48. c. Usually, there is no definitive end to an SDLC process because the system can remain in service as a legacy system for a long time or it can eventually be replaced with a new system. Systems evolve or transition to the next generation as follow-on systems with changing requirements and technology. Security plans evolve with the system. Many of the management and operational controls in the old, legacy system are still relevant and useful in developing the security plan for the follow-on system.
49. If there is a doubt as to whether sensitive information remains on a system, which of the following should be consulted before disposing of the system?
a. Information system owner
b. Information system security officer
c. Information owner
d. Certification and accreditation officer
49. b. Some systems may still contain sensitive information after the storage media is removed. If there is a doubt as to whether sensitive information remains on a system, the information system security officer should be consulted before disposing of the system because the officer deals with the technical aspects of a system. The other parties mentioned do not have a technical focus but instead have a business focus.
50. Which of the following is similar to security certification and accreditation?
a. Quality assurance
b. Quality control
c. Operational control
d. Management control
50. b. Quality control is similar to security certification and accreditation in terms of scope of work and goals. Quality control is a technical control. Quality assurance is included in security planning, which is a management control. Operational control deals with day-to-day procedures.
51. Which of the following are essential components of the security certification and accreditation process?
1. Risk assessment
2. Security requirements
3. Security plans
4. Security controls
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4
51. b. Both risk assessment and security plans are essential components of the security certification and accreditation process. These two components accurately reflect the security requirements and security controls through the system development life cycle (SDLC) methodology. Security requirements and security controls (planned or designed) drive the risk assessment process and security plans.
52. By accrediting an information system, an organization’s management official does which of the following?
a. Avoids the risks
b. Limits the risks
c. Accepts the risks
d. Transfers the risks
52. c. By accrediting an information system, an organization’s management official accepts the risks associated with operating the system and the associated security implications to the organization’s operations, assets, or individuals.
53. Information system assurance is achieved through which of the following?
1. Understanding of the threat environment
2. Evaluation of system requirements sets
3. Knowledge of hardware and software engineering principles
4. Availability of product and system evaluation results
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
53. d. System assurance is the grounds for confidence that a system meets its security expectations. A good understanding of the threat environment, evaluation of system requirements sets, knowledge of hardware and software engineering principles, and the availability of product and system evaluation results are all required for system assurance.
54. What should be in place prior to the security certification and accreditation process?
a. The security plan is analyzed.
b. The security plan is updated.
c. The security plan is accepted.
d. The security plan is developed.
54. d. During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. For this to happen, the system security plan must already have been developed and be in place.
55. Which of the following should occur prior to a significant change in the processing of an information system?
a. System recertification
b. System reaccreditation
c. System reauthorization
d. System reassessment
55. c. Reauthorization should occur prior to a significant change in the processing of an information system. A periodic review of controls should also contribute to future authorizations.