Thor Flashcards

1
Q

Privacy by Design

A
  1. Proactive not reactive
  2. As default setting
  3. Embedded into design
  4. End-to-end security
  5. High priority
2
Q

ransomware attack

A

Contact Legal department

3
Q

trademark

A

It is important to first conduct a trademark search. This is a critical step to ensure that the trademark you are planning to use is not already registered or in use by another company.

4
Q

What is the primary role of the confidentiality principle in information security

A

to prevent unauthorized disclosure of sensitive information

5
Q

What is a common method for calculating the financial impact of a security breach on an organization?

A

Annual loss expectancy (ALE) is a commonly used method for calculating the financial impact of a security breach on an organization.

6
Q

What is the primary difference between a vulnerability and an exploit?

A

A vulnerability is a weakness in a system, while an exploit is an intentional attack on that weakness.

7
Q

PII

A

Address is PII, but UserId isn't.

8
Q

What is the most appropriate method to ensure data on the SSDs is completely unrecoverable?

A

The ATA Secure Erase command is designed specifically for the effective deletion of all data on SSDs.

9
Q

Which of the following is the MOST effective method for de-identifying personal data?

A

Redacting data: not the most effective method of de-identifying personal data, as it can still leave other potentially identifying information intact.

Statistical techniques are considered to be the most effective methods for de-identifying personal data. Techniques can include noise addition, permutation, data swapping, and more complex methods like differential privacy.

10
Q

What type of security policy would be MOST effective for protecting sensitive data in a cloud environment?

A

data classification policy

11
Q

Which of these types of data destruction would we use to ensure there is no data remanence on our PROM, flash memory, and SSD drives?

A

Incinerating

12
Q

Classification levels

A

CPSP

Confidential
Private
Sensitive
Public

Top secret
Secret
Confidential
Unclassified

13
Q

Which of the following is the FIRST principle that should be considered when assessing and implementing secure design principles in network architectures?

A

Least privilege

14
Q

Which of the following is the most important aspect of a cloud-native security strategy?

  • Regularly performing security assessments and vulnerability scans of the cloud infrastructure
  • Deploying security tools and technologies that are specifically designed for use in the cloud
  • Ensuring that data is encrypted at rest and in transit
  • Implementing strong passwords and multi-factor authentication for all cloud accounts
A

Deploying security tools and technologies that are specifically designed for use in the cloud

15
Q

What is the MOST important step in the cryptography process?

A

Establishing trust between the sender and recipient: This step is incredibly important. It involves verifying the identities of the parties (authentication) and ensuring that they can be trusted.

16
Q

Which of the following best describes the Graham-Denning model?

A

The Graham-Denning model is a framework for identifying and selecting appropriate security controls for an organization

17
Q

Chinese wall model

A

Brewer and Nash model

18
Q

Which of the following is the MOST effective method to prevent Spectre attacks?

A

Updating operating systems: Spectre is a hardware vulnerability that affects microprocessors that perform branch prediction.

This is because Spectre is a hardware vulnerability that exploits the speculative execution feature of microprocessors

19
Q

Distance-Vector vs Link-State

A

Distance-vector: based on the distance and a vector (number of hops)

Link-state: build a topology database of the network

Link state routing protocols can assess the network’s state more holistically, taking into account factors like bandwidth and latency, rather than simply counting hops as distance vector protocols do.

20
Q

Our networking department is recommending we use a baseband solution for an implementation. Which of these is a KEY FEATURE of those?

A

Baseband communication refers to a communication method in which data is sent over a single, dedicated line. This means that only one signal is transmitted at a time, with the entire bandwidth of the network cable being utilized. This differs from broadband communication, which allows multiple signals to be transmitted simultaneously by dividing the bandwidth into multiple channels.

21
Q

What is a broadcast domain?

A

A broadcast domain is a logical division of a computer network, in which all nodes can reach each other by broadcast at the data link layer.

In simpler terms, a broadcast domain is a network segment where data is sent to every device in the network.

22
Q

What is the primary purpose of a DMZ (Demilitarized Zone)?

A

to act as a buffer zone between the untrusted outside world (like the internet) and the trusted internal network (like a private corporate network).

23
Q

Which of the following is NOT a common use case for DNP3 (Distributed Network Protocol 3) in cyber security?

A

Video surveillance, on the other hand, typically uses other protocols and technologies for transmission of video data over IP networks. The protocol that is often used is the Real Time Streaming Protocol (RTSP) rather than DNP3.

