Which of the following are the benefits of SE as stated by MIL-STD-499B? Each correct answer
represents a complete solution. Choose all that apply.
C, B, and A
Explanation:
The benefits of SE as stated by MIL-STD-499B are as follows:
It encompasses the scientific and engineering efforts related to the development, manufacturing, verification, deployment, operations, support, and disposal of system products and processes.
It develops needed user training equipment, procedures, and data.
It establishes and maintains configuration management of the system.
It develops work breakdown structures and statements of work.
It provides information for management decision-making.
Answer option D is incorrect. This is the objective of SE as defined by IEEE 1220.
Which of the following types of cryptography defined by FIPS 185 describes a cryptographic
algorithm or a tool accepted as a Federal Information Processing Standard?
B
Explanation:
The types of cryptography defined by FIPS 185 are as follows:
Type I cryptography: It describes a cryptographic algorithm or a tool accepted by the National Security Agency for protecting classified information.
Type II cryptography: It describes a cryptographic algorithm or a tool accepted by the National Security Agency for protecting sensitive, unclassified information in the systems as stated in Section 2315 of Title 10, United States Code, or Section 3502(2) of Title 44, United States Code.
Type III cryptography: It describes a cryptographic algorithm or a tool accepted as a Federal Information Processing Standard.
Type III (E) cryptography: It describes a Type III algorithm or a tool that is accepted for export from the United States.
Which of the following are the functional analysis and allocation tools? Each correct answer
represents a complete solution. Choose all that apply.
D, A, and C
Explanation:
The various functional analysis and allocation tools are as follows:
Functional hierarchy diagram: It models the hierarchy of functions that the system is in charge of performing, the sub-functions that are required by those functions, and any business processes that are used to invoke those sub-functions. The objective of the functional hierarchy diagram is to show all of the functional requirements and their groupings in one diagram.
Functional flow block diagram (FFBD): The objective of FFBDs is to structure the system requirements into functional terms. The FFBD classifies the major system-level (or top-level) functions that must be performed by the system to accomplish its mission.
Timeline analysis diagram: It presents a graphical view of whether the functions are to be accomplished in series or in parallel.
Answer option B is incorrect. The activity diagram is not a part of the functional analysis and allocation tools.
Which of the following DoD policies establishes policies and assigns responsibilities to achieve DoD
IA through a defense-in-depth approach that integrates the capabilities of personnel, operations, and
technology, and supports the evolution to network-centric warfare?
D
Explanation:
DoD 8500.1 Information Assurance (IA) establishes policies and assigns responsibilities to achieve DoD IA through a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network-centric warfare. DoD 8500.1 also summarizes the roles and responsibilities of the persons responsible for carrying out the IA policies.
Answer option A is incorrect. DoD 8500.2 Information Assurance Implementation follows 8500.1. It provides guidance on how to implement the policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection of DoD information systems and networks. DoD Instruction 8500.2 assigns tasks and sets procedures for applying integrated, layered protection of DoD information systems and networks in accordance with the DoD 8500.1 policy. It also provides important guidelines on how to implement an IA program.
Answer option C is incorrect. DoDI 5200.40 implements the policy, assigns responsibilities, and prescribes procedures under reference for Certification and Accreditation (C&A) of information technology (IT).
Answer option B is incorrect. DoD 8510.1-M DITSCAP provides standardized activities leading to accreditation, and establishes a process and management baseline.
Which of the following laws is the first to implement penalties for the creator of viruses, worms, and
other types of malicious code that causes harm to the computer systems?
A
Explanation:
The Computer Fraud and Abuse Act, as amended, provides civil penalties for the creator of viruses, worms, and other types of malicious code that cause harm to computer systems.
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended to reduce cracking of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as 18 U.S.C. 1030) governs cases with a compelling federal interest: where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce. It was amended in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Section (b) of the act punishes not only anyone who commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.
Answer option B is incorrect. The Computer Security Act was passed by the United States Congress. It was passed to improve the security and privacy of sensitive information in Federal computer systems and to establish minimum acceptable security practices for such systems. It requires the creation of computer security plans, and the appropriate training of system users or owners where the systems house sensitive information.
