Requirements Pt.1 Flashcards

1
Q

Which term is used to describe the minimum acceptable configuration for a system or component?

  • Guideline
  • Policy
  • Baseline
  • Procedure
A

Baseline

2
Q

What is the primary purpose of doing data classification?

  • To protect against legal liability for a breach
  • To ensure the secure operation of systems by users
  • To protect sensitive data from disclosure
  • To ensure that all data is protected appropriately
A

To ensure that all data is protected appropriately

3
Q

What is a common mistake made in requirements gathering?

  • To overstate skill of developers
  • To focus on use and not security
  • To fix requirements so that they cannot be changed
  • To underestimate time for testing
A

To focus on use and not security

4
Q

What two terms are commonly used to classify data?

  • Age and usefulness
  • Archival and creation
  • Impact and likelihood
  • Sensitivity and criticality
A

Sensitivity and criticality

5
Q

Which document is used to track all requirements in one central place?

  • Configuration Management Database (CMDB)
  • Requirements Tracking System (RTS)
  • Requirements Traceability Matrix (RTM)
  • Change Control Board (CCB)
A

Requirements Traceability Matrix (RTM)

6
Q

What does “protection of IP” refer to?

  • Trade secrets
  • Intelligence policy
  • Improvement processes
  • Internet procedures
A

Trade secrets

7
Q

What can help ensure that requirements are gathered correctly?

  • To develop a customized solution for each software project
  • To interview managers and system architects
  • To follow external standards and regulations
  • To seek to discover business needs
A

To seek to discover business needs

8
Q

What is a characteristic of a “good” overarching security policy?

  • Complex/detailed
  • Technical
  • Comprehensive
  • Understandable
A

Understandable

9
Q

What is the main purpose of gathering security requirements?

  • To develop a control framework
  • To develop software that meets business requirements
  • To ensure development of a comprehensive test plan
  • To ensure adequate budget and management support
A

To develop a control framework

10
Q

What forms of data must be protected during the data lifecycle?

  • Unclassified
  • Public
  • Deleted
  • Paper
A

Paper

WTF does that even mean

11
Q

Which term is used to describe the way a new user is registered on the system in a consistent manner?

  • Standard
  • Baseline
  • Recommendation
  • Procedure
A

Procedure

12
Q

What does the term “Big Data” often refer to?

  • Reporting on external data compliance
  • Analysis of unstructured data
  • Protection of highly sensitive data
  • Massive storage of archived data
A

Analysis of unstructured data

13
Q

What is a common problem with software requirements?

  • Inflexible to changing business requirements
  • Too technical and product-oriented
  • Focused on both long and short term needs
  • Insufficient detail and depth
A

Inflexible to changing business requirements

14
Q

In addition to a recognition of a security requirement, what other effect may a policy have on the organization?

  • Additional regulations
  • Increased liability
  • Prioritization of threats
  • Ignorance of risk
A

Increased liability

Policy is an admission of knowledge of actions to be taken… was action taken?

15
Q

What is the responsibility of the data or information owner?

  • To monitor and audit for data usage and compliance
  • To limit access to authorized users of a specific system
  • To ensure protection of sensitive data on all systems or procedures
  • To follow data access procedures mandated by the system owner
A

To ensure protection of sensitive data on all systems or procedures

16
Q

What is a concern with the long term archiving of electronic data?

  • Size of storage buildings required
  • Lack of replication
  • Network connectivity
  • Age of storage media
A

Age of storage media

17
Q

What is a common method of hiding sensitive data in a database that is accessed by an application?

  • View-based access control
  • Multiple paths to information
  • Logging of all access
  • Constrained User Interface
A

View-based access control

18
Q

What term is used to describe the process of sanitizing production data from improper disclosure?

  • Anonymization
  • Logging
  • Inference
  • Deletion
A

Anonymization

19
Q

Information security is usually considered which type of requirement?

  • Managerial
  • Preventive
  • Non-functional
  • Environmental
A

Non-functional

20
Q

Which of the following are the common roles with regard to data in an information classification program? Each correct answer represents a complete solution. Choose all that apply.

  • Editor
  • Custodian
  • Owner
  • User
  • Security auditor
A

Custodian, Owner, User, Security auditor

  • Owner: Determines what level of classification the information requires. Reviews the classification assignments at regular intervals and makes changes as business needs change. Delegates the data protection duties to the custodian.
  • Custodian: Runs regular backups and routinely tests the validity of the backup data. Performs data restoration from the backups when necessary. Controls access by adding and removing privileges for individual users.
  • User: Must comply with the requirements laid out in policies and procedures.
  • Security auditor: Examines an organization’s security procedures and mechanisms.
21
Q

A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well designed policy? Each correct answer represents a part of the solution. Choose all that apply.

  • What is being secured?
  • Where is the vulnerability, threat, or risk?
  • Who is expected to exploit the vulnerability?
  • Who is expected to comply with the policy?
A

  • What is being secured?
  • Where is the vulnerability, threat, or risk?
  • Who is expected to comply with the policy?
22
Q

Which is the BEST technique to validate whether documented requirements are accurate?

  • Observation
  • Management input
  • Surveys
  • Analysis
A

Observation