24
Q

Which of the following is the MOST likely definition of Data Terminal Equipment (DTE)?

A

Data Terminal Equipment (DTE) refers to any device or equipment that is used to transmit and receive data over a network.

25
Q

Which of the following is the BEST method for detecting errors in data transmission?

A

cyclic redundancy check (CRC)

While hash functions can be used to check the integrity of data, they are not typically used for detecting transmission errors.

26
Q

One of our clients has asked us to review their wireless network security and make recommendations for improving authentication. What protocol is often used in wireless networks to authenticate users before granting access to network resources?

A

RADIUS (Remote Authentication Dial-In User Service) is a protocol that is often used in wireless networks to authenticate users before granting them access to network resources. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the device to deliver service to the user.

27
Q

Which of the following is the MOST complex component of L2TP (Layer 2 Tunneling Protocol)?

A

Tunnel management is the process of establishing, maintaining, and terminating L2TP tunnels, which involves negotiation between the L2TP client and server, as well as handling any errors or issues that may arise during the tunnel’s lifetime.

Encapsulation is the process of wrapping data in a protocol-specific format to be transmitted over a network, which is a relatively straightforward process in L2TP.

28
Q

What is the layer of the OSI model that is responsible for providing services to the application layer, such as data formatting and error checking?

A

The transport layer is responsible for providing services to the application layer, such as data formatting and error checking. This layer ensures that the whole message arrives intact and in order, overseeing both error correction and flow control.

29
Q

In our identity and access management, we are talking about the IAAA model. Which of these is NOT one of the A’s of that model?

A

Availability

Identity, Authentication, Authorization, and Accountability/Auditing

30
Q

Which access control model would be most effective in improving control over data access and managing user privileges, given the regulatory context and the need for stringent access controls?

A

Mandatory Access Control (MAC) is designed for environments that require high security and strict control over data access

Discretionary Access Control (DAC) can provide flexibility, but it can also lead to inconsistencies and potential security risks if not properly managed.

31
Q

Which of the following metrics is the BEST indicator of the accuracy of a biometric system?

A

Equal Error Rate (EER)

Crossover Error Rate (CER)

32
Q

Which of the following is the MOST important factor to consider when analyzing network device log files for security incidents?

A

The source of the logs provides information about where the potential security incident originated, which is critical for identifying and mitigating threats. Understanding the source can help security analysts trace back the attacker’s steps and uncover vulnerabilities in the network.

33
Q

Which of the following is the PRIMARY indicator that a company has met the requirements of a SOC 2 audit?

A

Establishing appropriate controls for security and availability: The SOC 2 (System and Organization Controls) audit is a type of audit designed to assess a service organization’s systems in terms of their security, availability, processing integrity, confidentiality, and privacy. The primary focus of a SOC 2 audit is on the organization’s non-financial reporting controls as they relate to the security and availability of a system. The primary indicator that a company has met the requirements of a SOC 2 audit is its establishment of appropriate controls for security and availability.

Regular risk assessments alone do not indicate that a company has met all the requirements of a SOC 2 audit. The audit examines how well an organization has established and is operating controls in numerous areas, not just its ability to identify and assess risk.

34
Q

Question 120: Incorrect
In order to ensure the safety of ThorTeaches.com’s sensitive data, it is crucial to identify any potential vulnerabilities or threats in the system. Which of the following is a method of identifying potential vulnerabilities and threats in a system?

  • Risk Assessment
  • Security audit
A

Security audits are one of the most effective methods to identify potential vulnerabilities and threats in a system. A security audit is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria.

A risk assessment is a method for identifying potential risks that could harm an organization. While it can help identify threats and vulnerabilities as part of the larger process, its main focus is to assess the potential impact of risks, their likelihood, and helps to prioritize risks based on these factors, rather than specifically identifying vulnerabilities and threats in a system.

35
Q

Which of the following is the MOST common type of investigation?

A

Criminal

36
Q

Which of the following is the LEAST common type of cybercrime?

A

Ransomware

37
Q

As part of our disaster recovery response, we are paying a provider to keep a copy of our servers and data. The servers are to remain down always, with the exception of patches and database syncs and are only to be spun up if we have a disaster. What would this be called?

A

subscription site

38
Q

Question 101: Incorrect
Which of the following is the PRIMARY indicator used in User Entity and Behavior Analytics (UEBA) to detect anomalies in user behavior?

