You are the project manager of the GHY project for your organization. You are about to start the
qualitative risk analysis process for the project and you need to determine the roles and
responsibilities for conducting risk management. Where can you find this information?
C
Explanation:
The risk management plan defines the roles and responsibilities for conducting risk management.
A Risk management plan is a document arranged by a project manager to estimate the effectiveness,
predict risks, and build response plans
to mitigate them. It also consists of the risk assessment matrix.
Risks are built in with any project, and project managers evaluate risks repeatedly and build plans to
address them. The risk management
plan consists of analysis of possible risks with both high and low impacts, and the mitigation
strategies to facilitate the project and avoid
being derailed through which the common problems arise. Risk management plans should be timely
reviewed by the project team in order to
avoid having the analysis become stale and not reflective of actual potential project risks. Most
critically, risk management plans include a risk
strategy for project execution.
Answer A is incorrect. The risk register does not define the risk management roles and
responsibilities.
Answer D is incorrect. Enterprise environmental factors may define the roles that risk management
officials or departments play in the
project, but the best answer for all projects is the risk management plan.
Answer B is incorrect. The staffing management plan does not define the risk management roles and
responsibilities.
Who amongst the following makes the final accreditation decision?
C
Explanation:
The DAA, also known as Authorizing Official, makes the final accreditation decision. The Designated
Approving Authority (DAA), in the United
States Department of Defense, is the official with the authority to formally assume responsibility for
operating a system at an acceptable level
of risk. The DAA is responsible for implementing system security. The DAA can grant the accreditation
and can determine that the system's
risks are not at an acceptable level and the system is not ready to be operational.
Answer D is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The
responsibilities of an Information
System Security Officer (ISSO) are as follows:
Manages the security of the information system that is slated for Certification & Accreditation (C&A).
Insures the information systems configuration with the agency's information security policy.
Supports the information system owner/information owner for the completion of security-related
responsibilities.
Takes part in the formal configuration management process.
Prepares Certification & Accreditation (C&A) packages.
Answer A is incorrect. An Information System Security Engineer (ISSE) plays the role of an advisor.
The responsibilities of an
Information System Security Engineer are as follows:
Provides view on the continuous monitoring of the information system.
Provides advice on the impacts of system changes.
Takes part in the configuration management process.
Takes part in the development activities that are required to implement system changes.
Follows approved system changes.
Answer B is incorrect. A Chief Risk Officer (CRO) is also known as Chief Risk Management Officer
(CRMO). The Chief Risk Officer or Chief
Risk Management Officer of a corporation is the executive accountable for enabling the efficient and
effective governance of significant risks,
and related opportunities, to a business and its various segments. Risks are commonly categorized as
strategic, reputational, operational,
financial, or compliance-related. CRO's are accountable to the Executive Committee and The Board
for enabling the business to balance risk
and reward. In more complex organizations, they are generally responsible for coordinating the
organization's Enterprise Risk Management
(ERM) approach.
Which of the following statements about a host-based intrusion prevention system (HIPS) are true?
Each correct answer represents a complete solution. Choose two.
C D
Explanation:
A host-based intrusion prevention system (HIPS) is an application usually employed on a single
computer. It complements traditional finger-
print-based and heuristic antivirus detection methods, since it does not need continuous updates to
stay ahead of new malware. When a
malicious code needs to modify the system or other software residing on the machine, a HIPS system
will notice some of the resulting changes
and prevent the action by default or notify the user for permission. It can handle encrypted and
unencrypted traffic equally and cannot detect
events scattered over the network.
Answer B is incorrect. Network address translation (NAT) is a technique that allows multiple
computers to share one or more IP
addresses. NAT is configured at the server between a private network and the Internet. It allows the
computers in a private network to share
a global, ISP assigned address. NAT modifies the headers of packets traversing the server. For packets
outbound to the Internet, it translates
the source addresses from private to public, whereas for packets inbound from the Internet, it
translates the destination addresses from
public to private.
Answer A is incorrect. Network intrusion prevention system (NIPS) is a hardware/software platform
that is designed to analyze, detect,
and report on security related events. NIPS is designed to inspect traffic and based on its
configuration or security policy, it can drop malicious
traffic. NIPS is able to detect events scattered over the network and can react.
In which of the following deployment models of cloud is the cloud infrastructure administered by the
organizations or a third party? Each correct answer represents a complete solution. Choose two.
A D
Explanation:
In private cloud, the cloud infrastructure is operated exclusively for an organization. The private
cloud infrastructure is administered by the
organization or a third party, and exists on premise and off premise.
