Traditional Questions, Answers, and Explanations
1. Which of the following is the correct sequence of steps to be followed in an application-software change control process?
    1. Test the changes.
    2. Plan for changes.
    3. Initiate change request.
    4. Release software changes.
    a. 1, 2, 3, and 4
    b. 2, 1, 3, and 4
    c. 3, 2, 1, and 4
    d. 4, 3, 1, and 2
2. To overcome resistance to a change, which of the following approaches provides the best solution?
    a. The change is well planned.
    b. The change is fully communicated.
    c. The change is implemented in a timely way.
    d. The change is fully institutionalized.
3. During the system design of data input control procedures, the least consideration should be given to which of the following items?
    a. Authorization
    b. Validation
    c. Configuration
    d. Error notification