97. The security-planning document created in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following?

a. Security awareness and training plan

b. Contracting plans and processes

c. Rules of behavior

d. Risk assessment

97. b. The development and execution of necessary contracting plans and processes are a part of other planning components in the development/acquisition phase of an SDLC. The other three choices are part of the security-planning document.

98. The security accreditation decision does not exclusively depend on which of the following?

a. Verified effectiveness of security controls

b. Completed security plan

c. Security test and evaluation results

d. Plan of actions and milestones

98. c. The authorizing official in charge of the security accreditation process relies primarily on the completed security plan, the plan of action and milestones, and the verified effectiveness of security controls. The security test and evaluation results produced during the security control verification process inform the decision but are not relied on exclusively; the other three choices carry more weight because of their significance.

99. Which of the following must be done when there is a significant change addressed in the configuration management process?

1. System certification

2. System accreditation

3. System recertification

4. System reaccreditation

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

99. c. If there were a significant change addressed in the configuration management process, then the system must be recertified and reaccredited. System certification and system accreditation are done when a new system is installed and implemented, prior to any changes.

100. Configuration management change control and auditing take place in which of the following system development life cycle (SDLC) phases?

a. Initiation

b. Acquisition/development

c. Implementation

d. Operation/maintenance

100. d. Configuration management change control and auditing take place in the operation/maintenance phase of the SDLC. The phases in the other three choices are too early for this activity to take place.

101. Security impact analyses are performed in which of the following configuration management processes?

a. Baseline configuration

b. Configuration change control

c. Monitoring configuration changes

d. Configuration settings

101. c. An organization monitors changes to the information system and conducts security impact analyses to determine the effects of the changes. The other three choices are incorrect because they occur prior to the monitoring.

102. Application partitioning is achieved through which of the following?

1. User functionality is separated from information storage services.

2. User functionality is separated from information management services.

3. Both physical and logical separation techniques are employed.

4. Different computers and operating systems are used to accomplish separation.

a. 1 and 2

b. 3 only

c. 1, 2, and 3

d. 1, 2, 3, and 4

102. d. The information system physically or logically separates the user functionality (including user interface services) from information storage and management services (for example, database management). Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, or a combination of these methods.

103. Reconciliation routines in application systems are a part of which of the following?

a. Authorization controls

b. Integrity or validation controls

c. Access controls

d. Audit trail mechanisms

103. b. Integrity or validation controls, which are a part of technical controls, include reconciliation routines in application systems. Authorization and access controls, also technical controls, enable authorized individuals to access system resources. Audit trail mechanisms include transaction monitoring.
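To make the answer concrete, here is an added example (not from the book) of what a reconciliation routine in an application system actually does. It computes batch control totals (record count, amount total, and a hash total over account numbers) for a source batch and for the records the application posted, then reports any discrepancy, falling back to a record-by-record comparison because totals alone can agree by coincidence. The transaction layout, field names, and the sample batch are all constructed for this illustration.

```python
"""Batch reconciliation routine (added example; the record layout and
sample data are constructed, not taken from any real system)."""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str      # 10-digit numeric account identifier (assumed format)
    amount: Decimal   # Decimal avoids floating-point drift in money totals


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    amount_total: Decimal
    hash_total: int   # arithmetic sum of account numbers: meaningless as a
                      # value, but it changes if an account digit is altered


def control_totals(txns: Iterable[Txn]) -> ControlTotals:
    """Compute the classic batch control totals over a set of records."""
    count = 0
    amount = Decimal("0")
    hash_total = 0
    for t in txns:
        count += 1
        amount += t.amount
        hash_total += int(t.account)
    return ControlTotals(count, amount, hash_total)


def reconcile(source: list[Txn], posted: list[Txn]) -> list[str]:
    """Compare source and posted batches; an empty list means they reconcile."""
    findings: list[str] = []
    s, p = control_totals(source), control_totals(posted)
    if s.record_count != p.record_count:
        findings.append(f"record count mismatch: source={s.record_count} posted={p.record_count}")
    if s.amount_total != p.amount_total:
        findings.append(f"amount total mismatch: source={s.amount_total} posted={p.amount_total}")
    if s.hash_total != p.hash_total:
        findings.append(f"hash total mismatch: source={s.hash_total} posted={p.hash_total}")

    # Totals can agree by coincidence (two offsetting errors), so also
    # reconcile individual records keyed by transaction id.
    src = {t.txn_id: t for t in source}
    post = {t.txn_id: t for t in posted}
    for tid in sorted(src.keys() - post.keys()):
        findings.append(f"missing from posted: {tid}")
    for tid in sorted(post.keys() - src.keys()):
        findings.append(f"unexpected in posted: {tid}")
    for tid in sorted(src.keys() & post.keys()):
        if src[tid] != post[tid]:
            findings.append(f"altered record: {tid}")
    return findings


# Constructed sample batch used by the demo functions below.
SOURCE_BATCH = [
    Txn("T001", "1000000001", Decimal("250.00")),
    Txn("T002", "1000000002", Decimal("-75.50")),
    Txn("T003", "1000000003", Decimal("1200.00")),
]


def demo_clean() -> list[str]:
    """Everything posted exactly as submitted: no findings."""
    return reconcile(SOURCE_BATCH, list(SOURCE_BATCH))


def demo_dropped_record() -> list[str]:
    """One record lost in processing: all three totals and the id check fire."""
    return reconcile(SOURCE_BATCH, SOURCE_BATCH[:2])


def demo_altered_amount() -> list[str]:
    """Amount changed after submission: count and hash agree, amount does not."""
    posted = [SOURCE_BATCH[0], SOURCE_BATCH[1],
              Txn("T003", "1000000003", Decimal("2100.00"))]
    return reconcile(SOURCE_BATCH, posted)


if __name__ == "__main__":
    for name, fn in (("clean", demo_clean),
                     ("dropped", demo_dropped_record),
                     ("altered", demo_altered_amount)):
        print(name, fn() or "reconciled")
```

The routine reports rather than repairs: in practice a failed reconciliation suspends the batch and raises an exception for review, and the findings themselves are written to the audit trail, which is why the question distinguishes reconciliation (an integrity control) from the audit trail mechanism that records its outcome.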