A

Most frequently accessed data: UEBA (User and Entity Behavior Analytics) is a cybersecurity process that takes note of the normal conduct of users and then detects any anomalous behavior or instances when they deviate from these patterns

39
Q

If we are looking for information on a specific system’s hardware, which of our plans could we find that in?

A

Technical Environment Document

40
Q

Database transactions require atomicity, consistency, isolation, and durability, also referred to as the ACID model. What is atomicity focused on?

A

Atomicity in the ACID model of database transactions refers to the ‘all or nothing’ principle.

41
Q

code of ethics

A
  1. protect society, the common good, necessary public trust and confidence, and the infrastructure
  2. act honorably, honestly, justly, responsibly, and legally
  3. provide diligent and competent service to principals
  4. advance and protect the profession.
42
Q

Ransomware and Malware affect which of the following principles of security the most respectively?

A

Availability and Integrity

43
Q

Your organization has hired a new Security Architect who has experience with products from a particular vendor and is therefore inclined to use their suite of products. She suggests your team replaces the existing tools with the products of her chosen vendor. What is the primary concept missing from this action?

  1. Risk Assessment
  2. Due Diligence
  3. Due care
  4. Strategic Alignment
A

4

44
Q

Data Leakage is the primary cause of concern for which of the following organizational processes?

  1. Acquisitions
  2. Divestitures
  3. Change control
  4. Governance
A

4

45
Q

The Stuxnet (2010) Advance Persistent Threat (APT) impacted specialized hardware equipment and included many zero-day attacks. What is the best way to safeguard organizations against such attacks?

  1. Define security policies that ensure defense in depth
  2. Deploy IPS/IDS, firewalls with strict ingress/ egress rules
  3. Classify the organization’s infrastructure and apply appropriate safeguards based on criticality
  4. Perform risk management and define safeguards accordingly
A

1

46
Q

Which law requires banks to share privacy notices with their customers in written form.

A

GLBA

47
Q

Your organization, a health service provider, has acquired a new health-based Cloud Product that registers users and collects their Personally Identifiable Information (PII). What is the first step you as a Cybersecurity Expert will do to analyze the Privacy Requirements of the new product?

A

The first step to evaluating the privacy requirements of any product will be to identify, evaluate, and document the data collected by that product. Once you know what data has been collected from the user, you can identify what data is relevant and ensure you are only collecting that which is necessary

48
Q

An employee is drafting a document that will provide detailed information on how a security system in the company will be implemented. Which document is being prepared?

  1. Guideline
  2. Policy
  3. Procedure
  4. Baseline
A

Procedure

49
Q

What is the best way to safeguard your organization against the use of external storage devices by employees/business partners who have access to the organizational resources?

  1. Install Intrusion Detection/Prevention Software
  2. Disable the USB Ports on all the machines
  3. Install third party tools which detect and block the use of external storage devices
  4. Define Security Policy, standards, procedures, and guidelines against the use of external devices
A

4

50
Q

Based on a recent incident, you found that the Recovery Time Objective (RTO) of a critical server crossed the determined Maximum Tolerable Downtime (MTD). Which is the best way to reduce the RTO and bring it within the agreeable limits?

Incremental Backups
Differential Backups
High Availability
Fault Tolerance

A

High Availability

51
Q

Which of the following Security Control Models defines Separation of Duties?

A

Clark Wilson

52
Q

Which of the following layers is NOT a part of the application layer in the TCP/IP Model as compared to the described OSI Layers?

  • Application
  • Presentation
  • Network
  • Session
A

Presentation

53
Q

Which of the following OSI layers add trailers to the received payload? Select all answers that apply.

A

Data Link & Physical

54
Q

Your organization wants to adopt IPv6. Given that not all your organization’s existing network equipment currently supports it, which of the following options is FALSE with respect to the adoption of IPv6 (Internet Protocol)?

  • IPv6 uses 128 bits addressing
  • IPv6 and IPv4 can co-exist on the same network
  • With IPv6, Domain Name Service (DNS) is no longer required
  • With IPv6, Network Address Translation (NAT) is no longer required
A

3

55
Q

Faraday cage

A

A Faraday cage is an enclosure that prevents electromagnetic radiation from entering or exiting the enclosed area. This will prevent the Wi-Fi signal from exiting the room and isolate it within the coffee shop.

