Avoiding unsafe conditions, or ensuring safe ones, is achieved by separating critical units from noncritical units, by keeping data coupling between critical units low, by fail-safe recovery from unsafe conditions when they occur, and by testing for unsafe conditions. Data coupling is the sharing or passing of simple data between system modules via parameter lists. Low data coupling is preferred at interfaces because it is less error prone, which helps ensure a safe product.

96. Developing a superior quality or safe software product requires special attention. Which of the following techniques to achieve superior quality are based on mathematical theory?

a. Multiversion software

b. Proof-of-correctness

c. Software fault tree analysis

d. Software reliability models

96. b. Proof-of-correctness (formal verification) uses theoretical and mathematical models to prove the correctness of a program without executing it. In this method the program is represented as a theorem, which is then proved using first-order predicate calculus.

The other three choices are not based on mathematical proof of the program's correctness. Multiversion software is incorrect because its goal is high reliability, which matters most in applications where a failure could cause loss of life or damage to property. The approach is to develop more than one version of the same program so that latent defects in any one version have a smaller effect on overall reliability.

Software fault tree analysis is incorrect because it is a technique for identifying and analyzing software safety requirements: it determines the possible causes of known hazards by building a fault tree whose root is the hazard. The tree is expanded until its lowest level consists of basic events that cannot be analyzed further.

Software reliability models are incorrect because they predict the future behavior of a software product from its past behavior, usually in terms of failure rates.
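As an added illustration (not part of the original text) of what it means to represent a program as a theorem, here is a proof of correctness for a two-line program that stores the larger of two integers $x$ and $y$ in $m$, carried out with Hoare-logic rules over first-order predicates:

$$\{\,\mathit{true}\,\}\ \ \mathbf{if}\ x \ge y\ \mathbf{then}\ m := x\ \mathbf{else}\ m := y\ \ \{\,m \ge x \wedge m \ge y \wedge (m = x \vee m = y)\,\}$$

Let $Q$ denote the postcondition. The rule for conditionals reduces the theorem to two triples, one per branch:

$$\{\mathit{true} \wedge x \ge y\}\ m := x\ \{Q\} \qquad\qquad \{\mathit{true} \wedge \neg(x \ge y)\}\ m := y\ \{Q\}$$

By the assignment axiom, the weakest precondition of $m := x$ with respect to $Q$ is $Q$ with $x$ substituted for $m$:

$$Q[x/m] \equiv x \ge x \wedge x \ge y \wedge (x = x \vee x = y) \equiv x \ge y,$$

and $\mathit{true} \wedge x \ge y \Rightarrow x \ge y$ is a first-order tautology. Symmetrically, for the else branch

$$Q[y/m] \equiv y \ge x \wedge y \ge y \wedge (y = x \vee y = y) \equiv y \ge x,$$

and $\neg(x \ge y) \Rightarrow y \ge x$ holds because $\ge$ is a total order on the integers. Both implications discharge by the rule of consequence, so each branch establishes $Q$, and the program is proved correct without ever being executed.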

97. Predictable failure prevention means protecting an information system from harm by considering which of the following?

a. Mean-time-to-repair (MTTR)

b. Mean-time-to-failure (MTTF)

c. Mean-time between failures (MTBF)

d. Mean-time between outages (MTBO)

97. b. MTTF addresses the potential failure of the specific components of the information system that provide its security capability: knowing the mean time until a component's next failure lets the organization replace it, or switch to a standby component, before that failure is expected. MTTR is the mean time needed to restore normal operation after a failure. MTBF is the average time between successive failures; for a repairable system it equals MTTF plus MTTR. MTBO is the mean time between equipment failures that result in a loss of system continuity or unacceptable degradation.
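The following is an added example, not part of the original text, showing how the four metrics relate when derived from an outage record and how MTTF feeds a replacement decision. The outage log, the 1000-hour observation window and the 0.8 replacement margin are all constructed assumptions for illustration.

```python
"""Reliability metrics for predictable failure prevention.

Added example, not part of the original text. The outage log below is
constructed: each entry is (failure_time, restored_time) in operating hours,
measured from when the component was placed in service at t = 0.
"""
from dataclasses import dataclass

# Constructed outage log for one security component (say, a firewall appliance)
# observed over a 1000-hour window; the component was up when the window closed.
OUTAGES = [
    (120.0, 122.0),  # failed at hour 120, restored at hour 122
    (410.0, 411.0),
    (655.0, 659.0),
    (900.0, 901.0),
]
OBSERVATION_END = 1000.0


@dataclass(frozen=True)
class ReliabilityMetrics:
    mttf: float          # mean operating time before a failure
    mttr: float          # mean time to restore service after a failure
    mtbf: float          # mean failure-to-failure interval; MTTF + MTTR for a repairable unit
    availability: float  # fraction of the window during which the unit was up


def compute_metrics(outages, observation_end):
    """Derive MTTF, MTTR, MTBF and availability from (failed, restored) pairs."""
    if not outages:
        raise ValueError("at least one outage is required")
    outages = sorted(outages)
    uptimes, repairs = [], []
    last_restored = 0.0
    for failed, restored in outages:
        if not (last_restored <= failed <= restored <= observation_end):
            raise ValueError(f"inconsistent outage interval {(failed, restored)}")
        uptimes.append(failed - last_restored)  # operating time before this failure
        repairs.append(restored - failed)       # downtime for this outage
        last_restored = restored
    mttf = sum(uptimes) / len(uptimes)
    mttr = sum(repairs) / len(repairs)
    mtbf = mttf + mttr
    availability = (observation_end - sum(repairs)) / observation_end
    return ReliabilityMetrics(mttf, mttr, mtbf, availability)


def replacement_due(age_hours, metrics, margin=0.8):
    """Predictable failure prevention: flag a component for replacement (or a
    swap to its standby) once its operating time since the last restoration
    reaches a margin of the observed MTTF, instead of waiting for it to fail.
    The 0.8 margin is an assumed policy value, not a standard."""
    return age_hours >= margin * metrics.mttf


if __name__ == "__main__":
    m = compute_metrics(OUTAGES, OBSERVATION_END)
    print(f"MTTF={m.mttf:.2f}h MTTR={m.mttr:.2f}h MTBF={m.mtbf:.2f}h "
          f"availability={m.availability:.4f}")
    print("replace a unit that has run 200 h since last repair?",
          replacement_due(200.0, m))
```

With the constructed log the component averages about 223 hours of operation before each failure and 2 hours of repair, so MTBF is about 225 hours and availability about 99.2 percent; a unit that has run 200 hours since its last restoration is already past the 80 percent margin and would be scheduled for replacement.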

98. Regarding software installation, “All software is checked against a list approved by the organization” refers to which of the following?

a. Blacklisting

b. Black-box testing

c. White-box testing

d. Whitelisting

98. d. Whitelisting (allowlisting) controls software installation by checking every piece of software against a list approved by the organization. It is a quality control check and part of software configuration management. Blacklisting is the opposite approach, blocking only items on a list of known-bad entries; an example is a list of e-mail senders who have previously sent spam to a user. Black-box testing is a functional analysis of a system, whereas white-box testing is a structural analysis of its internals.
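The following is an added example, not part of the original text, contrasting a content-hash allowlist with a name-based blacklist. All package contents, file names and the approved list are constructed in memory so that it runs offline; in practice the approved digests would come from the organization's configuration management records.

```python
"""Software installation allowlisting by content hash.

Added example, not part of the original text. The approved packages, the
candidate files and the block list are all constructed in memory.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: dict[str, bytes]) -> dict[str, str]:
    """Map content digest -> approved package name. The digest is recorded when
    the package is vetted; the file name is informational only."""
    return {sha256_hex(content): name for name, content in approved.items()}


def allowlist_check(filename: str, content: bytes, allowlist: dict[str, str]) -> tuple[bool, str]:
    """Whitelisting: permit only software whose digest is on the approved list."""
    digest = sha256_hex(content)
    name = allowlist.get(digest)
    if name is None:
        return False, f"{filename}: sha256 {digest[:16]}... is not on the approved list"
    return True, f"{filename}: matches approved package {name}"


def blacklist_check(filename: str, blocked_names: set[str]) -> tuple[bool, str]:
    """Blacklisting by file name, shown for contrast: it stops only what it already knows."""
    if filename.lower() in blocked_names:
        return False, f"{filename}: name is on the block list"
    return True, f"{filename}: name is not on the block list"


# Constructed sample data
APPROVED_PACKAGES = {
    "acme-agent-2.4.1.msi": b"ACME-AGENT-2.4.1-INSTALLER",
    "vpn-client-9.0.msi": b"VPN-CLIENT-9.0-INSTALLER",
}
ALLOWLIST = build_allowlist(APPROVED_PACKAGES)
BLOCKED_NAMES = {"cryptominer.exe"}

CANDIDATES = [
    ("acme-agent-2.4.1.msi", b"ACME-AGENT-2.4.1-INSTALLER"),            # genuine approved package
    ("acme-agent-2.4.1.msi", b"ACME-AGENT-2.4.1-INSTALLER-TROJANIZED"), # same name, altered content
    ("cryptominer.exe", b"MINER-PAYLOAD"),                               # known-bad name
    ("update.exe", b"MINER-PAYLOAD"),                                    # same payload, renamed
]


def evaluate_candidates(candidates=CANDIDATES):
    """Return [(filename, allowed_by_allowlist, allowed_by_blacklist), ...]."""
    results = []
    for filename, content in candidates:
        allowed, _ = allowlist_check(filename, content, ALLOWLIST)
        not_blocked, _ = blacklist_check(filename, BLOCKED_NAMES)
        results.append((filename, allowed, not_blocked))
    return results


if __name__ == "__main__":
    for filename, content in CANDIDATES:
        print(allowlist_check(filename, content, ALLOWLIST)[1])
        print("   blacklist view:", blacklist_check(filename, BLOCKED_NAMES)[1])
```

The two failure modes of the blacklist are visible in the output: the trojanized installer keeps its approved name and sails through, and the known-bad binary only has to be renamed to pass. The allowlist rejects both because it judges content, not names, and admits only what the organization has vetted.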

99. Which of the following is not an example of a defect prevention method in software development and maintenance processes?

a. Documented standards

b. CleanRoom processes

c. Formal technical reviews

d. Documentation standards

99. c. Formal technical reviews (for example, inspections and walkthroughs) are defect detection methods, not defect prevention methods. Properly conducted, formal technical reviews are the most effective way to uncover and correct errors, especially early in the life cycle, when errors are relatively easy and inexpensive to correct.

Documented standards are incorrect because they are an example of a defect prevention method. Documented standards should be succinct and, where possible, put into checklist form as a ready reference during application. A documented standard also permits audits of adherence to and compliance with the approved method.
