CISSP Practice полностью

The objectives of the software quality assurance process are to ensure that the software development and software assurance processes comply with software assurance plans and standards, and to recommend process improvement. This process uses the system requirements and information about the purpose and criticality of the software to evaluate the outputs of the software development and software assurance processes.

The objective of the software verification and validation (SV&V) process is to comprehensively analyze and test the software concurrently with processes of software development and software maintenance. The process determines that the software performs its intended functions correctly, ensures that it performs no unintended functions, and measures its quality and reliability. SV&V is a detailed engineering assessment for evaluating how well the software is meeting its technical requirements, in particular its safety, security, and reliability objectives, and for ensuring that software requirements are not in conflict with any standards or requirements applicable to other system components.

76. The Reference Monitor concept is which of the following?

a. It is dependent on mandatory access control policy.

b. It is independent of any access control policy.

c. It is independent of role-based access control policy.

d. It is dependent on discretionary access control policy.

76. b. The Reference Monitor concept is independent of any particular access control policy because it mediates all types of access to objects by subjects. Mandatory access control policy is a means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity. With role-based access control policy, access decisions are based on the roles (for example, teller, analyst, and manager) that individual users have as part of an organization. Discretionary access control policy is a means of restricting access to objects based on the identity of subjects.

77. Which of the following are essential activities of a comprehensive information security program for an organization on an ongoing basis?

1. Information preservation

2. Security test and evaluation

3. Security control monitoring

4. Security status reporting

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 3 and 4

77. d. Security-control monitoring and reporting the status of the information system to appropriate management authorities are essential activities of a comprehensive information security program. Information preservation is a part of the disposal phase, whereas security test and evaluation is a part of the implementation phase of a system development life cycle (SDLC). Security-control monitoring and security status reporting are a part of the operation and maintenance phase of an SDLC, which facilitate ongoing work.

78. Security certification is made in support of which of the following?

a. Security accreditation

b. Management controls

c. Operational controls

d. Technical controls

78. a. Security certification is a comprehensive assessment of the management, operational, and technical controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcomes.

79. Which of the following is not one of the primary goals of certification and accreditation of information systems?

a. To enable consistent assessment of security controls

b. To promote a better understanding of organization-wide risks

c. To deliver reliable information to management

d. To conduct reaccreditation reviews periodically

79. d. Conducting reaccreditation reviews periodically is a mechanical step (a byproduct of the goal) and a secondary goal. The primary goals of certification and accreditation of information systems are to (i) enable more consistent, comparable, and repeatable assessments of security controls in information systems, (ii) promote a better understanding of organization-related risks resulting from the operation of information systems, and (iii) create more complete, reliable, and trustworthy information for authorizing officials (management) to facilitate more informed security accreditation decisions.

80. The security accreditation phase does not contain which of the following?

a. System security plan

b. System security assessment report

c. Plan of actions and milestones