13. b. To determine what security controls to select for ongoing review, organizations should first prioritize testing on “action plan and milestones” items that become closed. These newly implemented controls should be validated first.

The other three documents are part of the continuous monitoring phase and come into play when there are major changes or modifications to the operational system.

14. What is the major purpose of configuration management?

a. To reduce risks from system insertions

b. To reduce risks from system installations

c. To reduce risks from modifications

d. To minimize the effects of negative changes

14. d. The purpose of configuration management is to minimize the effects of negative changes or differences in configurations on an information system or network. The other three choices are examples of minor purposes, all leading to the major purpose. Note that modifications could be proper or improper where the latter leads to a negative effect and the former leads to a positive effect.

15. The primary implementation of the configuration management process is performed in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Acquisition/development

c. Implementation

d. Operation/maintenance

15. d. The primary implementation of the configuration management process is performed during the operation/maintenance phase of the SDLC. The other phases are too early for this process to take place.

16. Which of the following phases of the security certification and accreditation process primarily deals with configuration management?

a. Initiation

b. Security certification

c. Security accreditation

d. Continuous monitoring

16. d. The fourth phase of the security certification and accreditation process, continuous monitoring, primarily deals with configuration management. Documenting information system changes and assessing the potential impact those changes may have on the security of the system is an essential part of continuous monitoring and maintaining the security accreditation.

17. Constant monitoring of an information system is performed with which of the following?

1. Risk management

2. Security certification

3. Security accreditation

4. Configuration management processes

a. 1 and 2

b. 2 and 3

c. 1, 2, and 3

d. 1, 2, 3, and 4

17. d. Constant monitoring of a system is performed to identify possible risks to the system so that these can be addressed through the risk management, security certification and accreditation, and configuration management processes.

18. Which of the following are not the responsibilities of the configuration control review board?

1. Discussing change requests

2. Conducting impact analysis of changes

3. Requesting funding to implement changes

4. Notifying users of system changes

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

18. c. Conducting impact analysis of changes and notifying users of system changes are the responsibilities of the configuration manager, whereas discussing change requests and requesting funding to implement changes are the responsibilities of the configuration control review board.

19. An impact analysis of changes is conducted in which of the following configuration management process steps?

a. Identify changes.

b. Evaluate change request.

c. Implement decisions.

d. Implement approved change requests.

19. b. After initiating a change request, the effects that the change may have on a specific system or other interrelated systems must be evaluated. An impact analysis of the change is conducted in the “evaluate change request” step. Evaluation is the end result of identifying changes, deciding what changes to approve and how to implement them, and actually implementing the approved changes.

20. Additional testing or analysis may be needed in which of the following operational decision choices of the configuration management process?

a. Approve

b. Implement

c. Deny

d. Defer

20. d. In the “defer” choice, an immediate decision is postponed until further notice. In this situation, additional testing or analysis may be needed before a final decision can be made later.
