12 Cards in this Set

  • Front
  • Back

IATF document 3.1 lists the following types of attacks

Passive


Active


Close-in


Insider


Distribution

Which one of the following is not one of the five system life cycle planning phases as defined in NIST SP 800-14?


1. Initiation phase
2. Requirements phase
3. Implementation phase
4. Disposal phase

2. Requirements phase



IDIOD

What are the Acquisition Cycle phases as given in NIST SP 800-64, "Security Considerations in the Information System Development Life Cycle"?

Mission and business planning, acquisition planning, contract performance, disposal and contract closeout

The IATF document 3.1 stresses that information assurance relies on three critical components. Which one of the following answers correctly lists these components?

People, operations, technology



POT

Risk management, as defined in NIST SP 800-30, comprises which three processes?

Risk assessment, risk mitigation, and evaluation and assessment

In the system development life cycle (SDLC), or system life cycle as it is sometimes called, in which one of the five phases are the system security features configured, enabled, tested, and verified?

1. Operation/maintenance
2. Development/acquisition
3. Implementation
4. Initiation

Implementation

Which one of the following activities is performed in the Development/Acquisition phase of the SDLC?


a. The scope of the IT system is documented.
b. The IT system is developed, programmed, or otherwise constructed.
c. The system performs its function.
d. Information, hardware, or software is disposed of.

Answer: b


Answer a refers to the Initiation phase, answer c refers to the Operation/Maintenance phase, and answer d refers to the Disposal phase.

In NIST SP 800-30, risk is defined as a function of which set of the following items?


a. Threat likelihood, vulnerabilities, and impact
b. Threat likelihood, mission, and impact
c. Vulnerabilities, mission, and impact
d. Threat likelihood, sensitivity, and impact

Answer: a


Answers b, c, and d are distracters.

The risk assessment methodology described in NIST SP 800-30 comprises nine primary steps. Which one of the following is not one of these steps?

a. System characterization
b. Control analysis
c. Impact analysis
d. Accreditation boundaries

Answer: d


Delineating accreditation boundaries is a subset of system characterization (answer a).

Which one of the following items is not one of the activities of the generic systems engineering (SE) process?

a. Discover needs
b. Define system requirements
c. Obtain accreditation
d. Assess effectiveness

Answer: c


Obtaining accreditation is not one of the SE process activities. The other SE process activities are to design system architecture, develop detailed design, and implement system.

The elements Discover information protection needs, Develop detailed security design, and Assess information protection effectiveness are part of what process?


1. The systems engineering (SE) process
2. The information systems security engineering process (ISSE)
3. The system development life cycle (SDLC)
4. The risk management process

The information systems security engineering process (ISSE)

In the ISSE process, information domains are defined under the Discover Information Protection Needs process. Which one of the following tasks is not associated with the information domain?

1. Identify the members of the domain.
2. List the information entities that are under control in the domain.
3. Identify the applicable privileges, roles, rules, and responsibilities of the users in the domain.
4. Map security mechanisms to security design elements in the domain.

Map security mechanisms to security design elements in the domain.



This task is performed under the Develop Detailed Security Design activity.