Let's see how well you did on this test ...

1. Which of the following statements pertaining to software testing approaches is correct?

Answer: The test plan and results should be retained as part of the system's permanent documentation.

Sorry - you had a wrong answer, please review details below.

The test plan and results should always be retained as part of the system's permanent documentation. A bottom-up approach to testing begins with the atomic units, such as programs or modules, and works upward until complete system testing has taken place; it allows errors in critical modules to be found early. A top-down approach allows for early detection of interface errors and raises confidence in the system, as programmers and users actually see a working system. White box testing is predicated on a close examination of procedural detail. Black box testing examines some aspect of the system with little regard for the internal logical structure of the software.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 300).

Thanks to Christian Vezina for providing this question.

2. In an on-line transaction processing system, which of the following actions should be taken when erroneous or invalid transactions are detected?

Answer: The transactions should be written to a report and reviewed.

Sorry - you had a wrong answer, please review details below.

The monitor mechanism within an OLTP system normally detects errors and rolls back any transaction that was taking place, ensuring that no data is corrupted and that a partially completed transaction is never applied. Any erroneous or invalid transactions that are detected should be written to a transaction log and to a report log to be reviewed at a later time.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 11: Application and System Development (page 728).

Thanks to Rick Cahoon for providing a reference to this question.

3. Which of the following can be defined as a unique identifier in the table that unambiguously points to an individual tuple or record in the table?

Answer: primary key

Sorry - you had a wrong answer, please review details below.

A primary key is a unique identifier in the table that unambiguously points to an individual tuple or record in the table.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 45.

Thanks to Rakesh Sud for providing this question and to Christian Vezina for improving it.

4. Risk reduction in a system development life-cycle should be applied:

Answer: Equally to all phases.

Sorry - you had a wrong answer, please review details below.

Risk is defined as the combination of the probability that a particular threat source will exploit, or trigger, a particular information system vulnerability and the resulting mission impact should this occur. Previously, risk avoidance was a common IT security goal. That changed as the nature of the risk became better understood. Today, it is recognized that elimination of all risk is not cost-effective. A cost-benefit analysis should be conducted for each proposed control. In some cases, the benefits of a more secure system may not justify the direct and indirect costs. Benefits include more than just prevention of monetary loss; for example, controls may be essential for maintaining public trust and confidence. Direct costs include the cost of purchasing and installing a given technology; indirect costs include decreased system performance and additional training. The goal is to enhance mission/business capabilities by managing mission/business risk to an acceptable level.
Source: STONEBURNER, Gary et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page 8).

Thanks to Christian Vezina for providing this question.

5. A persistent collection of interrelated data items can be defined as which of the following?

Answer: database

Sorry - you had a wrong answer, please review details below.

A database can be defined as a persistent collection of interrelated data items.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 44.

Thanks to Rakesh Sud for providing this question.

6. The IS security analyst's participation in which of the following system development life cycle phases provides maximum benefit to the organization?

Answer: systems requirements definition

Sorry - you had a wrong answer, please review details below.

Details and reference for this question are not yet available. This question is a new question that was submitted by one of the members of the site and I have to find a reference for it. If you do have a reference for this question, please send it to Christian at with the question above. Thanks. Clement.

7. Which expert system operating mode allows determining if a given hypothesis is valid?

Answer: Backward chaining

Sorry - you had a wrong answer, please review details below.

In a backward chaining mode, the expert system backtracks to determine if a given hypothesis is valid. In a forward chaining mode, the system acquires information and comes to a conclusion based on that information. Other options are distracters.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and Systems Development (page 259).

Thanks to Christian Vezina for providing this question.

8. Which of the following tests makes sure the modified or new system includes appropriate access controls and does not introduce any security holes that might compromise other systems?

Answer: Security testing

Sorry - you had a wrong answer, please review details below.

Security testing makes sure the modified or new system includes appropriate access controls and does not introduce any security holes that might compromise other systems. Recovery testing checks the system's ability to recover after a software or hardware failure. Stress/volume testing involves testing an application with large quantities of data in order to evaluate performance during peak hours. Interface testing evaluates the connection of two or more components that pass information from one area to another.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 300).

Thanks to Christian Vezina for providing this question.

9. The description of the database is called a schema, and the schema is defined by which of the following?

Answer: Data Definition Language (DDL).

Sorry - you had a wrong answer, please review details below.

The description of the database is called a schema, and the schema is defined by a Data Definition Language (DDL).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 44.

Thanks to Rakesh Sud for providing this question and to Tom Llanso for reviewing it.

