Practice Exam Flashcards
Which of the following persons is responsible for testing and verifying whether the security policy is properly implemented and whether the derived security solutions are adequate?
A. Data owner
B. Data custodian
C. User
D. Auditor
D. Auditor
Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?
A. Senior Agency Information Security Officer
B. Authorizing Official
C. Common Control Provider
D. Chief Information Officer
C. Common Control Provider
FISMA charges which of the following agencies with the responsibility of overseeing the security policies and practices of all agencies of the executive branch of the Federal government?
A. Office of Management and Budget (OMB)
B. National Institute of Standards and Technology (NIST)
C. National Security Agency (NSA)
D. Department of Justice
A. Office of Management and Budget (OMB)
The British Standard BS7799 was the basis for which of the following standards?
A. ISO/IEC 15408
B. ISO/IEC 17799
C. ICO/ICE 17799
D. Executive Order (E.O.) 13231
B. ISO/IEC 17799
Subsequent to a security breach, which of the following types of control is used with the intention of limiting the extent of damage caused by the incident?
A. Corrective controls
B. Preventive controls
C. Change controls
D. Incident controls
A. Corrective controls
Which role in the security authorization process is responsible for organizational information systems?
A. IS program manager
B. Designated authorizing official
C. Certification agent
D. User representative
B. Designated authorizing official
Which of the following is not a standard phase in the System Authorization Process?
A. Pre-certification
B. Post-authorization
C. Post-certification
D. Certification
C. Post-certification
Which of the following is a standard that sets basic requirements for assessing the effectiveness of the computer security controls built into a computer system?
A. FITSAF
B. TCSEC
C. FIPS
D. SSAA
B. TCSEC
An assessment procedure consists of a set of which of the following, each with an associated set of potential assessment methods and assessment objects?
A. Assessment objectives
B. Security controls
C. Operational requirements
D. Assessment objects
A. Assessment objectives
Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?
A. The data owner implements the information classification scheme after the initial assignment by the custodian.
B. The custodian implements the information classification scheme after the initial assignment by the operations manager.
C. The data custodian implements the information classification scheme after the initial assignment by the data owner.
D. The custodian makes the initial information classification assignments and the operations manager implements the scheme.
C. The data custodian implements the information classification scheme after the initial assignment by the data owner.
NIST SP 800-53A defines three types of interview, depending on the level of assessment conducted. Which of the following NIST SP 800-53A interview types consists of informal and ad hoc interviews?
A. Substantial
B. Abbreviated
C. Comprehensive
D. Significant
B. Abbreviated
Which type of assessment procedure is designed to work with and complement the other assessment procedures, contributing to the grounds for confidence in the effectiveness of the security controls employed in the information system?
A. Extended
B. Subordinate
C. Based
D. Cross control
A. Extended
Under which type of access control does a user ID and password system fall?
A. Physical
B. Administrative
C. Power
D. Technical
D. Technical
Which stakeholder's involvement is required to determine acceptable residual risk, and who also advises the development team if the risks associated with eventual operation of the system appear to be unacceptable?
A. Authorization Official
B. Acceptance Official
C. Accreditation Officer
D. Assessment Officer
B. Acceptance Official