CISSP-ISSEP - Information Systems Security Engineering Professional
You work as a security engineer for BlueWell Inc. Which of the following documents will you use as a guide for the security certification and accreditation of Federal Information Systems?
NIST Special Publication 800-37
Which of the following memorandums reminds the departments and agencies of the OMB principles for including and funding security as an element of agency information technology systems and architectures, and of the decision criteria that are used to evaluate security for information systems investments?
Which of the following individuals reviews and approves project deliverables from a QA perspective?
Quality assurance manager
Which of the following certification levels requires the completion of the minimum security checklist and more in-depth, independent analysis?
Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?
Definition, Verification, Validation, and Post Accreditation
DoD 8500.2 establishes IA controls for information systems according to the Mission Assurance Categories (MAC) and confidentiality levels. Which of the following MAC levels requires high integrity and medium availability?
Which of the following are the most important tasks of the Information Management Plan (IMP)? Each correct answer represents a complete solution. Choose all that apply.
Define the Information Protection Policy (IPP).
Define the mission need.
Identify how the organization manages its information.
Which of the following NIST documents states that minimizing negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems?
NIST SP 800-30
Lisa is the project manager of the SQL project for her company. She has completed the risk response planning with her project team and is now ready to update the risk register to reflect the risk responses. Which of the following statements best describes the level of detail Lisa should include with the risk responses she has created?
The level of detail should correspond with the priority ranking.
Which of the following acts promote a risk-based policy for cost-effective security? Each correct answer represents a part of the solution. Choose all that apply.
Paperwork Reduction Act (PRA)
Which of the following are ways of sending secure e-mail messages over the Internet? Each correct answer represents a complete solution. Choose two.
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of policies? Each correct answer represents a complete solution. Choose all that apply.
Which of the following categories of system specification describes the technical, performance, operational, maintenance, and support characteristics for the entire system?
Which of the following phases of the NIST SP 800-37 C&A methodology examines the residual risk for acceptability and prepares the final security accreditation package?
You work as an ISSE for BlueWell Inc. You want to break down user roles, processes, and information until ambiguity is reduced to a satisfactory degree. Which of the following tools will help you to perform the above task?
Information Management Model (IMM)
Which of the following Security Control Assessment Tasks evaluates the operational, technical, and management security controls of the information system using the techniques and measures selected or developed?
Security Control Assessment Task 3
Which of the following tools requires involvement by upper executives in order to integrate quality into the business system and avoid delegation of quality functions to junior administrators?
Which of the following are functional analysis and allocation tools? Each correct answer represents a complete solution. Choose all that apply.
Functional flow block diagram (FFBD)
Timeline analysis diagram
Functional hierarchy diagram
Which of the following elements of Registration Task 4 defines the operating system, database management system, and software applications, and how they will be used?
Which of the following protocols is built into the Web server and browser to encrypt data traveling over the Internet?
Which of the following Net-Centric Data Strategy goals are required to increase enterprise and community data over private user and system data? Each correct answer represents a complete solution. Choose all that apply.
Which of the following responsibilities are executed by the federal program manager?
Ensure justification of expenditures and investment in systems engineering activities.
Coordinate activities to obtain funding.
Review and approve project plans.
Which of the following Registration Tasks sets up the system architecture description and describes the C&A boundary?
Registration Task 4
Which of the following types of cryptography defined by FIPS 185 describes a cryptographic algorithm or a tool accepted by the National Security Agency for protecting classified information?
Type I cryptography
Which of the following is a 1996 United States federal law designed to improve the way the federal government acquires, uses, and disposes of information technology?
TQM recognizes that the quality of all the processes within an organization contributes to the quality of the product. Which of the following are the most important activities in Total Quality Management? Each correct answer represents a complete solution. Choose all that apply.
Maintenance of quality
Which of the following DoD directives defines DITSCAP as the standard C&A process for the Department of Defense?
Which of the following protocols is used to establish a secure terminal session to a remote network device?
Which of the following acts assigns the Chief Information Officers (CIO) the responsibility to develop Information Technology Architectures (ITAs) and is also referred to as the Information Technology Management Reform Act (ITMRA)?
Clinger Cohen Act
Which of the following cooperative programs carried out by NIST conducts research to advance the nation's technology infrastructure?
Which of the following documents is described in the statement below? It is developed along with all processes of risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning.
Which of the following organizations is a USG initiative designed to meet the security testing, evaluation, and assessment needs of both information technology (IT) producers and consumers?
Which of the following Registration Tasks notifies the DAA, Certifier, and User Representative that the system requires C&A support?
Registration Task 2
Which of the following acts is intended to provide a clear statement of the proscribed activity concerning computers to the law enforcement community, those who own and operate computers, and those tempted to commit crimes by unauthorized access to computers?
Computer Fraud and Abuse Act
The DoD 8500 policy series represents the Department's information assurance strategy. Which of the following objectives are defined by the DoD 8500 series? Each correct answer represents a complete solution. Choose all that apply.
Providing command and control and situational awareness
Which of the following DoD policies establishes IA controls for information systems according to the Mission Assurance Categories (MAC) and confidentiality levels?
DoD 8500.2 Information Assurance Implementation
Which of the following documents contains the threats to information management, and the security services and controls required to counter those threats?
Information Protection Policy (IPP)
Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.
Assessment of the Analysis Results
Configuring refinement of the SSAA
Which of the following techniques are used after a security breach and are intended to limit the extent of any damage caused by the incident?
The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation? Each correct answer represents a complete solution. Choose all that apply.
Which of the following acts recognizes the importance of information security to the economic and national security interests of the United States?
Which of the following sections of the SEMP template defines the project constraints, including constraints on funding, personnel, facilities, manufacturing capability and capacity, critical resources, and other constraints?
The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. Which of the following participants are required in a NIACAP security assessment? Each correct answer represents a part of the solution. Choose all that apply.
Designated Approving Authority
IS program manager
Which of the following federal laws establishes roles and responsibilities for information security, risk management, testing, and training, and authorizes NIST and NSA to provide guidance for security planning and implementation?
Government Information Security Reform Act (GISRA)
Which of the following processes culminates in an agreement between key players that a system in its current configuration and operation provides adequate protection controls?
Certification and accreditation (C&A)
Under which of the following CNSS policies is NIACAP mandatory for all systems that process USG classified information?
NSTISSP No. 6
In which of the following phases of the interconnection life cycle, as defined by NIST SP 800-47, do the participating organizations perform the following tasks? Perform preliminary activities. Examine all relevant technical, security, and administrative issues. Form an agreement governing the management, operation, and use of the interconnection.
Planning the interconnection
Which of the following is NOT used in the practice of Information Assurance (IA) to define assurance requirements?
Communications Management Plan
Which of the following departments protects and supports DoD information, information systems, and information networks that are critical to the Department and the armed forces during day-to-day operations and in time of crisis?
Which of the following assessment methodologies defines a six-step technical security evaluation?