39. d. System security controls selected are grouped into one of the three categories of management, operational, or technical controls. Each one of these controls can be preventive in nature.
40. Risk management activities are performed for periodic system re-authorization in which of the following system development life cycle (SDLC) phases?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
40. d. In the operation/maintenance phase of the SDLC, risk management activities are performed for periodic system re-authorization or re-accreditation.
41. Which of the following are the fundamental reasons why organizations implement a risk management process for their IT systems?
1. Need for minimizing negative impact on an organization
2. Need for sound basis in decision making
3. Need for inventing a new risk management methodology for each SDLC phase
4. Need for noniterative process used in risk management
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4
41. a. Minimizing a negative impact on an organization and need a for sound basis in decision making are the fundamental reasons why organizations implement a risk management process for their IT systems. The risk management methodology is the same regardless of the system development life cycle (SDLC) phase and it is an iterative process that can be performed during each major phase of the SDLC.
42. From a risk management viewpoint, system migration is conducted in which of the following system development life cycle (SDLC) phases?
a. Development/acquisition
b. Implementation
c. Operation/maintenance
d. Disposal
42. d. In the disposal phase of the SDLC process, system migration is conducted in a secure and systematic manner.
43. For gathering information in the risk assessment process, proactive technical methods include which of the following?
a. Questionnaires
b. Onsite interviews
c. Document review
d. Network mapping tool
43. d. A network mapping tool, which is an automated information scanning tool, can identify the services that run on a large group of hosts and provide a quick way of building individual profiles of the target IT system(s). The other three choices are not examples of technical methods, whether proactive.
44. Which of the following is not a recommended approach for identifying system vulnerabilities?
a. Using vulnerability sources
b. Using threat sources
c. Conducting system security testing
d. Using security requirements checklist
44. b. Vulnerabilities (flaws and weaknesses) are exploited by the potential threat sources such as employees, hackers, computer criminals, and terrorists. Threat source is a method targeted at the intentional exploitation of a vulnerability or a situation that may accidentally exploit a vulnerability.
Recommended approaches for identifying system vulnerabilities include the use of vulnerability sources, the performance of system security testing, and the development of a security-requirements checklist.
45. From a risk mitigation viewpoint, which of the following is not an example of system protection controls that are part of supporting technical security controls?
a. Modularity
b. Layering
c. Need-to-know
d. Access controls
45. d. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls). Supporting controls must be in place in order to implement other controls. Access controls are a part of preventive technical security controls, whereas system protections are an example of supporting technical security controls.
Some examples of system protections include modularity, layering, need-to-know, and trust minimization (i.e., minimization of what needs to be trusted).
46. Which of the following controls is typically and primarily applied at the point of transmission or reception of information?
a. Nonrepudiation services
b. Access controls
c. Authorization controls
d. Authentication controls
