35. In the preliminary risk assessment task of the system development life cycle (SDLC) initiation phase, integrity needs from a user’s or owner’s perspective are defined in terms of which of the following?
a. Place of data
b. Timeliness of data
c. Form of data
d. Quality of data
35. d. Integrity can be examined from several perspectives. From a user’s or application owner’s perspective, integrity is the quality of data that is based on attributes such as accuracy and completeness. The other three choices do not reflect the attributes of integrity.
36. An in-depth study of the needs-determination for a new system under development is conducted in which of the following system development life cycle (SDLC) phases?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
36. b. The requirements analysis task of the SDLC phase of development is an in-depth study of the need for a new system. The requirements analysis draws on and further develops the work performed during the initiation phase. The needs-determination activity is performed at a high level of functionality in the initiation phase.
37. Which of the following should be conducted before the approval of system design specifications of a new system under development?
a. Enterprise security architecture
b. Interconnected systems
c. Formal risk assessment
d. System security specifications
37. c. A formal security risk assessment should be conducted before the approval of system design specifications. The other three choices are considered during a formal security risk assessment process.
38. Which of the following is often overlooked when determining the cost of a new system’s acquisition or development?
a. Hardware
b. Software
c. Training
d. Security
38. d. The capital planning process determines how much the acquisition or development of a new system will cost over its life cycle. These costs include hardware, software, personnel, and training. Another critical area often overlooked is security.
39. Which of the following is required when an organization uncovers deficiencies in the security controls employed to protect an information system?
a. Develop preventive security controls.
b. Develop a plan of action and milestones.
c. Develop detective security controls.
d. Modify ineffective security controls.
39. b. Detailed plans of action and milestones (POA&M) schedules are required to document the corrective measures needed to increase the effectiveness of the security controls and to provide the requisite security for the information system prior to security authorization. The other three choices are not corrective steps requiring action plans and milestone schedules.
40. The security-planning document developed in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following?
a. Statement of work development
b. Configuration management plan
c. Contingency plan
d. Incident response plan
40. a. The statement of work development is a part of other planning components in the development/acquisition phase of a system development life cycle (SDLC). The other three choices are part of the security-planning document.
41. In establishing a secure network, which of the following reflects the greatest need for restricting access via secure location?
a. Transaction files
b. Configuration files
c. Work files
d. Temporary files
41. b. Configuration files, system files, or files with sensitive information must not be migrated to different storage media and must be retained in a secure location due to their access restrictions. The files listed in the other three choices are not sensitive; they are temporary and don't need to be retained after their use is completed.