59. Which of the following is the best way to ensure an acceptable level of trustworthiness of an information system?
a. Component-by-component
b. Subsystem-by-subsystem
c. Function-by-function
d. System-by-system
59. d. Typically, components, subsystems, and functions are highly interrelated, making separation by trustworthiness problematic with unpredictable results. Hence, system-by-system trustworthiness is best because it is wholesome and inclusive of system components, subsystems, and functions.
60. Which of the following is an example of detective (detection) personnel security controls?
a. Separation of duties
b. Least privilege
c. User computer access registration
d. Rotation of duties
60. d. Rotation of duties is an example of detective (detection) personnel security controls, which are part of management security controls. The other three choices are examples of preventive personnel security controls.
61. Which of the following is not an example of preventive management security controls?
a. Conducting periodic review of security controls
b. Assigning security responsibilities
c. Developing system security plans
d. Conducting security awareness and training
61. a. Conducting periodic review of security controls to ensure that the controls are effective is an example of detection management security controls. The other three choices are examples of preventive management security controls.
62. Which of the following characterizes information domains?
1. Partitioning information
2. Access control needs
3. Levels of protection required
4. Classifying information
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
62. d. The partitioning of information according to access control needs and levels of protection required yields categories of information. These categories are often called information domains. Classifying information as secret, top-secret, and sensitive is also called information domains where information is compartmentalized.
63. A failure of common security controls can increase which of the following?
a. System-specific risks
b. Site-specific risks
c. Subsystem-specific risks
d. Organization-wide risks
63. d. Common security controls are identified during a collaborative organization-wide process involving many parties. Because of the potential dependence on common security controls by many of an organization’s information systems, a failure of such common controls may result in a significant increase in organization-wide risks (i.e., risk that arises from operating the system that depends on these security controls).
64. Which of the following is the first step in the risk management process?
a. Selecting security controls
b. Accomplishing security categorization
c. Satisfying minimum security requirements
d. Defining security control baselines
64. b. Security categorization of data/information and information systems is the first step in the risk assessment process. Subsequent to the security categorization process, an organization must select an appropriate set of security controls for their information systems that satisfy the minimum-security requirements. The selected set of security controls (i.e., limited, serious, or catastrophic) must be one of three security control baselines (i.e., low, moderate, or high) that are associated with the designated impact levels of the information systems.
65. A periodic assessment of the system security plan requires a review of changes occurring in which of the following areas?
1. System functionality
2. System design
3. Information system owner
4. System authorizing official
a. 1 and 2
b. 3 and 4
c. 1, 2, and 3
d. 1, 2, 3, and 4
65. d. After the information system security plan is accredited, it is important to periodically assess the plan; review any change in system functionality, system design, information system owner, and system authorizing official.
66. Disciplinary actions are part of which of the following components of an information security program policy?
a. Purpose
b. Scope
c. Compliance
d. Responsibilities