10. With regard to relational database operations, which of the following is used to create a plan and fix or resolve the plan?

Answer: Bind

Sorry - you had a wrong answer, please review details below.

A bind is used to create the plan and fixes or resolves the plan.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 47.

Thanks to Rakesh Sud for providing this question.

11. Which of the following is used in database information security to hide information?

Answer: Polyinstantiation

Sorry - you had a wrong answer, please review details below.

Polyinstantiation enables a relation to contain multiple tuples with the same primary key, each instance distinguished by a security level. When such information is inserted into a database, lower-level subjects need to be restricted from it. Instead of merely restricting access, another set of data is created to lead the lower-level subjects to believe that the information actually means something else.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 11: Application and System Development (page 727).

Thanks to Christian Vezina for providing this question.

12. Which of the following database implementations would be best defined as interconnected platforms running independent copies of software with independent copies of data?

Answer: Interoperable or cooperative

Sorry - you had a wrong answer, please review details below.

An interoperable, or cooperative, database is defined as interconnected platforms running independent copies of software with independent copies of data. Not to be confused with a decentralized database, involving connected or unconnected but related platforms running independent copies of software with independent copies of data. A dispersed database involves interconnected and related platforms running the same software and using the same data, one of which is centralized (software or data).
Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 4, August 1999. Available at http://www.cccure.org.

Thanks to Christian Vezina for providing this question.

13. Sensitivity labels are an example of:

Answer: Preventive controls

Sorry - you had a wrong answer, please review details below.

Sensitivity labels are an example of preventive security application controls, as are firewalls, data encryption, one-time passwords, etc.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and Systems Development (page 264).

Thanks to Christian Vezina for providing this question.

14. When considering an IT System Development Life-cycle, security should be:

Answer: Treated as an integral part of the overall system design.

Sorry - you had a wrong answer, please review details below.

Security must be considered in information system design. Experience has shown it is very difficult to implement security measures properly and successfully after a system has been developed, so it should be integrated fully into the system life-cycle process. This includes establishing security policies, understanding the resulting security requirements, participating in the evaluation of security products, and finally in the engineering, design, implementation, and disposal of the system.
Source: STONEBURNER, Gary et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page 7).

Thanks to Christian Vezina for providing this question.

15. Which of the following security modes of operation involves the highest risk?

Answer: Multilevel Security Mode

Sorry - you had a wrong answer, please review details below.

In multilevel mode, two or more classification levels of data exist on the system, and some users are not cleared for all of that data. Risk is high because sensitive data could be made available to someone not validated as being capable of maintaining the secrecy of that data (i.e., not cleared for it). In the other security modes, all users have the necessary clearance for all data on the system.
Source: LaROSA, Jeanette (domain leader), Application and System Development Security CISSP Open Study Guide, version 3.0, January 2002. Available at http://www.cccure.org.

Thanks to Christian Vezina for providing this question.

16. Which of the following is not a control preventing an unauthorized change in a production environment?

Answer: Run a source comparison program between control and current source periodically.

Sorry - you had a wrong answer, please review details below.

Running the source comparison program between control and current source periodically allows detection, not prevention, of unauthorized changes in the production environment. Other options are preventive controls.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 309).

Thanks to Christian Vezina for providing this question.

17. Which of the following computer aided software engineering (CASE) products is used for developing detailed designs, such as screen and report layouts?

Answer: Middle CASE

Sorry - you had a wrong answer, please review details below.

Middle CASE products are used for developing detailed designs, such as screen and report layouts. Upper CASE is used to describe and document business and application requirements, and lower CASE deals with the generation of program code and database definitions. I-CASE stands for Integrated CASE and covers the complete life-cycle process of a product.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 319) and HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 11: Application and System Development (page 768).

Thanks to Christian Vezina for providing this question.

18. Which of the following is the marriage of object-oriented and relational technologies combining the attributes of both?

Answer: object-relational database

Sorry - you had a wrong answer, please review details below.

The object-relational database is the marriage of object-oriented and relational technologies and combines the attributes of both.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48.

Thanks to Rakesh Sud for providing this question.

19. Which of the following is best defined as a circumstance in which a collection of information items is required to be classified at a higher security level than any of the individual items that comprise it?

Answer: Aggregation

Sorry - you had a wrong answer, please review details below.

The Internet Security Glossary (RFC2828) defines aggregation as a circumstance in which a collection of information items is required to be classified at a higher security level than any of the individual items that comprise it.
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.

Thanks to Christian Vezina for providing this question.

20. Development staff should:

Answer: Perform unit testing.

Sorry - you had a wrong answer, please review details below.