The CISSP Prep Guide Gold Edition, part 5 (docx)


Sample Questions

You can find answers to the following questions in Appendix H.

1. What is a data warehouse?
   a. A remote facility used for storing backup tapes
   b. A repository of information from heterogeneous databases
   c. A table in a relational database system
   d. A hot backup building

2. What does normalizing data in a data warehouse mean?
   a. Redundant data is removed.
   b. Numerical data is divided by a common factor.
   c. Data is converted to a symbolic representation.
   d. Data is restricted to a range of values.

3. What is a neural network?
   a. A hardware or software system that emulates the reasoning of a human expert
   b. A collection of computers that are focused on medical applications
   c. A series of networked PCs performing artificial intelligence tasks
   d. A hardware or software system that emulates the functioning of biological neurons

4. A neural network learns by using various algorithms to:
   a. Adjust the weights applied to the data.
   b. Fire the rules in the knowledge base.
   c. Emulate an inference engine.
   d. Emulate the thinking of an expert.

5. The SEI Software Capability Maturity Model is based on the premise that:
   a. Good software development is a function of the number of expert programmers in the organization.
   b. The maturity of an organization's software processes cannot be measured.
   c. The quality of a software product is a direct function of the quality of its associated software development and maintenance processes.
   d. Software development is an art that cannot be measured by conventional means.

Applications and Systems Development 363

6. In configuration management, a configuration item is:
   a. The version of the operating system that is operating on the work station that provides information security services.
   b. A component whose state is to be recorded and against which changes are to be progressed.
   c. The network architecture used by the organization.
   d. A series of files that contain sensitive information.

7. In an object-oriented system, polymorphism denotes:
   a. Objects of many different classes that are related by some common superclass; thus, any object denoted by this name can respond to some common set of operations in a different way.
   b. Objects of many different classes that are related by some common superclass; thus, all objects denoted by this name can respond to some common set of operations in identical fashion.
   c. Objects of the same class; thus, any object denoted by this name can respond to some common set of operations in the same way.
   d. Objects of many different classes that are unrelated but respond to some common set of operations in the same way.

8. The simplistic model of software life cycle development assumes that:
   a. Iteration will be required among the steps in the process.
   b. Each step can be completed and finalized without any effect from the later stages that might require rework.
   c. Each phase is identical to a completed milestone.
   d. Software development requires reworking and repeating some of the phases.

9. What is a method in an object-oriented system?
   a. The means of communication among objects
   b. A guide to the programming of objects
   c. The code defining the actions that the object performs in response to a message
   d. The situation where a class inherits the behavioral characteristics of more than one parent class

10. What does the Spiral Model depict?
   a. A spiral that incorporates various phases of software development
   b. A spiral that models the behavior of biological neurons
   c. The operation of expert systems
   d. Information security checklists

11. In the software life cycle, verification:
   a. Evaluates the product in development against real-world requirements
   b. Evaluates the product in development against similar products
   c. Evaluates the product in development against general baselines
   d. Evaluates the product in development against the specification

12. In the software life cycle, validation:
   a. Refers to the work product satisfying the real-world requirements and concepts.
   b. Refers to the work product satisfying derived specifications.
   c. Refers to the work product satisfying software maturity levels.
   d. Refers to the work product satisfying generally accepted principles.

13. In the modified Waterfall Model:
   a. Unlimited backward iteration is permitted.
   b. The model was reinterpreted to have phases end at project milestones.
   c. The model was reinterpreted to have phases begin at project milestones.
   d. Product verification and validation are not included.

14. Cyclic redundancy checks, structured walk-throughs, and hash totals are examples of what type of application controls?
   a. Preventive security controls
   b. Preventive consistency controls
   c. Detective accuracy controls
   d. Corrective consistency controls

15. In a system life cycle, information security controls should be:
   a. Designed during the product implementation phase
   b. Implemented prior to validation
   c. Part of the feasibility phase
   d. Specified after the coding phase

16. The software maintenance phase controls consist of:
   a. Request control, change control, and release control
   b. Request control, configuration control, and change control
   c. Change control, security control, and access control
   d. Request control, release control, and access control

17. In configuration management, what is a software library?
   a. A set of versions of the component configuration items
   b. A controlled area accessible to only approved users who are restricted to the use of an approved procedure
   c. A repository of backup tapes
   d. A collection of software build lists

18. What is configuration control?
   a. Identifying and documenting the functional and physical characteristics of each configuration item
   b. Controlling changes to the configuration items and issuing versions of configuration items from the software library
   c. Recording the processing of changes
   d. Controlling the quality of the configuration management procedures

19. What is searching for data correlations in the data warehouse called?
   a. Data warehousing
   b. Data mining
   c. A data dictionary
   d. Configuration management

20. The security term that is concerned with the same primary key existing at different classification levels in the same database is:
   a. Polymorphism
   b. Normalization
   c. Inheritance
   d. Polyinstantiation

21. What is a data dictionary?
   a. A database for system developers
   b. A database of security terms
   c. A library of objects
   d. A validation reference source

22. Which of the following is an example of mobile code?
   a. Embedded code in control systems
   b. Embedded code in PCs
   c. Java and ActiveX code downloaded into a Web browser from the World Wide Web (WWW)
   d. Code derived following the spiral model

23. Which of the following is NOT true regarding software unit testing?
   a. The test data is part of the specifications.
   b. Correct test output results should be developed and known beforehand.
   c. Live or actual field data is recommended for use in the testing procedures.
   d. Testing should check for out-of-range values and other bounds conditions.

Bonus Questions

You can find answers to the following questions in Appendix H.

