Requirements Pt.2 Flashcards

1
Q

What is the core principle of the OpenSAMM approach?

  • Complete testing of code in a minimal amount of time
  • Deliver tangible gains in software assurance in iterative steps
  • Ensure effective use of previously created modules
  • Reduce errors in the requirements gathering process
A

Deliver tangible gains in software assurance in iterative steps

2
Q

What is PCI-DSS an example of?

  • An internal control matrix
  • An external regulation
  • An industry standard of good practice
  • An international law
A

An industry standard of good practice (PCI DSS is a contractual standard set by the payment card brands through the PCI Security Standards Council; it is not a law or a government regulation)

3
Q

In addition to scope and budget, the term ‘iron triangle’ is often used to describe the problem of changing requirements in relation to which area?

  • Technology
  • Testing
  • Staffing
  • Schedule
A

Schedule

4
Q

Which is the BEST technique to validate whether documented requirements are accurate?

  • Analysis
  • Surveys
  • Management input
  • Observation
A

Observation

5
Q

What is the primary goal of SAFECode?

  • Rapid deployment
  • Product marketing
  • Vendor compliance
  • Software assurance
A

Software assurance (SAFECode is the Software Assurance Forum for Excellence in Code, an industry group that publishes secure development practices)

6
Q

What does the term “Secure State” refer to in regards to data protection?

  • Protecting data whenever it is on public networks
  • Providing access controls and logging to all data
  • Defining appropriate security-related procedures for all data
  • Maintaining compliance with policy at all times during the data lifecycle
A

Maintaining compliance with policy at all times during the data lifecycle

7
Q

What is a requirement for software that is subject to external requirements or regulations?

  • Protect all data from compromise
  • Generate logs and accountability
  • Mandate restricted access
  • Demonstrate compliance
A

Demonstrate compliance

8
Q

What is a risk associated with data privacy?

  • Authorized access
  • Obfuscation of data
  • Aggregation of data
  • Quantity of data
A

Aggregation of data

9
Q

Which of the following standards lists a code of practice for information security management?

  • ISO/IEC 27005
  • ISO/IEC 27002
  • ISO/IEC 27004
  • ISO/IEC 27001
A

ISO/IEC 27002: Code of practice for information security management (27001 states the ISMS requirements, 27004 covers measurement, 27005 covers information security risk management)

10
Q

What is a common problem with many current software development methodologies?

  • Too structured and formal for practical use
  • Inability to adapt to changing requirements
  • Too much about process and not enough about resource utilization
  • Too high level and not enough detail
A

Inability to adapt to changing requirements

11
Q

What risk is associated with conducting an anonymous employee survey?

  • The risk of incorrect or incomplete data
  • The risk of disclosure when dealing with a small population
  • The risk of misuse of data to determine employee productivity
  • The risk of data loss or deletion
A

The risk of disclosure when dealing with a small population

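Cards 8 and 11 turn on the same mechanism: attributes that are harmless on their own (department, site, role) become identifying once results are aggregated across them, and a cell holding one or two respondents discloses those people's answers even though no names were ever collected. The Python below is an added example, not part of the original flashcards; the survey rows are constructed sample data and MIN_CELL is an assumed suppression threshold.

```python
"""Small-population disclosure check for an "anonymous" employee survey.

Added example, not from the original flashcards. SURVEY is constructed
sample data and MIN_CELL is an assumed suppression threshold.
"""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: no names are recorded, but three breakdown attributes
# are kept so that management can see results per group.
SURVEY = [
    {"dept": "Finance", "site": "Leeds", "role": "Manager", "satisfied": True},
    {"dept": "Finance", "site": "Leeds", "role": "Analyst", "satisfied": False},
    {"dept": "Finance", "site": "Leeds", "role": "Analyst", "satisfied": True},
    {"dept": "Finance", "site": "Berlin", "role": "Analyst", "satisfied": True},
    {"dept": "Finance", "site": "Berlin", "role": "Analyst", "satisfied": False},
    {"dept": "Finance", "site": "Berlin", "role": "Manager", "satisfied": True},
    {"dept": "Engineering", "site": "Leeds", "role": "Engineer", "satisfied": True},
    {"dept": "Engineering", "site": "Leeds", "role": "Engineer", "satisfied": True},
    {"dept": "Engineering", "site": "Leeds", "role": "Manager", "satisfied": False},
    {"dept": "Engineering", "site": "Berlin", "role": "Engineer", "satisfied": False},
    {"dept": "Engineering", "site": "Berlin", "role": "Engineer", "satisfied": True},
    {"dept": "Engineering", "site": "Berlin", "role": "Engineer", "satisfied": True},
]
QUASI_IDENTIFIERS = ("dept", "site", "role")
MIN_CELL = 3  # assumption: smallest group whose result may be published


def cell_of(row, keys):
    """The aggregation cell a respondent falls into for a given breakdown."""
    return tuple(row[k] for k in keys)


def cell_counts(rows, keys):
    return Counter(cell_of(r, keys) for r in rows)


def min_cell_size(rows, keys):
    return min(cell_counts(rows, keys).values())


def unsafe_cells(rows, keys, k=MIN_CELL):
    """Cells with fewer than k respondents. A result published for such a
    cell is attributable to one or very few identifiable people."""
    return {cell: n for cell, n in cell_counts(rows, keys).items() if n < k}


def breakdown_report(rows, keys):
    """Smallest cell for every combination of breakdown attributes.

    This is the aggregation risk in one table: each attribute alone gives
    groups of at least three, but crossing all three gives cells of one."""
    return {
        combo: min_cell_size(rows, combo)
        for n in range(1, len(keys) + 1)
        for combo in combinations(keys, n)
    }


def aggregate(rows, keys, k=MIN_CELL):
    """Satisfaction rate per cell, suppressing cells below k instead of
    publishing them (the usual control for the small-population risk)."""
    answers = defaultdict(list)
    for r in rows:
        answers[cell_of(r, keys)].append(r["satisfied"])
    return {
        cell: "suppressed" if len(v) < k else round(sum(v) / len(v), 2)
        for cell, v in answers.items()
    }


if __name__ == "__main__":
    for combo, size in breakdown_report(SURVEY, QUASI_IDENTIFIERS).items():
        print(f"{'+'.join(combo):<18} smallest cell = {size}")
    for cell, rate in aggregate(SURVEY, QUASI_IDENTIFIERS).items():
        print(cell, rate)
```

Run stand-alone, the breakdown report shows every single attribute with a smallest cell of 3 or more, while dept+site+role drops to 1: the single Engineering manager in Leeds would have their "not satisfied" answer published under their own cell unless it is suppressed.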
12
Q

Which of the following organizations assists the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies?

  • OMB
  • NIST
  • NSA/CSS
  • DCAA
A

OMB (the Office of Management and Budget; NIST publishes standards and guidance, it does not oversee the federal budget)

13
Q

Which of the following individuals inspects whether the security policies, standards, guidelines, and procedures are efficiently performed in accordance with the company’s stated security objectives?

  • Information system security professional
  • Data owner
  • Senior management
  • Information system auditor
A

Information system auditor (the security professional implements controls and senior management sets the objectives; independent inspection of whether policies, standards, guidelines and procedures are being followed is the auditor's role)

14
Q

Why would a developer need to know about OWASP?

  • To avoid creating software with known vulnerabilities
  • To use cryptographic algorithms effectively
  • To speed up requirements development
  • To ensure better architectural design
A

To avoid creating software with known vulnerabilities

15
Q

Which document is used to track all requirements in one central place?

  • Configuration Management Database (CMDB)
  • Requirements Tracking System (RTS)
  • Requirements Traceability Matrix (RTM)
  • Change Control Board (CCB)
A

Requirements Traceability Matrix (RTM)

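An RTM earns its place by answering the questions the cards above raise: which requirements (card 15) have no design or no test behind them, which tests belong to no requirement, what evidence exists that an externally imposed requirement is met (card 7), and what has to be re-verified when something changes (card 3). The Python below is an added example, not part of the original flashcards; the requirement IDs, design elements, test IDs and results are constructed sample data.

```python
"""Requirements Traceability Matrix (RTM) consistency checks.

Added example, not from the original flashcards. The requirement IDs,
design elements, test IDs and results below are constructed sample data.
"""

# Constructed RTM: each requirement traces forward to the design elements
# that implement it and the tests that verify it.
RTM = {
    "SR-01": {
        "text": "Passwords are stored with a salted, adaptive hash",
        "source": "internal security policy",
        "design": ["AuthService.hash_password"],
        "tests": ["T-101"],
    },
    "SR-02": {
        "text": "Sessions expire after 15 minutes idle",
        "source": "internal security policy",
        "design": ["SessionStore"],
        "tests": ["T-102", "T-103"],
    },
    "SR-03": {
        "text": "All administrative actions are written to the audit log",
        "source": "PCI DSS (external)",
        "design": ["AuditLogger"],
        "tests": [],
    },
    "SR-04": {
        "text": "Stored cardholder data is encrypted at rest",
        "source": "PCI DSS (external)",
        "design": [],
        "tests": ["T-104"],
    },
}

# Constructed results from the latest test run.
TEST_RESULTS = {"T-101": "pass", "T-102": "pass", "T-103": "fail",
                "T-104": "pass", "T-105": "pass"}


def untested_requirements(rtm):
    """Forward gap: requirements that no test verifies."""
    return sorted(r for r, row in rtm.items() if not row["tests"])


def undesigned_requirements(rtm):
    """Forward gap: requirements that no design element claims to implement."""
    return sorted(r for r, row in rtm.items() if not row["design"])


def orphan_tests(rtm, results):
    """Backward gap: tests that trace to no requirement, which usually means
    an undocumented requirement or a test that verifies nothing needed."""
    traced = {t for row in rtm.values() for t in row["tests"]}
    return sorted(t for t in results if t not in traced)


def verification_status(rtm, results):
    """Per-requirement status: verified only if every traced test passed."""
    status = {}
    for r, row in rtm.items():
        outcomes = [results.get(t) for t in row["tests"]]
        if not outcomes:
            status[r] = "untested"
        elif all(o == "pass" for o in outcomes):
            status[r] = "verified"
        elif "fail" in outcomes:
            status[r] = "failing"
        else:
            status[r] = "not run"
    return status


def compliance_evidence(rtm, results, source):
    """Verification status restricted to requirements from one external
    source: the list an assessor asks for when you must demonstrate compliance."""
    status = verification_status(rtm, results)
    return {r: status[r] for r, row in rtm.items() if row["source"] == source}


def impact_of_change(rtm, design_element):
    """When a design element changes, which requirements and tests must be
    revisited. Traceability is what keeps requirement churn from becoming
    guesswork about what to re-test."""
    reqs = sorted(r for r, row in rtm.items() if design_element in row["design"])
    tests = sorted({t for r in reqs for t in rtm[r]["tests"]})
    return {"requirements": reqs, "tests": tests}


if __name__ == "__main__":
    print("untested:", untested_requirements(RTM))
    print("undesigned:", undesigned_requirements(RTM))
    print("orphan tests:", orphan_tests(RTM, TEST_RESULTS))
    print("status:", verification_status(RTM, TEST_RESULTS))
    print("PCI DSS evidence:", compliance_evidence(RTM, TEST_RESULTS, "PCI DSS (external)"))
    print("SessionStore change affects:", impact_of_change(RTM, "SessionStore"))
```

The two PCI DSS requirements illustrate why "demonstrate compliance" is a requirement in its own right: SR-04 has a passing test but no design element claiming it, and SR-03 has a design element but no test, so neither could be shown to an assessor as verified end to end.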
16
Q

Which of the following are the tasks performed by the owner in the information classification schemes? Each correct answer represents a part of the solution. Choose three.

  • To make original determination to decide what level of classification the information requires, which is based on the business requirements for the safety of the data
  • To review the classification assignments from time to time and make alterations as the business requirements alter
  • To perform data restoration from the backups whenever required
  • To delegate the responsibility of the data safeguard duties to the custodian
A
  • To make original determination to decide what level of classification the information requires, which is based on the business requirements for the safety of the data
  • To review the classification assignments from time to time and make alterations as the business requirements alter
  • To delegate the responsibility of the data safeguard duties to the custodian
17
Q

ISO 27003 is an information security standard published by ISO and IEC. Which of the following elements does this standard contain? Each correct answer represents a complete solution. Choose all that apply.

  • Inter-Organisation Co-operation
  • Information Security Risk Treatment
  • CSFs (Critical Success Factors)
  • System requirements for certification bodies
  • Terms & Definitions
  • Guidance on process approach
A
  • CSFs (Critical Success Factors)
  • Guidance on process approach
  • Terms & Definitions

Information Security Risk Treatment belongs to ISO/IEC 27005 (risk management) and requirements for certification bodies belong to ISO/IEC 27006, so neither is part of 27003 (ISMS implementation guidance).

NOTE: Going to need to be aware at a high-ish level of the different security standards

18
Q

Which of the following describes the acceptable amount of data loss measured in time?

  • Recovery Point Objective (RPO)
  • Recovery Time Objective (RTO)
  • Recovery Consistency Objective (RCO)
  • Recovery Time Actual (RTA)
A

Recovery Point Objective (RPO): the maximum tolerable data loss expressed as time, i.e. how far back the last usable backup may be. RTO is the maximum tolerable time to restore the service itself.

19
Q

Which of the following are the responsibilities of a custodian with regard to data in an information classification program? Each correct answer represents a complete solution. Choose three.

  • Performing data restoration from the backups when necessary
  • Running regular backups and routinely testing the validity of the backup data
  • Determining what level of classification the information requires
  • Controlling access, adding and removing privileges for individual users
A
  • Performing data restoration from the backups when necessary
  • Running regular backups and routinely testing the validity of the backup data
  • Controlling access, adding and removing privileges for individual users