CleanRoom processes are incorrect because they are just one example of defect prevention methods. The CleanRoom process consists of (i) defining a set of software increments that combine to form the required system, (ii) using rigorous methods for specification, development, and certification of each increment, (iii) applying strict statistical quality control during the testing process, and (iv) enforcing a strict separation of the specification and design tasks from testing activities.

Documentation standards are incorrect because they are just one example of defect prevention methods. Standard methods can be applied to the development of requirements and design documents.

100. The scope of formal technical reviews conducted for software defect removal would not include:

a. Configuration management specification

b. Requirements specification

c. Design specification

d. Test specification

100. a. The formal technical review is a software quality assurance activity performed by software developers. The objectives of these reviews are to (i) uncover errors in function and logic, (ii) verify that the software under review meets its requirements, and (iii) ensure that the software conforms to the predefined standards. Configuration management specifications are part of the project planning documents, not the technical documents. Their purpose is to establish the processes the project uses to manage configuration items and changes to them. Program development, quality, and configuration management plans are subject to review but are not directly germane to the subject of defect removal.

The other three choices are incorrect because they are part of the technical documents. The subject matter for formal technical reviews includes requirements specifications, detailed design, code, and test specifications. The objectives of reviewing the technical documents are to verify that (i) the work reviewed is traceable to the requirements set forth by the predecessor tasks, (ii) the work is complete, (iii) the work has been completed to standards, and (iv) the work is correct.

101. Patch management is a part of which of the following?

a. Directive controls

b. Preventive controls

c. Detective controls

d. Corrective controls

101. d. Patch management is a part of corrective controls, as it fixes software problems and errors. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.

Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Preventive controls deter security incidents from happening in the first place. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented.

102. Locking-based attacks result in which of the following?

1. Denial-of-service

2. Degradation-of-service

3. Destruction-of-service

4. Distribution-of-service

a. 1 and 2

b. 1 and 3

c. 2 and 3

d. 3 and 4

102. a. A locking-based attack holds a critical system resource locked most of the time, releasing it only briefly and occasionally. The result is a slow-running browser that is not stopped outright: degradation-of-service. Degradation-of-service is a mild form of denial-of-service. Destruction-of-service and distribution-of-service are not relevant here.

103. Which of the following protects the information confidentiality against a robust keyboard attack?

a. Disposal

b. Clearing

c. Purging

d. Destroying

103. b. A keyboard attack is a data scavenging method using resources available to normal system users with the help of advanced software diagnostic tools. Clearing information is the level of media sanitization that protects the confidentiality of information against a robust keyboard attack. Clearing must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools.

The other three choices are incorrect. Disposal is the act of discarding media by giving up control in a manner short of destruction. Purging is removing obsolete data by erasure, by overwriting of storage, or by resetting registers. Destroying is ensuring that media cannot be reused as originally intended.

104. Which of the following is the correct sequence of activities involved in media sanitization?

1. Assess the risk to confidentiality.

2. Determine the future plans for the media.
