FIPS 199 defines the three levels of potential impact on organizations. Which of the following potential impact levels shows limited adverse effects on organizational operations, organizational assets, or individuals?
Answer : B
The potential impact is called low if the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on
organizational operations, organizational assets, or individuals.
Answer C is incorrect. Such a type of potential impact level does not exist
Answer A is incorrect. The potential impact is known to be moderate if the loss of confidentiality, integrity, or availability is expected to
have a serious adverse effect on organizational operations, organizational assets, or individuals.
Answer D is incorrect. The potential impact is called high if the loss of confidentiality, integrity, or availability is expected to have a
severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Which of the following are the primary functions of configuration management?
Each correct answer represents a complete solution. Choose all that apply.
Answer : B, C, D
The primary functions of configuration management are as follows:
It ensures that the change is implemented in a sequential manner through formalized testing.
It ensures that the user base is informed of the future change.
It analyzes the effect of the change that is implemented on the system.
It reduces the negative impact that the change might have had on the computing services and resources.
Answer A is incorrect. It is not one of the primary functions of configuration management. It is the function of risk avoidance.
What are the subordinate tasks of the Implement and Validate Assigned IA Control phase in the DIACAP process?
Each correct answer represents a complete solution. Choose all that apply.
Answer : A, B, C
The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is a process defined by the United States
Department of Defense (DoD) for managing risk.
The subordinate tasks of the Implement and Validate Assigned IA Control phase in the DIACAP process are as follows:
Execute and update IA implementation plan.
Conduct validation activities.
Combine validation results in the DIACAP scorecard.
Answer D is incorrect. The activities related to the disposition of the system data and objects are conducted in the fifth phase of the
DIACAP process. The fifth phase of the DIACAP process is known as Decommission System.
The service-oriented modeling framework (SOMF) introduces five major life cycle modeling activities that drive a service evolution during design-time and run-time. Which of the following activities integrates SOA software assets and establishes SOA logical environment dependencies?
Answer : C
The service-oriented logical architecture modeling integrates SOA software assets and establishes SOA logical environment dependencies. It
also offers foster service reuse, loose coupling and consolidation.
Answer A is incorrect. The service-oriented discovery and analysis modeling discovers and analyzes services for granularity, reusability,
interoperability, loose-coupling, and identifies consolidation opportunities.
Answer B is incorrect. The service-oriented business integration modeling identifies service integration and alignment opportunities
with business domains' processes.
Answer D is incorrect. The service-oriented logical design modeling establishes service relationships and message exchange paths.
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
Answer : C
When you are hiring a third party to own risk, it is known as transference risk response.
Transference is a strategy to mitigate negative risks or threats. In this strategy, consequences and the ownership of a risk is transferred to a
third party. This strategy does not eliminate the risk but transfers responsibility of managing the risk to another party. Insurance is an
example of transference.
Answer B is incorrect. The act of spending money to reduce a risk probability and impact is known as mitigation.
Answer A is incorrect. Exploit is a strategy that may be selected for risks with positive impacts where the organization wishes to ensure
that the opportunity is realized.
Answer D is incorrect. When extra activities are introduced into the project to avoid the risk, this is an example of avoidance.
An attacker exploits actual code of an application and uses a security hole to carry out an attack before the application vendor knows about the vulnerability. Which of the following types of attack is this?
Answer : B
A zero-day attack, also known as zero-hour attack, is a computer threat that tries to exploit computer application vulnerabilities which are
unknown to others, undisclosed to the software vendor, or for which no security fix is available. Zero-day exploits (actual code that can use a
security hole to carry out an attack) are used or shared by attackers before the software vendor knows about the vulnerability. User
awareness training is the most effective technique to mitigate such attacks.
Answer A is incorrect. A replay attack is a type of attack in which attackers capture packets containing passwords or digital signatures
whenever packets pass between two hosts on a network. In an attempt to obtain an authenticated connection, the attackers then resend
the captured packet to the system. In this type of attack, the attacker does not know the actual password, but can simply replay the captured
packet.
Answer C is incorrect. Man-in-the-middle attacks occur when an attacker successfully inserts an intermediary software or program
between two communicating hosts. The intermediary software or program allows attackers to listen to and modify the communication packets
passing between the two hosts. The software intercepts the communication packets and then sends the information to the receiving host.
The receiving host responds to the software, presuming it to be the legitimate client.
Answer D is incorrect. A Denial-of-Service (DoS) attack is mounted with the objective of causing a negative impact on the performance
of a computer or network. It is also known as network saturation attack or bandwidth consumption attack. Attackers perform DoS attacks by
sending a large number of protocol packets to a network.
Which of the following types of attacks occurs when an attacker successfully inserts an intermediary software or program between two communicating hosts?
Answer : C
When an attacker successfully inserts an intermediary software or program between two communicating hosts, it is known as man-in-the-
middle attack.