Answer option C is incorrect. The Gramm-Leach-Bliley Act (GLBA) is also known as the Financial Services Modernization Act of 1999. It is an act of the 106th United States Congress (1999-2001) signed into law by President Bill Clinton which repealed part of the Glass-Steagall Act of 1933, opening up the market among banking companies, securities companies, and insurance companies. The Gramm-Leach-Bliley Act allowed commercial banks, investment banks, securities firms, and insurance companies to consolidate. This law also provides regulations regarding the way financial institutions handle private information belonging to their clients.
Answer option D is incorrect. The Digital Millennium Copyright Act (DMCA) is a United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO). It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures (commonly known as digital rights management or DRM) that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself. In addition, the DMCA heightens the penalties for copyright infringement on the Internet.
Which of the following individuals are part of the senior management and are responsible for
authorization of individual systems, approving enterprise solutions, establishing security policies,
providing funds, and maintaining an understanding of risks at all levels? Each correct answer
represents a complete solution. Choose all that apply.
A. Chief Information Officer
B. AO Designated Representative
C. Senior Information Security Officer
D. User Representative
E. Authorizing Official
E, B, A, and C
Explanation:
Authorizing Official, AO Designated Representative (AODR), Chief Information Officer (CIO), and Senior Information Security Officer (SISO) are part of the senior management. These individuals are responsible for the following:
Authorization of individual systems
Approving enterprise solutions
Establishing security policies
Providing funds
Maintaining an understanding of risk at all levels
Answer option D is incorrect. A User Representative is not a part of the senior management in the Authorization process.
FIPS 199 defines the three levels of potential impact on organizations: low, moderate, and high.
Which of the following are the effects of loss of confidentiality, integrity, or availability in a high level
potential impact?
A. The loss of confidentiality, integrity, or availability might cause severe degradation in or loss of
mission capability to an extent.
B. The loss of confidentiality, integrity, or availability might result in major financial losses.
C. The loss of confidentiality, integrity, or availability might result in a major damage to
organizational assets.
D. The loss of confidentiality, integrity, or availability might result in severe damages like life
threatening injuries or loss of life.
A, C, B, and D
Explanation:
The following are the effects of loss of confidentiality, integrity, or availability at a high level of potential impact:
It might cause a severe degradation in or loss of mission capability to an extent.
It might result in major damage to organizational assets.
It might result in major financial losses.
It might result in severe harm such as serious life-threatening injuries or loss of life.
The National Information Assurance Certification and Accreditation Process (NIACAP) is the
minimum standard process for the certification and accreditation of computer and
telecommunications systems that handle U.S. national security information. What are the different
types of NIACAP accreditation?
Each correct answer represents a complete solution. Choose all that apply.
B, A, and C
Explanation:
NIACAP accreditation is of three types depending on what is being certified. They are as follows:
1. Site accreditation: This type of accreditation evaluates the applications and systems at a specific, self-contained location.
2. Type accreditation: This type of accreditation evaluates an application or system that is distributed to a number of different locations.
3. System accreditation: This accreditation evaluates a major application or general support system.
Answer option D is incorrect. No such type of NIACAP accreditation exists.
You work as an ISSE for BlueWell Inc. You want to break down user roles, processes, and information
until ambiguity is reduced to a satisfactory degree. Which of the following tools will help you to
perform the above task?
D
Explanation:
The Information Management Model (IMM) acts as a tool which is used to break down user roles, processes, and information until ambiguity is reduced to a satisfactory degree. It is a source document that helps to describe the customer's needs based on identifying users, processes, and information. It is used for the following activities:
To identify processes
To identify the information being processed
To identify the users of the information and the processes
Answer option C is incorrect. The Functional Flow Block Diagram (FFBD) is used to structure the system requirements into functional terms.
Answer option A is incorrect. The PERT chart is used for managing technical programs.
Answer option D is incorrect. A Gantt chart is a type of bar chart that illustrates a project schedule. Gantt charts illustrate the start and finish dates of the terminal elements and summary elements of a project. Terminal elements and summary elements comprise the work breakdown structure of the project. Some Gantt charts also show the dependency (i.e., precedence network) relationships between activities. Gantt charts have become a common technique for representing the phases and activities of a project work breakdown structure (WBS), so they can be understood by a wide audience.
