, and survivability
c) Offers the latest technology interface
d) None of the above
06. The characteristics of an agile project lifecycle include:
a) Dynamic requirements, activities repeated until correct, frequent small deliveries, and speed
b) Dynamic requirements, activities repeated until correct, frequent small deliveries, and customer value via frequent deliveries and feedback
c) Dynamic requirements, activities repeated until correct, frequent small deliveries, and managed cost
d) Dynamic requirements, activities repeated until correct, single delivery, and speed
07. During the Implement Systems Security Engineering process, the information systems security engineer provides inputs to C&A process activities (replaced by A&A process activities in NIST 800-37). As part of the A&A process activities, the information systems security engineer provides input to the authorization package.
The authorization package consists of the:
a) Security plan, plan of action and milestone, and security assessment report
b) Security plan, plan of action and milestone, and security assessment plan
c) Security assessment plan, plan of action and milestone, and security assessment plan
d) Security assessment plan, plan of action and milestone, and security assessment report
08. Least privilege should include only those system elements that are necessary for its ______________.
a) Security
b) Functionality
c) Compliance
d) All of the above
09. The Systems Security Engineer will often be asked to prepare a set of risk responses as a result of the risk management process. What type of risk cannot be accepted, avoided, shared, or transferred?
a) Risk avoidance
b) Risk transfer
c) Risk mitigation
d) Risk acceptance
10. In order to determine the risk-based decision on the level of sanitization, the organization must complete an assessment of:
a) Integrity
b) Confidentiality
c) Availability
d) Innovation