In community cloud, the cloud infrastructure is shared by a number of organizations and supports a
particular community. The community cloud
infrastructure is administered by the organizations or a third party and exists on premise or off
premise.
Answer B is incorrect. In public cloud, the cloud infrastructure is administered by an organization that
sells cloud services.
Answer C is incorrect. In hybrid cloud, the cloud infrastructure is administered by both, i.e., an
organization and a third party.
DRAG DROP
Drag and drop the various SSE-CMM levels at the appropriate places.
Explanation: The various SSE-CMM levels are described in the table below:
Which of the following disaster recovery tests includes the operations that shut down at the primary
site, and are shifted to the recovery site according to the disaster recovery plan?
B
Explanation:
A full-interruption test includes the operations that shut down at the primary site and are shifted to
the recovery site according to the disaster
recovery plan. It operates just like a parallel test. The full-interruption test is very expensive and
difficult to arrange. Sometimes, it causes a
major disruption of operations if the test fails.
Answer A is incorrect. The structured walk-through test is also known as the table-top exercise. In
structured walk-through test, the
team members walkthrough the plan to identify and correct weaknesses and how they will respond
to the emergency scenarios by stepping
in the course of the plan. It is the most effective and competent way to identify the areas of overlap
in the plan before conducting more
challenging training exercises.
Answer C is incorrect. A parallel test includes the next level in the testing procedure, and relocates
the employees to an alternate
recovery site and implements site activation procedures. These employees present with their
disaster recovery responsibilities as they would
for an actual disaster. The disaster recovery sites have full responsibilities to conduct the day-to-day
organization's business.
Answer D is incorrect. A simulation test is a method used to test the disaster recovery plans. It
operates just like a structured walk-
through test. In the simulation test, the members of a disaster recovery team present with a disaster
scenario and then, discuss on
appropriate responses. These suggested responses are measured and some of them are taken by the
team. The range of the simulation test
should be defined carefully for avoiding excessive disruption of normal business activities.
The NIST ITL Cloud Research Team defines some primary and secondary technologies as the
fundamental elements of cloud computing in its "Effectively and Securely Using the Cloud Computing
Paradigm" presentation. Which of the following technologies are included in the primary
technologies?
Each correct answer represents a complete solution. Choose all that apply.
A. Web application framework
B. Free and open source software
C. SOA
D. Virtualization
D, C, B
Explanation:
The primary technologies defined by the NIST ITL Cloud Research Team in its "Effectively and
Securely Using the Cloud Computing Paradigm"
presentation are as follows:
Virtualization
Grid technology
SOA (Service Oriented Architecture)
Distributed computing
Broadband network
Browser as a platform
Free and open source software
Answer A is incorrect. It is defined as the secondary technology.
Which of the following components of configuration management involves periodic checks to
determine the consistency and completeness of accounting information and to verify that all
configuration management policies are being followed?
A. Configuration Identification
B. Configuration Auditing
C. Configuration Control
D. Configuration Status Accounting
B
Explanation:
Configuration auditing is a component of configuration management, which involves periodic checks
to establish the consistency and
completeness of accounting information and to confirm that all configuration management policies
are being followed. Configuration audits are
broken into functional and physical configuration audits. They occur either at delivery or at the
moment of effecting the change. A functional
configuration audit ensures that functional and performance attributes of a configuration item are
achieved, while a physical configuration
audit ensures that a configuration item is installed in accordance with the requirements of its
detailed design documentation.
Answer D is incorrect. The configuration status accounting procedure is the ability to record and
report on the configuration baselines
associated with each configuration item at any moment of time. It supports the functional and
physical attributes of software at various points
in time, and performs systematic control of accounting to the identified attributes for the purpose of
maintaining software integrity and
traceability throughout the software development life cycle.
Answer C is incorrect. Configuration control is a procedure of the Configuration management.
Configuration control is a set of
processes and approval stages required to change a configuration item's attributes and to re-baseline
them. It supports the change of the
functional and physical attributes of software at various points in time, and performs systematic
control of changes to the identified attributes.
Answer A is incorrect. Configuration identification is the process of identifying the attributes that
define every aspect of a configuration
item. A configuration item is a product (hardware and/or software) that has an end-user purpose.
These attributes are recorded in
configuration documentation and baselined. Baselining an attribute forces formal configuration
change control processes to be effected in the
event that these attributes are changed.
A service provider guarantees for end-to-end network traffic performance to a customer. Which of
the following types of agreement is this?
A
Explanation:
This is a type of service-level agreement.
