Domain 4 Flashcards

1
Q

Which of the following is NOT a recommended consideration pertaining to application controls?

a) Potential risk
b) End-user opinion
c) Available controls
d) Environment type

A

End-user opinion

2
Q

Which type of environment has everything organized, controlled and performed from one location?

a) Decentralized
b) Distributed
c) Centralized
d) Compartmentalized

A

Centralized

3
Q

Which type of environment has multiple independent locations with little or no communications between the entities?

a) Centralized
b) Decentralized
c) Distributed
d) Compartmentalized

A

Decentralized

4
Q

In the context of Object Oriented Systems, which of the following best describes an object?

a) A function or set of functions accessible only through its Application Program Interfaces (API)
b) A ‘black box’ that receives and sends messages
c) A code module that publishes both its code and data
d) A code subroutine that contains both code and data

A

A ‘black box’ that receives and sends messages

5
Q

Which type of environment has communication and coordination between multiple locations?

a) Distributed
b) Centralized
c) Decentralized
d) Compartmentalized

A

Distributed

6
Q

Which of the following is NOT a mode of operation?

a) System High Mode
b) Compartment Mode
c) System Low Mode
d) Multi-level Secure Mode

A

System Low Mode

7
Q

Which of the following modes is relatively simple and can be implemented with most operating systems?

a) System High Mode
b) Compartment Mode
c) Security Mode
d) Decompartment Mode

A

System High Mode

8
Q

What is the method ActiveX relies on for security?

a) NTLM
b) Symmetrical encryption
c) Digital signatures
d) Sand-boxing

A

Digital signatures

9
Q

What is the main reason to consider security in the change control process?

a) To ensure that changes are securely recorded, tested and documented
b) To ensure that identification, control and configuration audit is performed in a secure manner
c) To ensure that release, archiving and acceptance testing is performed securely
d) To ensure that security mechanisms are not negatively impacted by the proposed changes

A

To ensure that security mechanisms are not negatively impacted by the proposed changes

10
Q

At which critical step in the development process does the project manager expect to see the security risks defined?

a) Design analysis
b) System design specifications
c) Project initiation
d) Installation

A

Project initiation

11
Q

One of the most commonly exploited security vulnerabilities, the buffer overflow, is addressed in which phase of the development process?

a) System design specification
b) Design analysis
c) Operation and maintenance
d) Programming and testing

A

Programming and testing

12
Q

What is the main concern with simply deleting files during the destruction phase of the development process?

a) There is no concern.
b) Deleted data can still be extracted from hard drives.
c) Deleted data still uses up a small portion of the capacity of the hard drive.
d) Eavesdropping

A

Deleted data can still be extracted from hard drives

13
Q

Requiring a biometric fingerprint to enter a server room, followed by a username and password at the system console, followed by a PIN to access the application, best represents which operational control?

a) Least privilege
b) Continuity of operations
c) Layered defense
d) Separation of duties

A

Layered defense

14
Q

Which software development model has unique, discrete, sequential phases?

a) Spiral model
b) Top-down model
c) Waterfall model
d) Bottom-up model

A

Waterfall model

15
Q

Which mode of operation is difficult to implement and cannot be done with most operating systems?

a) Client/Server Mode
b) Compartment Mode
c) System High Mode
d) System Low Mode

A

Compartment Mode

16
Q

Which of the following systems can be thought of as a group of independent units that can be requested to perform certain operations or exhibit specific behaviors?

a) Role-Based System
b) Object-Oriented System
c) Access Control System
d) Rapid Prototyping System

A

Object-Oriented System

17
Q

Which of the following defines an industry standard that enables programs written in different languages and using different platforms and operating systems to interface and communicate?

a) COBRA
b) CORBA
c) BOA
d) DCOM

A

CORBA

18
Q

There are three commonly used application development methodologies. Which of the following are those three methodologies?

a) RAIN, RAD, and RAT
b) Traditional, modern, and hybrid
c) Open source, closed source, and proprietary
d) Waterfall, spiral, and RAD

A

Waterfall, spiral, and RAD

19
Q

What are the characteristics of the Waterfall methodology of application development?

a) The project is divided into sequential stages, each with specific milestones
b) The phases of the project seamlessly flow from one into the next
c) While the project’s overall flow is forward, sub-tasks called eddies are spun off as needed
d) As design specifications evolve the project is able to adjust and flow forward

A

The project is divided into sequential stages, each with specific milestones

20
Q

What is the main factor that drives the spiral model of application development?

a) Risk
b) Cost
c) Performance
d) Availability

A

Risk

21
Q

What is the fundamental characteristic of the Rapid Application Development (RAD) model of application development?

a) Applications are developed that run very fast
b) 75% of all applications are developed this way
c) Applications have 25% more functionality
d) Applications are developed very quickly

A

Applications are developed very quickly

22
Q

What is the basic function of output controls?

a) That output is complete and accurate
b) Protection against unauthorized or accidental output of sensitive data
c) Ensure that only those who are authorized have access to output
d) To maintain audit trails that trace back to the input data

A

Ensure that only those who are authorized have access to output

23
Q

What function does a reference monitor perform?

a) Maintains the referential integrity of sensitive data
b) Monitors all references to sensitive data
c) Implements the Security Kernel
d) Validation of every single access request

A

Validation of every single access request

24
Q

What principle is violated when developers review implementation details?

a) Non-disclosure agreement
b) Confidentiality
c) Separation of duties
d) The principle of least privilege

A

Separation of duties

25
Q

What principle can be described as providing users with the minimum level of privilege required to complete a task?

a) Sand-boxing
b) Fixed function authorization
c) The principle of least privilege
d) Separation of duties

A

The principle of least privilege

26
Q

What term is used to describe a structured approach to documenting and approving changes to systems?

a) Operations management
b) Change control
c) Systems life cycle management
d) Segregation of duties

A

Change control

27
Q

What is the name of the application development model in which you start with the lower-level details, bundle them into higher-level components and finally into a production system?

a) Bottom-up model
b) Object-Oriented model
c) Spiral-up model
d) Component-mode model

A

Bottom-up model

28
Q

What type of software program operates as an agent on behalf of a user or another program?

a) Bots
b) Applets
c) Processes
d) Bytecode

A

Bots

29
Q

What is one of the most useful ways of addressing the Availability requirement of the CIA definition of security?

a) Memorandums of Agreement
b) Software life cycle management
c) Operational integrity procedures
d) Service Level Agreements

A

Service Level Agreements

30
Q

What is it that allows Java to be a cross platform programming language?

a) Java is executed within a virtual sandbox which is processor independent
b) The Java Virtual Machine (JVM) converts the bytecode into machine language for that CPU
c) Java applets are compiled into the bytecode specifically for the requesting processor
d) The Java Virtual Machine (JVM) is compiled in processor independent bytecode

A

The Java Virtual Machine (JVM) converts the bytecode into machine language for that CPU