208. a. It is during the system requirements definition phase that the project team identifies the controls required for the system. The identified controls are then incorporated into the system during the design phase. When there is a choice between the system requirements definition phase and the design phase, the auditor would benefit most by participating in the former. The analyst does not need to participate in the program development or testing phase.

209. What is a malicious unauthorized act that is triggered upon initiation of a predefined event or condition and resides within a computer program known as?

a. Logic bomb

b. Computer virus

c. Worm

d. NAK attack

209. a. A time bomb is a part of a logic bomb. A time bomb is a Trojan horse set to trigger at a particular time, whereas the logic bomb is set to trigger at a particular condition, event, or command. The logic bomb could be a computer program or a code fragment.

Computer virus is incorrect because it “reproduces” by making copies of itself and inserting them into other programs. Worm is incorrect because it searches the network for idle computing resources and uses them to execute the program in small segments. NAK (negative acknowledgment character) attack is incorrect because it is a penetration technique capitalizing on a potential weakness in an operating system that does not handle asynchronous interrupts properly, thus leaving the system in an unprotected state during such interrupts. NAK uses binary synchronous communications, where a transmission control character is sent as a negative response to data received. Here, a negative response means that data was not received correctly or that a command was incorrect or unacceptable.

210. What is the name of the malicious act of a computer program looking normal but containing harmful code?

a. Trapdoor

b. Trojan horse

c. Worm

d. Time bomb

210. b. A Trojan horse fits the description. It is a program that performs a useful function but also carries out an unexpected action; it is considered a form of virus.

Trapdoor is incorrect because it is an entry point built into a program by programmers for debugging purposes. Worm is incorrect because it searches the network for idle computing resources and uses them to execute a program in small segments. Time bomb is incorrect because it is a part of a logic bomb, where a damaging act triggers some period of time after the bomb is set.

211. In the software capability maturity model, continuous process improvement takes place in which of the following levels?

a. Managed level

b. Optimizing level

c. Defined level

d. Repeatable level

211. b. Continuous process improvements are expected at the optimizing level of the software capability maturity model. They are enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

212. Which of the following tests identifies vulnerabilities in application systems?

a. Functional test

b. Performance test

c. Stress test

d. Security test

212. d. The purpose of security testing is to assess the robustness of the system’s security capabilities (for example, physical facilities, procedures, hardware, software, and communications) and to identify security vulnerabilities. All the tests listed in the question are part of system acceptance tests where the purpose is to verify that the complete system satisfies specified requirements and is acceptable to end users.

Functional test is incorrect because the purpose of functional or black-box testing is to verify that the system correctly performs specified functions. Performance test is incorrect because the purpose of performance testing is to assess how well a system meets specified performance requirements. Examples include specified system response times under normal workloads (for example, defined transaction volumes) and specified levels of system availability and mean-times-to-repair. Stress test is incorrect because the purpose of stress testing is to analyze system behavior under increasingly heavy workloads (for example, higher transaction rates), severe operating conditions (for example, higher error rates, lower component availability rates), and, in particular, to identify points of system failure.

213. When does a major risk in application software prototyping occur?

a. The prototype becomes the finished system.

b. Users’ expectations are inflated.
