a. Reverse-engineer computer software with intent to launch commercially with similar design.
b. Reverse-engineer the design of computer chips for duplication.
c. Reverse-engineer a computer program to see how it works and what it does.
d. Reverse-engineer the basic input/output system of a personal computer for duplication.
100. c. Reverse engineering is the process of analyzing a subject system to identify the system’s components and their interrelationships and create representations of the system in another form or at a higher level of abstraction. Some shrink-wrap agreements contain an express prohibition on reverse engineering, decompilation, or disassembly. The correct answer does not hurt the software copyright owner, and it is legal. The other three choices are based on bad intentions on the part of the user and hence can be illegal.
101. When the requirements of the ISO’s Information Security Management Systems (ISO/IEC 27001) framework are applied to any computing environment, “measure and improve controls” belong to which of the following PDCA cycle steps?
a. Plan
b. Do
c. Check
d. Act
101. c. According to the International Organization for Standardization (ISO), the Plan-Do-Check-Act (PDCA) cycle is the operating principle of ISO’s management system standards. The step “check” measures the results. Specifically, it measures and monitors how far the actual achievements meet the planned objectives.
The step “plan” establishes objectives and develops plans. Specifically, it analyzes an organization’s situation, establishes the overall objectives, sets interim targets, and develops plans to achieve them. The step “do” implements the plans. The step “act” corrects and improves the plans by putting them into practice. Specifically, it makes one learn from mistakes in order to improve and achieve better results next time.
102. Regarding Common Criteria (CC), which of the following alone is not sufficient for use in common evaluation methodology?
1. Repeatability
2. Objectivity
3. Judgment
4. Knowledge
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
102. c. Use of a common evaluation methodology contributes to the repeatability and objectivity of the results, but it is not by itself sufficient. Many of the evaluation criteria require the application of expert judgment and background knowledge, for which consistency is more difficult to achieve.
103. Regarding Common Criteria (CC), precise and universal rating for IT security products is infeasible due to which of the following?
1. Reducing risks
2. Protecting assets
3. Objective elements
4. Subjective elements
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
103. d. Evaluation should lead to objective and repeatable results that can be cited as evidence, even if there is no totally objective scale for representing the results of a security evaluation. As the application of criteria contains objective and subjective elements, precise and universal ratings for IT security are infeasible. Reducing risks and protecting assets are the outcomes of a target of evaluation (TOE).
104. Regarding Common Criteria (CC), how should a Security Target (ST) be used?
1. Before evaluation
2. After evaluation
3. Detailed specification
4. Complete specification
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
104. c. A typical security target (ST) fulfills two roles: one before and during the evaluation, and one after the evaluation. Two roles that an ST should not fulfill are a detailed specification and a complete specification.
105. For Common Criteria (CC), how should a Protection Profile (PP) be used?
1. Specification of a single product
2. Complete specification
3. Requirements specification
4. Baseline
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
105. d. A protection profile (PP) is typically used as part of a requirements specification, as part of a regulation from a specific regulatory entity, or as a baseline defined by a group of IT developers. Three roles that a PP should not fulfill are a detailed specification, a complete specification, and a specification of a single product.
106. Regarding Common Criteria (CC), the outcome of a target of evaluation (TOE) leads to which of the following?
1. Objective results