56
Q

Bluejacking
Bluesmacking
Bluesnarfing
Bluebugging

A

Bluejacking, the attacker sends an unsolicited message to the target device using a Bluetooth connection.

Bluesmacking is a Denial of Service (DoS) attack on the target device.

Bluesnarfing is a network attack where the attacker connects to the target device using Bluetooth and gains access to confidential data like email or photos.

Bluebugging allows an attacker to take remote control of your device over a Bluetooth connection.

57
Q

An Internet Service Provider (ISP) has branch offices in different regions connected to its head office. The branches function as independent Autonomous Systems (ASs) and connect to the head office through the internet. Each branch has its own Autonomous System Number (ASN) and serves customers in the respective regions. Which of the following is the MOST LIKELY protocol demonstrated in the scenario?

Routing Information Protocol (RIP)
Border Gateway Protocol (BGP)
Internetwork Packet Exchange (IPX)
Open Shortest Path First (OSPF)

A

BGP is a path vector routing protocol that connects separate Autonomous Systems (ASs) of service providers and is the most scalable routing protocol.

Option 1 is incorrect because RIP is a routing protocol that uses the hop count to determine the best path to a remote network. Though it works well in interior networks, it does not work in interconnect exterior networks such as different ASs.

Option 3 is incorrect as IPX is a non-IP network and routed protocol used in telephony systems but not to connect ASs.

Option 4 is incorrect because OSPF is a link-state routing protocol used to connect interior networks within an enterprise but not ASs.

58
Q

FRR vs Sensitivity

A

Increase sensitivity and FRR increases

59
Q

In the Kerberos Authentication mechanism, the Key Distribution Center (KDC) requires all accounts to use pre-authentication. Pre-authentication is used to restrict which of the following attacks?

A

Password guessing

60
Q

Thor is referring to various standards to list security controls that may be used in the application that is under development. Which is the LEAST likely publication Thor can use?

ISO 27002
NIST SP 800-53A
COBIT 2019
NIST SP 800-53

A

COBIT does not contain a prescriptive list of security controls; it is used to assess the design and effectiveness of whatever controls have been implemented to reach the security objectives. The best two sources are ISO 27002 (ISMS Code of Practice) and NIST SP 800-53 (Appendix I - Recommended Security Controls). NIST SP 800-53A (Security and Privacy Controls) is also useful.

61
Q

Question 71: Incorrect
Beth is building a new application and she wants to implement the Clark-Wilson model of security. What is the BEST way to achieve this?

Provide a drop-down menu showing all possible subcommands.
Ensure users cannot read down to a classification below their security clearance level.
Ensure users cannot write down to a classification below their clearance level.
Provide a constrained interface, so that commands are shown but dimmed if the user does not have sufficient privileges.

A

Clark-Wilson focuses on integrity.

  • separation of duty
  • The principle of well-formed transaction is defined as a transaction where the user is unable to manipulate data arbitrarily, but only in constrained (limited or bounded) ways that preserve or ensure the integrity of the data. A security system in which transactions are well-formed

The purpose of a constrained interface is to limit or restrict the actions according to the user’s privileges. The use of such an interface is a practical implementation of the Clark-Wilson model of separation of duty. A drop-down menu with all possible subcommands is a restricted interface but does not limit the actions according to the user’s privileges. Ensuring users cannot read down is the Biba model of integrity. Ensuring users cannot write down is the Bell-LaPadula model of confidentiality.

62
Q

Ping of Deaths

Smurf

Fraggle

ICMP

Land attack

A

Ping of Death: Oversized packets

Smurf: ICMP Echo Request

Fraggle: UDP

ICMP: Alter route table

Land attack: source and destination set to the same address, TCP SYN

63
Q

As a Chief Information Security Officer (CISO) of a cloud service provider, you are assessing the threats related to TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) protocols used in your infrastructure. You are also considering mitigations to address the specific threats associated with these protocols. Considering the key characteristics of TCP and UDP and the potential attacks they could face, which of the following scenarios represents the most significant risk to your infrastructure that requires immediate mitigation?

