CISSP-ISSEP Practice Test

When should the System Design Review (SDR) take place?

At the end of the architecture phase
At the end of the design phase
At the end of the certification phase
At the end of the testing phase

Who provides and independent assessment of the security plan?

Security Officer
Security Manager
Program Manager
Certification Agent

Which of the following describes the Discover Information Protection needs phase?

Define the system in terms of what security is needed.
Define the security functions needed to meet the specific security requirements.
Design the security functions and features of the system.
Document the security functions and features of the system.

Which is not a class of attack according to the IATF?

Passive
Insider
Disribution
Social

_____ defines the hardware, software, and interfaces used to develop a system.

Technical requirements
Functional diagram
System baseline
System architecture

Which of the following identifies the different function a system will need to perform in order to meet the documented business need?

Functional requirements
Testing requirements
Test scenerio
Functional scenerio

Which IATF system engineering follows "Discover Needs"?

Define System Requirements
Design System Architecture
Develop Detailed Design
Implement System

A collection of information objects that share the same security policy for access is

Information domain
User domain
Information profile
User profile

What is the correct order of the six IATF systems engineering activities?

1) Discover Needs 2) Define System Requirements 3) Design System Architecture 4) Develop Detailed Design 5) Assess Effectiveness 6) Implement System
1) Discover Needs 2) Define System Requirements 3) Develop Detailed Design 4) Design System Architecture 5) Implement System 6) Assess Effectiveness
1) Define System Requirements 2) Discover Needs 3) Design System Architecture 4) Develop Detailed Design 5) Implement System 6) Assess Effectiveness
1) Discover Needs 2) Define System Requirements 3) Design System Architecture 4) Develop Detailed Design 5) Implement System 6) Assess Effectiveness

Information Systems Security Engineering (ISSE) is best defined as:

A set of processes that ensures a risk-based approach is used to determine adequate, cost-effective security for the system
A set of processes used during all phases of a system's life cycle to meet the systems information protection needs.
A set of processes to ensure the system configuration provides adequate protection profiles
A set of processes that provide system engineers with quality information security controls.

Risk assessment begins in which IATF phase?

Assess Effectiveness
Define System Security Requirements
Design System Security Architecture
Discover Information Protection Needs

What aspects are taken into account when defining a Mission Assurance Category (MAC)

availability and integrity
confidentiality and integrity
confidentiality and availabiltiy
sensitivity and importance

What ISSE phase defines the security needed for a system?

Discover Information Protection Needs
Define System Security Requirements
Design System Security Architecture
Develop Detailed Security Design

Which philosophy is established by NSTISSI 7003 Protected Distribution Systems (PDS)?

Prevent penetration
Detect penetration
Penetration response
Penetration mitigation

DOD Information Systems should only be interconnected under the following circumstances

Demonstrable operational requirements
Compelling operational requirements
Approved authorization of interconnected systems
Approved certification of interconnected systems

What is the level of impact if the information label is Moderate

No adverse impact on the organization
Limited adverse impact on the organization
Serious adverse impact on the organization
Severe adverse impact on the organization

How does FIPS 199 define LOW impact items?

Low
Minor
Limited
Moderate

What IATF phase includes creating the Information Management Model (IMM)?

Implement System Security
Discover Information Protection Needs
Discover Information Needs
Implement System requirements

Which is not an element in the IATF Defense in Depth Strategy?

People
Technology
Operations
Policies

Which statement is not correct?

Always keep the problem and solution spaces seperate
The problem space is defined by the customer's mission or business needs
The SE and ISSE assist with developing the solution space
The SE and ISSE assist with developing the problem space

Who is responsible for defining the solution space?

Customer
Program Manager
System Engineer
Security Engineer

What is the level of impact if the information label is LOW

No adverse impact on the organization
Limited adverse impact on the organization
Serious adverse impact on the organization
Severe adverse impact on the organization

Who SUPPORTS the C&A process during development?

SE
AO
ISSE
CA

What is the level of impact if the information label is High

No adverse impact on the organization
Limited adverse impact on the organization
Serious adverse impact on the organization
Severe adverse impact on the organization

Which statement most accurately defines residual risk?

The risk remaining after the implementation of new or enhanced controls
The risk remaining after baseline controls are implemented
The risk remaining after the risk assessment process
The risk remaining after common controls are implemented

NIST SP 800-37 does not address

Initiation
Validation
Certification
Accreditation

Which of the following is not a requirement of OMB A-130?

FISMA reporting
Planning for security
Review security controls
Ensure officials are assigned security responsibilities

Who is the best source of knowledge of potential threats?

Customer
ISSE
SE
CA

What phase of the ISSE defines the information management model and protections?

Discover Information Protection Needs
Define System Security Requirements
Define System Security Architecture
Develop Detailed Security Design

Which is not a primary task included in the Information Management Plan (IMP)?

Define the mission need
Define the Information Management Model (IMM)
Define the Information Protection Policy (IPP)
Assess effectiveness of system

Which step is not addressed during the NIST SP 800-60 analysis?

Loss of Availability
Loss of Confidentiality
Loss of Integrity
Loss of Non-Reputation

FIPS Pub 199 uses what term when referring to a HIGH impact

Severe
Grave
Critical
Serious

The Waterfall design methodology is best described as:

Most closely matches the IATF
Flexibility and rapid development
Better interaction with customers
Rigid and clearly defined structure

After Design System Architecture Phase is completed, what occurs next?

Develop Detailed Security Design
Develop Detailed Design
Implement System Security
Plan the Technical Effort

What is necessary in order to determine the appropriate security category?

Potential impact
Cost and benefit of control
Threat vulnerability pair
Acceptable loss

FISMA was created by what organization?

White House
DISA
Department of Defense
Congress

A Target of Evaluation could be described as:

The protection profile
the security target
the product under evaluation
the product evaluation method

What document is key to the design and development processes?

System requirements
Testing requirements
System specifications
Information management plan

The IATF has three primary elements for defense in depth. Which of the below is not one of these elements?

People
Technology
Operations
Policy

Which requirement does NIST SP 800-59 tell us is required in order to be defined as a National Security System?

Critical to the direct fulfillment of military or intelligence missions
Critical to national security operations
Critical to the support functions of military operations
Critical to the support of the strategic goals of the United States

The Information Management Plan (IMP) helps determine

Information Management Model
Information Protection Needs
System Security Requirements
Roles and Responsabilities

Comments

VickM says:

April 30, 2011 at 4:17 pm

These are really difficult, I hope the actual test isn’t this bad.

s0ndra says:

July 26, 2011 at 8:47 pm

where are the ans?

LT says:

December 29, 2011 at 3:07 pm

I have noticed a few incorrect answers in this practice exam. One question asks about the SE processes but the answer relates to ISSE processes. You can tell because the word “Security” is not in the question but appears in the answer. Be careful on the the exam as I have heard that this is a “gotcha” type of question.

LT says:

February 9, 2012 at 4:19 pm

The answer to this question is incorrect.

Who is responsible for defining the solution space?

The answer given states it is the customer, but the customer defines the “problem” space and the SE and ISSE define the “solution” space.

CISSP-ISSEP Practice Test

Comments

Trackbacks

Speak Your Mind Cancel reply

Free updates

Follow us

Pages

Recent comments

Archives