b. 3 only

c. 4 only

d. 1, 2, 3, and 4

103. d. Management authorization of a system to process information provides an important quality control. By authorizing processing in a system, the manager accepts its associated risk. Management authorization should be based on an assessment of management, operational, and technical controls.

104. Which of the following should be performed prior to proceeding with the security certification and accreditation process for a system?

a. System security plan be developed

b. System security plan be analyzed

c. System security plan be updated

d. System security plan be accepted

104. a. Procedures should be in place outlining who reviews the security plan, who keeps the plan current, and who follows up on planned security controls. In addition, procedures should require that the system security plan be developed and reviewed before proceeding with the security certification and accreditation process for the system; a plan cannot be analyzed, updated, or accepted until it exists.

105. Which of the following individuals establishes the rules for appropriate use and protection of a system’s data and information?

a. Chief information officer

b. Information system security officer

c. Information system owner

d. Information owner

105. d. The information owner is responsible for establishing the rules for appropriate use and protection of a system's data and information, and for establishing the controls that govern its generation, collection, processing, dissemination, and disposal. The chief information officer (CIO) is incorrect because the CIO is responsible for developing and maintaining an organization-wide information security program. The information system security officer is incorrect because that officer is responsible for ensuring that the appropriate operational security posture is maintained for an information system. The information system owner (also known as the program manager or business owner) is incorrect because that owner is responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.

106. Which of the following states that every user should be notified prior to receiving authorization for access to a system and understand the consequences of noncompliance?

a. Rules-of-behavior

b. Rules-of-access

c. Rules-of-use

d. Rules-of-information

106. a. Rules of behavior are a security control that clearly delineates the responsibilities and expected behavior of all individuals with access to the system. The rules should state the consequences of behavior inconsistent with the rules, or of noncompliance, and must be made available to every user before that user receives authorization for access to the system. Electronic signatures are acceptable for acknowledging the rules of behavior.

107. The baseline security controls can be tailored using the results from:

1. Assessment of risk

2. Specific threat information

3. Cost-benefit analyses

4. Availability of compensating controls

a. 1 only

b. 1 and 2

c. 1, 2, and 3

d. 1, 2, 3, and 4

107. d. The baseline security controls can be tailored based on an assessment of risk and on local conditions, including organization-specific security requirements, specific threat information, cost-benefit analyses, the availability of compensating controls, or special circumstances. All four items listed are therefore valid inputs to tailoring.

108. For system security scoping guidance, which of the following addresses the breadth and depth of security control implementation?

a. Technology-related considerations

b. Physical infrastructure-related considerations

c. Scalability-related considerations

d. Public access–related considerations

108. c. Scoping guidance provides an organization with specific terms and conditions on the applicability and implementation of individual security controls.

Scalability-related considerations address the breadth and depth of security control implementation. Technology-related considerations deal with specific technologies such as wireless, cryptography, and public key infrastructure. Physical infrastructure-related considerations include locks and guards, and environmental controls for temperature, humidity, lighting, fire, and power. Public access-related considerations address whether identification and authentication controls, and personnel security controls, are applicable to public access.
