ISC2 Information Systems Security Engineering Professional CISSP-ISSEP Exam Practice Test

Page: 1 / 14
Total 214 questions
Question 1

Continuous Monitoring is the fourth phase of the security certification and accreditation process. What activities are performed in the Continuous Monitoring process?

Each correct answer represents a complete solution. Choose all that apply.



Answer : A, B, C

Continuous Monitoring is the fourth phase of the security certification and accreditation process.

The Continuous Monitoring process consists of the following three main activities:

Configuration management and control

Security control monitoring and impact analyses of changes to the information system

Status reporting and documentation

The objective of these tasks is to observe and evaluate the information system security controls during the system life cycle. These tasks determine whether the changes that have occurred will negatively impact the system security.

Answer options E and D are incorrect. Security accreditation decision and security accreditation documentation are the two tasks of the security accreditation phase.


Question 2

Which of the following types of CNSS issuances establishes criteria, and assigns responsibilities?



Answer : D

The various CNSS issuances are as follows:

Policies: Assign responsibilities and establish criteria (NSTISSP or CNSSP).

Directives: Establish or describe policy and programs, provide authority, or assign responsibilities (NSTISSD).

Instructions: Describe how to implement the policy or prescribe the manner of a policy (NSTISSI).

Advisory memoranda: Provide guidance on policy and may cover a variety of topics involving information assurance, telecommunications security, and network security (NSTISSAM).


Question 3

Which of the following security controls will you use for the deployment phase of the SDLC to build secure software? Each correct answer represents a complete solution. Choose all that apply.



Answer : A, B, C

The various security controls in the SDLC deployment phase are as follows:

Secure Installation: While performing any software installation, it should be kept in mind that the security configuration of the environment should never be reduced. If it is reduced, security issues and overall risks can affect the environment.

Vulnerability Assessment and Penetration Testing: Vulnerability assessments (VA) and penetration testing (PT) are used to determine the risk and attest to the strength of the software after it has been deployed.

Security Certification and Accreditation (C&A): Security certification is the process used to ensure that controls are effectively implemented through established verification techniques and procedures, giving organization officials confidence that the appropriate safeguards and countermeasures are in place as a means of protection. Accreditation is the provisioning of the necessary security authorization by a senior organization official to process, store, or transmit information.

Risk Adjustments: Contingency plans and exceptions should be generated so that the residual risk be above the acceptable threshold.


Question 4

Which of the following individuals are part of the senior management and are responsible for authorization of individual systems, approving enterprise solutions, establishing security policies, providing funds, and maintaining an understanding of risks at all levels? Each correct answer represents a complete solution. Choose all that apply.



Answer : A, B, C, E

Authorizing Official, AO Designated Representative (AODR), Chief Information Officer (CIO), and Senior Information Security Officer (SISO) are part of the senior management. These individuals are responsible for the following:

Authorization of individual systems

Approving enterprise solutions

Establishing security policies

Providing funds

Maintaining an understanding of risk at all levels

Answer option D is incorrect. A User Representative is not a part of the senior management in the Authorization process.


Question 5

Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?



Answer : B

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a 'risk-based policy for cost-effective security'. FISMA requires agency program officials, chief information officers, and Inspectors General (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act.

Answer option A is incorrect. The Lanham Act is a piece of legislation that contains the federal statutes of trademark law in the United States. The Act prohibits a number of activities, including trademark infringement, trademark dilution, and false advertising. It is also called the Lanham Trademark Act.

Answer option D is incorrect. The Computer Misuse Act 1990 is an act of the UK Parliament which states the following:

Unauthorized access to computer material is punishable by 6 months' imprisonment or a fine 'not exceeding level 5 on the standard scale' (currently 5000).

Unauthorized access with the intent to commit or facilitate commission of further offences is punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment.

Unauthorized modification of computer material is subject to the same sentences as section 2 offences.

Answer option C is incorrect. The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended to reduce cracking of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as 18 U.S.C. 1030) governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce. It was amended in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Section (b) of the act punishes not only those who commit or attempt to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.


Question 6

Which of the following federal agencies coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produces foreign intelligence information?



Answer : B

The National Security Agency/Central Security Service (NSA/CSS) is a cryptologic intelligence agency of the United States government. It is administered as part of the United States Department of Defense. NSA is responsible for the collection and analysis of foreign communications and foreign signals intelligence, which involves cryptanalysis.

NSA is also responsible for protecting U.S. government communications and information systems from similar agencies elsewhere, which involves cryptography. NSA is a key component of the U.S. Intelligence Community, which is headed by the Director of National Intelligence.

The Central Security Service is a co-located agency created to coordinate intelligence activities and co-operation between NSA and U.S. military cryptanalysis agencies. NSA's work is limited to communications intelligence. It does not perform field or human intelligence activities.

Answer option A is incorrect. The National Institute of Standards and Technology (NIST), known between 1901 and 1988 as the National Bureau of Standards (NBS), is a measurement standards laboratory which is a non-regulatory agency of the United States Department of Commerce. The institute's official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.

Answer option C is incorrect. The Committee on National Security Systems (CNSS) is a United States intergovernmental organization that sets policy for the security of the US security systems. The CNSS holds discussions of policy issues and sets national policy, directions, operational procedures, and guidance for the information systems operated by the U.S. Government, its contractors, or agents that contain classified information, involve intelligence activities, involve cryptographic activities related to national security, etc.

Answer option D is incorrect. The United States Congress is the bicameral legislature of the federal government of the United States of America. It consists of the Senate and the House of Representatives. The Congress meets in the United States Capitol in Washington, D.C. Both senators and representatives are chosen through direct election.

Each of the 435 members of the House of Representatives represents a district and serves a two-year term. House seats are apportioned among the states by population. The 100 Senators serve staggered six-year terms. Each state has two senators, regardless of population. Every two years, approximately one-third of the Senate is elected at a time. The main function of the United States Congress is to make laws. The Office of the Law Revision Counsel organizes and publishes the United States Code (USC). It is a consolidation and codification by subject matter of the general and permanent laws of the United States.


Question 7

In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199. What levels of potential impact are defined by FIPS 199? Each correct answer represents a complete solution. Choose all that apply.



Answer : A, B, C

In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199. FIPS 199 is a standard for security categorization of Federal Information and Information Systems. It defines three levels of potential impact:

Low: It causes a limited adverse effect.

Medium: It causes a serious adverse effect.

High: It causes a severe adverse effect.