TCP being used in your web server architecture, making it susceptible to SYN flood attacks
UDP being used for online multi-player gaming on your gaming servers, potentially opening the possibility for Fraggle attacks
UDP being used for live video streaming services you provide, increasing the risk of Smurf attacks
TCP being utilized for transmitting sensor data in your IoT (Internet of Things) products, opening the possibility for sequence number prediction attacks

A

The correct answer: TCP being used in your web server architecture, given the severe implications of a SYN flood attack on a TCP-based web server. In such an attack, the attacker initiates a large number of TCP connections but never completes the three-way handshake. This leaves the server holding a vast number of partially open connections, consuming resources and potentially leading to a Denial of Service (DoS) as the server might be unable to handle legitimate requests. The impact on a web server, a crucial part of the infrastructure that often faces the public internet, could be enormous, leading to significant downtime and potential loss of business.

The incorrect answers: Fraggle attacks against UDP are indeed a concern, but they may not be as critical in this context. These attacks use UDP and not ICMP, making them potentially more successful, but the damage might be limited given the context. This scenario mentions a gaming server, and while downtime is a problem, the implications may not be as far-reaching as an attack on the web server infrastructure.

Smurf attacks utilize ICMP, not UDP, rendering this option less pertinent. These types of attacks might pose a risk to your infrastructure, but as UDP is used for live video streaming in this context, they don’t apply directly. Also, ICMP blocking is common, which may reduce the potential impact of this type of attack.

Sequence number prediction attacks on TCP connections are a concern, but in this context, the data being transmitted is from IoT sensors. It’s important to protect IoT data, but this threat may not be as critical in terms of potential damage to the infrastructure as a SYN flood attack on the web server architecture. Modern TCP/IP stack implementations also use random sequence numbers, making these types of attacks more difficult.

64
Q

In her company, access controls are rule-based. Naomi is creating an access control list for files in the financial department’s share. Naomi wants all managers to have read access to any file, but only employees in Accounts Receivable (AR) to be able to update the file and only employees in Accounts Payable (AP) to read the files; no-one else should be permitted access. Given these four rules, what is MOST likely the sequence to place them in the ACL?

  1. Deny
  2. Allow Managers read access
  3. Allow AR update access
  4. Allow AP read access

A

3,4,2,1

65
Q

Linda wants to increase the controls over accountability. What method of keeping the logs is MOST appropriate?

Send log entries to a separate server on TCP port 1433
Send log entries to a separate server on UDP port 514
Keep log entries on a different partition on the hard drive
Send log entries to a separate server on UDP port 162

A

Log entries should be kept off board to prevent tampering, especially by attackers who may have gained privileged access; commonly log entries are sent to the syslog server which listens on UDP port 514. The server that listens on UDP port 162 is the SNMP manager, which is used for network management rather than log entries from servers. The server that listens on TCP port 1433 is a MS-SQL database server; the volume in which log entries are sent will soon overwhelm a database server. Simply placing the on-board log files in a different partition will not prevent attackers from tampering with the logs.

66
Q

As an IT Security Manager of a large multinational corporation, you’re in the process of reviewing your current routing protocols. The existing protocols are based on RIP (Routing Information Protocol), an older distance-vector protocol that uses hop count as its only metric. You’re considering other routing protocols that could potentially offer better efficiency and security. If you were to implement changes to the network to enhance its efficiency and security, which feature of the RIP protocol should be most critically evaluated due to its potential impact on network performance?

The built-in loop prevention mechanism.
The use of split horizon to prevent routing loops.
The hold down timer that prevents changes to a specific route for a certain amount of time.
The usage of UDP Port 520 for its transport protocols.

A

The correct answer: The hold down timer is a feature that could have significant implications for network performance. While it’s intended to allow routes to stabilize before the routing table is updated, if set incorrectly or inappropriately for the network’s conditions, it could lead to inefficiencies. For example, it could cause delays in route updates if it’s set too long, or frequent, unnecessary updates if set too short. As a result, it’s a critical feature to evaluate when looking to improve the performance and efficiency of a network using RIP.

The incorrect answers: It is true that RIP uses UDP Port 520, but this is more of a technical detail and doesn’t have as significant an impact on overall network performance as other factors. Changing this would require altering the entire protocol, which is more disruptive than adjusting certain settings or features.

The built-in loop prevention mechanism is essential to the functioning of RIP and any other routing protocol. Removing or altering this would likely lead to instability and inefficiency, as it could result in routing loops. This is not something to be critically evaluated, but something that should be maintained.

Split horizon is another crucial feature that prevents routing loops, which are detrimental to network performance. Although it is worth understanding how it functions and its implications, it isn’t the feature most in need of critical evaluation.