Which of the following is an Information Assurance (IA) model that protects and defends information
and information systems by ensuring their availability, integrity, authentication, confidentiality, and
non-repudiation?
B
Explanation:
The Five Pillars model is used in the practice of Information Assurance (IA) to define assurance requirements. It was promulgated by the U.S. Department of Defense (DoD) in a variety of publications, beginning with the National Information Assurance Glossary, Committee on National Security Systems Instruction CNSSI-4009. Here is the definition from that publication: "Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities." The Five Pillars model is sometimes criticized because authentication and non-repudiation are not attributes of information or systems; rather, they are procedures or methods useful to assure the integrity and authenticity of information, and to protect the confidentiality of the same.
Answer option D is incorrect. The classic information security model is used in the practice of Information Assurance (IA) to define assurance requirements. The classic information security model, also called the CIA Triad, addresses three attributes of information and information systems: confidentiality, integrity, and availability. This C-I-A model is extremely useful for teaching introductory and basic concepts of information security and assurance; the initials are an easy mnemonic to remember, and when properly understood, can prompt systems designers and users to address the most pressing aspects of assurance.
Answer option A is incorrect. The Parkerian Hexad is the third Information Assurance (IA) model. It is less widely known but considered by many IA practitioners and professionals to be the most complete and accurate of the three. It was first introduced by Donn B. Parker in 1998. Like the Five Pillars, the Parkerian Hexad begins with the C-I-A model but builds it out by adding three more attributes: authenticity, utility, and possession (or control). It is significant to point out that the concept or attribute of authenticity, as described by Parker, is not identical to the pillar of authentication as described by the U.S. DoD.
Answer option C is incorrect. The Capability Maturity Model (CMM) is a service mark owned by Carnegie Mellon University (CMU) and refers to a development model elicited from actual data. The data was collected from organizations that contracted with the U.S. Department of Defense, who funded the research, and it became the foundation from which CMU created the Software Engineering Institute (SEI). Like any model, it is an abstraction of an existing system. Unlike many that are derived in academia, this model is based on observation rather than on theory. When it is applied to an existing organization's software development processes, it allows an effective approach toward improving them. Eventually it became clear that the model could be applied to other processes. This gave rise to a more general concept that is applied to business processes and to developing people.
Which of the following terms describes the measures that protect and support information and
information systems by ensuring their availability, integrity, authentication, confidentiality, and non-
repudiation?
D
Explanation:
Information Assurance (IA) describes the measures that protect and support information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Answer option C is incorrect. Information systems security (InfoSec) is described as the security of an information system against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, together with those measures necessary to detect, document, and counter such threats.
Answer option A is incorrect. The Information Systems Security Engineering (ISSE) process is a combination of information assurance with SE. It provides integrated processes and solutions throughout all phases of a system's life cycle in order to gather the system's information assurance requirements. The main emphasis of ISSE is to identify the information protection needs first and then to use a process-oriented approach to identify the security risks and subsequently to minimize or contain those risks.
Answer option B is incorrect. The Information Protection Policy (IPP) is defined as a source document which is most useful for the ISSE when classifying the needed security functionality. The IPP document consists of the threats to the information management and the security services and controls needed to respond to those threats.
Under which of the following CNSS policies, NIACAP is mandatory for all the systems that process
USG classified information?
D
Explanation:
Under NSTISSP No. 6 policy, NIACAP is mandatory for all the systems that process USG classified information.
The various CNSS policies are as follows:
NSTISSP No. 6: It describes the national policy on certification and accreditation of national security telecommunications and information systems.
NSTISSP No. 7: It describes the national policy on secure electronic messaging service.
NSTISSP No. 11: It describes the national policy governing the acquisition of information assurance (IA) and IA-enabled Information Technology (IT) products.
NSTISSP No. 101: It describes the national policy on securing voice communications.
NSTISSP No. 200: It describes the national policy on controlled access protection.
CNSSP No. 14: It describes the national policy governing the release of information assurance products and services to authorized U.S. persons or activities that are not a part of the federal government.
NCSC No. 5: It describes the national policy on use of cryptomaterial by activities operating in high risk environments.
