d. Security impact analyses

80. d. Security impact analyses are conducted in the continuous monitoring phase whenever there are changes to the information system. The other three choices are part of the security accreditation phase, which comes before the continuous monitoring phase.

81. Which of the following is not a usual common error or vulnerability in information systems?

a. Encryption failures

b. Buffer overflows

c. Format string errors

d. Failing to check input for validity

81. a. Encryption algorithms usually do not fail because they undergo extensive testing, and encryption keys are getting longer, making them more difficult to break. Many errors recur, including buffer overflows, race conditions, format string errors, failing to check input for validity, and computer programs being given excessive access privileges.

82. Which of the following is not the responsibility of the configuration manager?

a. Documenting the configuration management plan

b. Approving, denying, or deferring changes

c. Evaluating configuration management metric information

d. Ensuring that an audit trail of changes is documented

82. c. Evaluating configuration management metric information is the responsibility of the configuration control review board, whereas the other three choices are responsibilities of the configuration manager.

83. Which of the following tasks are performed during the continuous monitoring step of the configuration management (CM) process?

1. Configuration verification tests

2. System audits

3. Patch management

4. Risk management

a. 1 and 2

b. 2 and 3

c. 1, 2, and 3

d. 1, 2, 3, and 4

83. d. The configuration management (CM) process calls for continuous system monitoring to ensure that the system is operating as intended and that implemented changes do not adversely impact either the performance or the security posture of the system. Configuration verification tests, system audits, patch management, and risk management activities are performed to achieve the CM goal.

84. Which of the following levels of the software capability maturity model (CMM) is the most basic in establishing discipline and control in the software development process?

a. Initial level

b. Defined level

c. Repeatable level

d. Managed level

84. c. The Software Engineering Institute (SEI) is a nationally recognized, federally funded research and development center established in the United States to address software development issues. It developed a process maturity framework that would help organizations improve their software development process. In general, the CMM serves as an indicator of the likely range of cost, schedule, and quality results to be achieved by system development projects within an organization. In the repeatable level, basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications. The other three choices are not applicable because the correct answer is based on the definition of CMM levels.

85. An unauthorized user has successfully accessed a computer-based application system. Which of the preventive controls has failed to work?

a. Compatibility tests

b. Validity checks

c. Security label checks

d. Confidentiality tests

85. a. As a part of preventive controls, compatibility tests are used to determine whether an acceptable user is allowed to proceed in the system. This test focuses on passwords, access rules, and system privileges.

A validity check is incorrect because it tests for the accuracy of codes such as state, tax rates, and vendor number. A security label check is incorrect because it tests for the specific designation assigned to a system resource such as a file, which cannot be changed except in emergency situations. A confidentiality test is incorrect because it ensures that data is disclosed only to authorized individuals.

86. In a distributed computing environment, replicated servers could have a negative impact on which of the following?

a. Fault-tolerant mechanisms

b. Availability

c. Scalability

d. Recoverability