67
Q

ACL vs Capability Table

A

ACL: It is defined object-wise (resources). 12 files need 12 rules.

Capability: It is defined subject-wise (users, processes, and procedures). 5 departments need only 5 rules.

68
Q

Federated Identity Management (FIM) and Delegated Identity Management (DIM)

A

DIM is your option to sign into one service with some other credentials. Think “sign in with google/facebook/yahoo” on some other website associated with either.

FIM is when you sign into your google account for example to use all the features of the google suite, youtube and other google ONLY products.

69
Q

As the Chief Information Security Officer (CISO) for a large software development company, you have observed inconsistencies in the execution and tracking of software requirements, including those related to security. This has resulted in multiple software updates where certain requirements were unintentionally overlooked, leading to potential vulnerabilities. You decide to standardize the usage of Requirement Traceability Matrices (RTM) across all development projects. As part of this initiative, what is the most significant aspect you need to emphasize to maximize the effectiveness of RTMs in meeting security requirements and mitigating vulnerabilities?

The RTM should include specific security requirements to ensure they are considered from the beginning.
The RTM should encompass all the software requirements including project tasks and deliverable documents.
The RTM should be employed as a dynamic, iterative tool that adjusts to the changing requirements over time.
The RTM should be updated to reflect the requirements of every new software version.

A

The correct answer: Employing the RTM as a dynamic, iterative tool that adjusts to changing requirements over time is the most significant aspect. This approach ensures that the RTM stays relevant and useful throughout the software development lifecycle, capturing changes in requirements, project tasks, and deliverable documents, as well as adapting to evolving security landscapes. This continuous adaptation and tracking of requirements are key to avoiding overlooked elements and mitigating potential vulnerabilities.

The incorrect answers: Updating the RTM to reflect the requirements of every new software version is an important practice, but it’s not the most significant aspect. This practice ensures that the new requirements are documented, but it doesn’t necessarily ensure that the RTM evolves with changing project needs or that the implementation of these requirements is tracked effectively.

Having the RTM encompass all software requirements, including project tasks and deliverable documents, is crucial for comprehensive project management. But the breadth of information included in the RTM is less significant than how this information is used and updated over time, particularly as the requirements and priorities of a project may change.

Including specific security requirements in the RTM from the start is a best practice, as it embeds security into the software development process. Nevertheless, while this is important, it does not address the need for these requirements to be adaptable over time in response to changing threats and project objectives.

70
Q

Francis is building the security controls and audit trails into a new application. What is the BEST phase listed below in the system development life cycle (SDLC) for Francis to do this work?

System development phase
System initiation phase
System operations phase
System implementation phase

A

In the system development phase, the system is constructed or acquired from a vendor; during this phase, users and administrators will work with the developers to prepare system controls and audit trails to be used during the system operations phase. It is possible the security controls may have been specified as Non-Functional Requirements in the System requirements phase (not listed as an answer).

71
Q

Natalie needs to be able to determine which versions of the software components constitute the current product. What is the MOST likely tool Natalie can use?

Software configuration management
Bug tracking
Source code repository
Versioning control

A

Software configuration management (SCM) is used to determine what currently constitutes the product; what changes have been made to the product; and what has been the history of the product’s evolution. The other answers do not by themselves determine the combination of components in the current product. Source code repository is where the various software components are stored so they can be reused. Versioning control ensures a branch of code development can revert to a previously known good state. Bug tracking is used to ensure bugs are remedied, tested, and incorporated in the new versions of the source code.

72
Q

Which of the following is the MOST effective strategy for achieving zero-defects in a software development project?

Implementing strict quality control measures throughout the development process
Relying on rigorous testing to catch defects before release
Setting aggressive deadlines to motivate developers to work faster
Investing in cutting-edge software development tools and technology

A

The correct answer: Implementing strict quality control measures throughout the development process: Software development is a multi-step process where defects can occur at any stage. The most effective strategy for achieving zero-defects is to implement strict quality control measures throughout the development process. This involves adopting quality assurance practices at each stage of the process, from requirement analysis, design, coding, to testing. This way, errors can be detected and rectified as soon as they occur, reducing the probability of defects making it into the final product. This approach is based on the principle of ‘prevention over detection,’ emphasizing preventing defects from occurring in the first place, rather than finding and fixing them later on. This not only reduces the defect rate but also saves time and resources in the long run.