A service-level agreement (SLA) is a negotiated agreement between two parties where one is the
customer and the other is the service
provider. It records a common understanding about services, priorities, responsibilities, guarantees,
and warranties. Each area of service
scope should have the 'level of service' defined. The SLA may specify the levels of availability,
serviceability, performance, operation, or other
attributes of the service, such as billing.
Answer C is incorrect. Non-disclosure agreements (NDAs) are often used to protect the
confidentiality of an invention as it is being
evaluated by potential licensees.
Answer D is incorrect. License agreements (LA) describe the rights and responsibilities of a party
related to the use and exploitation of
intellectual property.
Answer B is incorrect. There is no such type of agreement as VPN.
Which of the following is a formula, practice, process, design, instrument, pattern, or compilation of
information which is not generally known, but by which a business can obtain an economic
advantage over its competitors?
C
Explanation:
A trade secret is a formula, practice, process, design, instrument, pattern, or compilation of
information which is not generally known. It helps
a business to obtain an economic advantage over its competitors or customers. In some jurisdictions,
such secrets are referred to as
confidential information or classified information.
Answer A is incorrect. A copyright is a form of intellectual property, which secures to its holder the
exclusive right to produce copies of
his or her works of original expression, such as a literary work, movie, musical work or sound
recording, painting, photograph, computer
program, or industrial design, for a defined, yet extendable, period of time. It does not cover ideas or
facts. Copyright laws protect intellectual
property from misuse by other individuals.
Answer B is incorrect. A utility model is an intellectual property right to protect inventions.
Answer D is incorrect. A cookie is a small bit of text that accompanies requests and pages as they
move between Web servers and
browsers. It contains information that is read by a Web application, whenever a user visits a site.
Cookies are stored in the memory or hard
disk of client computers. A Web site stores information, such as user preferences and settings in a
cookie. This information helps in providing
customized services to users. There is absolutely no way a Web server can access any private
information about a user or his computer
through cookies, unless a user provides the information. A Web server cannot access cookies created
by other Web servers.
According to the NIST SAMATE, dynamic analysis tools operate by generating runtime vulnerability
scenario using some functions. Which of the following are functions that are used by the dynamic
analysis tools and are summarized in the NIST SAMATE? Each correct answer represents a complete
solution. Choose all that apply.
C, D, A
Explanation:
According to the NIST SAMATE, dynamic analysis tools operate by generating runtime vulnerability
scenario using the following functions:
Resource fault injection
Network fault injection
System fault injection
User interface fault injection
Design attack
Implementation attack
File corruption
Answer B is incorrect. This function is summarized for static analysis tools.
Which of the following are examples of passive attacks?
Each correct answer represents a complete solution. Choose all that apply.
C, A, D
Explanation:
In eavesdropping, dumpster diving, and shoulder surfing, the attacker violates the confidentiality of
a system without affecting its state.
Hence, they are considered passive attacks.
Which of the following is an attack with IP fragments that cannot be reassembled?
A. Password guessing attack
B. Teardrop attack
C. Dictionary attack
D. Smurf attack
B
Explanation:
Teardrop is an attack with IP fragments that cannot be reassembled. In this attack, corrupt packets
are sent to the victim's computer by using
IP's packet fragmentation algorithm. As a result of this attack, the victim's computer might hang.
Answer D is incorrect. Smurf is an ICMP attack that involves spoofing and flooding.
Answer C is incorrect. Dictionary attack is a type of password guessing attack. This type of attack uses
a dictionary of common words to
find out the password of a user. It can also use common words in either upper or lower case to find a
password. There are many programs
available on the Internet to automate and execute dictionary attacks.
Answer A is incorrect. A password guessing attack occurs when an unauthorized user tries to log on
repeatedly to a computer or
network by guessing usernames and passwords. Many password guessing programs that attempt to
break passwords are available on the
Internet. Following are the types of password guessing attacks:
Brute force attack
Dictionary attack
In which type of access control do user ID and password system come under?
B
Explanation:
Technical access controls include IDS systems, encryption, network segmentation, and antivirus
controls.
Answer D is incorrect. The policies and procedures implemented by an organization come under
administrative access controls.
Answer A is incorrect. Security guards, locks on the gates, and alarms come under physical access
controls.
Answer C is incorrect. There is no such type of access control as power control.
Which of the following can be used to accomplish authentication?
Each correct answer represents a complete solution. Choose all that apply.
D, B, C
Explanation:
The following can be used to accomplish authentication:
1.Password
2.Biometrics
3.Token
A password is a secret word or string of characters that is used for authentication, to prove identity,
or gain access to a resource.