Which of the following acts is used to recognize the importance of information security to the
economic and national security interests of the United States?
B
Explanation:
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a 'risk-based policy for cost-effective security'. FISMA requires agency program officials, chief information officers, and Inspectors General (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act.
Answer option A is incorrect. The Lanham Act is a piece of legislation that contains the federal statutes of trademark law in the United States. The Act prohibits a number of activities, including trademark infringement, trademark dilution, and false advertising. It is also called the Lanham Trademark Act.
Answer option D is incorrect. The Computer Misuse Act 1990 is an act of the UK Parliament which states the following:
Unauthorized access to computer material is punishable by 6 months imprisonment or a fine "not exceeding level 5 on the standard scale" (currently £5000).
Unauthorized access with the intent to commit or facilitate commission of further offences is punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment.
Unauthorized modification of computer material is subject to the same sentences as section 2 offences.
Answer option C is incorrect. The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended to reduce cracking of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as 18 U.S.C. 1030) governs cases with a compelling federal interest: where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce. It was amended in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Section (b) of the act punishes not only anyone who commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.
A security policy is an overall general statement produced by senior management that dictates what
role security plays within the organization. What are the different types of policies?
Each correct answer represents a complete solution. Choose all that apply.
A, B, and D
Explanation:
The following are the different types of policies:
Regulatory: This type of policy ensures that the organization is following standards set by specific industry regulations. This policy type is very detailed and specific to a type of industry. It is used in financial institutions, health care facilities, public utilities, and other government-regulated industries, e.g., TRAI.
Advisory: This type of policy strongly advises employees regarding which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information, handle financial transactions, or process confidential information.
Informative: This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one to teach individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company's goals and mission, and a general reporting structure in different situations.
Answer option C is incorrect. No such type of policy exists.
Which of the following agencies provides command and control capabilities and enterprise
infrastructure to continuously operate and assure a global net-centric enterprise in direct support to
joint warfighters, National level leaders, and other mission and coalition partners across the full
spectrum of operations?
C
Explanation:
The Defense Information Systems Agency (DISA) is a United States Department of Defense combat support agency with the goal of providing real-time information technology (IT) and communications support to the President, Vice President, Secretary of Defense, the military Services, and the Combatant Commands. DISA, as a Combat Support Agency, engineers and provides command and control capabilities and enterprise infrastructure to continuously operate and assure a global net-centric enterprise in direct support to joint warfighters, National level leaders, and other mission and coalition partners across the full spectrum of operations.
Answer option D is incorrect. The Defense-wide Information Assurance Program (DIAP) protects and supports DoD information, information systems, and information networks, which are important to the Department and the armed forces throughout day-to-day operations and in times of crisis. The DIAP uses the OSD method to plan, observe, organize, and incorporate IA activities. The role of DIAP is to act as a facilitator for program execution by the combatant commanders, Military Services, and Defense Agencies. The DIAP staff combines functional and programmatic skills for a comprehensive Defense-wide approach to IA. The DIAP's main objective is to ensure that the DoD's vital information resources are secured and protected by incorporating IA activities to achieve secure net-centric GIG operation and information supremacy, applying a Defense-in-Depth methodology that integrates the capabilities of people, operations, and technology to establish multi-layer, multidimensional protection.
Answer option B is incorrect. The Defense Technical Information Center (DTIC) is a repository of scientific and technical documents for the United States Department of Defense. DTIC serves the DoD community as the largest central resource for DoD and government-funded scientific, technical, engineering, and business-related information available today. DTIC's documents are available to DoD personnel and defense contractors, with unclassified documents also available to the public. DTIC's aim is to serve as a vital link in the transfer of information among DoD personnel, DoD contractors, potential contractors, and other U.S. Government agency personnel and their contractors.
Answer option A is incorrect. The Defense Advanced Research Projects Agency (DARPA) is an agency of the United States Department of Defense responsible for the development of new technology for use by the military. DARPA has been responsible for funding the development of many technologies which have had a major effect on the world, including computer networking, as well as NLS, which was both the first hypertext system and an important precursor to the contemporary ubiquitous graphical user interface. DARPA supplies technological options for the entire Department, and is designed to be the "technological engine" for transforming DoD.