Enterprise Security Management Practices ◾  71
© 2011 by Taylor & Francis Group, LLC
8. Security boundary is important to establishing
a. Who will be doing the certification effort
b. Scoping the security effort
c. Determining which regulations and laws apply
d. If the system will need an Internet connection or not
9. The Implementation Phase of the System Development Life Cycle includes
a. Conducting an initial security test
b. Identifying security solutions
c. Determining if the security is acceptable to operate
d. Dening the system security requirements
10. The ISSMP's job is to provide security support at the end of which phase in
the System Development Life Cycle?
a. Disposition and Disposal
b. Operation and Maintenance
c. Implementation
d. Initiation
11. Risk assessments are done in which phases of the System Development Life Cycle?
a. Initiation
b. Initiation and Implementation
c. Implementation and Disposition and Disposal
d. Initiation, Implementation, and Operations and Maintenance
12. Who sets the information security standards for the public sector?
a. National Security Agency (NSA)
b. International Organization for Standardization (ISO)
c. National Institute of Standards and Technology (NIST)
d. International Electrotechnical Commission (IEC)
13. Families of controls are identified in which of the following documents?
a. NIST Special Publication 800-53
b. ISO 27002
c. DODI-8500.2
d. All the above
14. The ISSMP decides between using quantitative and qualitative risk assessment
based on
a. The budget process
b. Threats
c. Vulnerabilities
d. Management decision processes
15. Assurances are those activities that provide management with what about
security solutions?
a. Due diligence
b. Protection
72 ◾  Official (ISC)²® Guide to the ISSMP® CBK®
c. Cost effectiveness
d. ROI
16. Which of the following provides a measurement of how well an organization's
process includes the capability of continuously improving its processes?
a. Common Criteria Evaluation and Validation Scheme
b. OCTAVE
c. Software Engineering Institute’s Capability Maturity Model
d. Commonly Accepted Security Practices and Regulations
17. Interconnections with other systems outside the system security boundary
can have the following effects on a system:
a. Increased dependencies to support the other system's security requirements
b. Requirement to notify when a security event occurs on your system
c. Obligation to inform the other system when outages are going to occur
d. All the above
18. Annual Loss Expectancy and ROI are expressed in the following units:
a. Currency and percentage
b. Percentage and level of risk
c. Cost of security and percentage
d. Percentage and cost savings
19. Plan of Actions and Milestones (POA&M) is
a. A security plan
b. A management tool
c. A list of all the system's security solutions
d. A checklist of actions for monitoring security during the Implementation
Phase
20. The ideal presentation to senior managers should follow which of the following
rules?
a. 20-page justification
b. Five slides
c. Answer all the questions that the audience could ask
d. Be presented in five minutes