1. Which of the following is NOT a component of configuration management?
   a. Configuration control
   b. Configuration review
   c. Configuration status accounting
   d. Configuration audit

2. Which one of the following is NOT one of the maturity levels of the Software Capability Maturity Model (CMM)?
   a. Fundamental
   b. Repeatable
   c. Defined
   d. Managed

3. The communication to an object to carry out an operation in an object-oriented system is called a:
   a. Note.
   b. Method.
   c. Behavior.
   d. Message.

4. In an object-oriented system, the situation wherein objects with a common name respond differently to a common set of operations is called:
   a. Delegation.
   b. Polyresponse.
   c. Polymorphism.
   d. Polyinstantiation.

5. What phase of the object-oriented software development life cycle is described as emphasizing the employment of objects and methods rather than types or transformations as in other software approaches?
   a. Object-oriented requirements analysis
   b. Object-oriented programming
   c. Object-oriented analysis
   d. Object-oriented design

6. A system that exhibits reasoning similar to that of humans knowledgeable in a particular field to solve a problem in that field is called:
   a. A "smart" system.
   b. A data warehouse.
   c. A neural network.
   d. An expert system.

7. What type of security controls operate on the input to a computing system, on the data being processed, and the output of the system?
   a. Numerical controls
   b. Data controls
   c. Application controls
   d. Normative controls

8. The Common Object Model (COM) that supports the exchange of objects among programs was formerly known as:
   a. The Distributed Common Object Model (DCOM).
   b. Object Linking and Embedding (OLE).
   c. Object Rationalization and Linking (ORL).
   d. An Object Request Broker (ORB).

9. In a distributed environment, a surrogate program that performs services in one environment on behalf of a principal in another environment is called:
   a. A proxy.
   b. A slave.
   c. A virtual processor.
   d. An agent.

Advanced Sample Questions

You can find answers to the following questions in Appendix I.

The following questions are supplemental to and coordinated with Chapter 7 and are at a level commensurate with that of the CISSP Examination. These questions include advanced material relative to software engineering, software development, the software capability maturity model (CMM), object-oriented systems, expert systems, neural networks, genetic algorithms, databases, the data warehouse, data mining, the Common Object Model (COM), client/server architecture and distributed data processing. It is assumed that the reader has a basic knowledge of the material contained in this chapter. These questions and answers build upon the questions and answers covered in Chapter 7.

1. The definition "the science and art of specifying, designing, implementing and evolving programs, documentation and operating procedures whereby computers can be made useful to man" is that of:
   a. Structured analysis/structured design (SA/SD).
   b. Software engineering.
   c. An object-oriented system.
   d. Functional programming.

2. In software engineering, the term verification is defined as:
   a. To establish the truth of correspondence between a software product and its specification.
   b. A complete, validated specification of the required functions, interfaces, and performance for the software product.
   c. To establish the fitness or worth of a software product for its operational mission.
   d. A complete, verified specification of the overall hardware-software architecture, control structure, and data structure for the product.

3. The discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle is called:
   a. Change control.
   b. Request control.
   c. Release control.
   d. Configuration management.

4. The basic version of the Construction Cost Model (COCOMO), which proposes quantitative, life-cycle relationships, performs what function?
   a. Estimates software development effort based on user function categories
   b. Estimates software development effort and cost as a function of the size of the software product in source instructions
   c. Estimates software development effort and cost as a function of the size of the software product in source instructions modified by manpower buildup and productivity factors
   d. Estimates software development effort and cost as a function of the size of the software product in source instructions modified by hardware and input functions

5. A refinement to the basic Waterfall Model that states that software should be developed in increments of functional capability is called:
   a. Functional refinement.
   b. Functional development.
   c. Incremental refinement.
   d. Incremental development.

6. The Spiral Model of the software development process (B.W. Boehm, "A Spiral Model of Software Development and Enhancement," IEEE Computer, May, 1988) uses the following metric relative to the spiral:
   a. The radial dimension represents the cost of each phase.
   b. The radial dimension represents progress made in completing each cycle.
   c. The angular dimension represents cumulative cost.
   d. The radial dimension represents cumulative cost.

7. In the Capability Maturity Model (CMM) for software, the definition "describes the range of expected results that can be achieved by following a software process" is that of:
   a. Structured analysis/structured design (SA/SD).
   b. Software process capability.
   c. Software process performance.
   d. Software process maturity.

8. Which of the following is NOT a Software CMM maturity level?
   a. Initial
   b. Repeatable
   c. Behavioral
   d. Managed

9. The main differences between a software process assessment and a software capability evaluation are:
   a. Software process assessments determine the state of an organization's current software process and are used to gain support from within the organization for a software process improvement program; software capability evaluations are used to identify contractors who are qualified to develop software or to monitor the state of the software process in a current software project.
   b. Software capability evaluations determine the state of an organization's current software process and are used to gain support from within the organization for a software process improvement program; software process assessments are used to identify contractors who are qualified to develop software or to monitor the state of the software process in a current software project.
   c. Software process assessments are used to develop a risk profile for source selection; software capability evaluations are used to develop an action plan for continuous process improvement.
   d. Software process assessments and software capability evaluations are, essentially, identical and there are no major differences between the two.

10. Which of the following is NOT a common term in object-oriented systems?
   a. Behavior
   b. Message
   c. Method
   d. Function

11. In object-oriented programming, when all the methods of one class are passed on to a subclass, this is called:
   a. Forward-chaining.
   b. Inheritance.
   c. Multiple Inheritance.
   d. Delegation.

12. Which of the following languages is NOT an object-oriented language?
   a. Smalltalk
   b. Simula 67
   c. Lisp
   d. C++

[...]

[...] document should include granular details of what will happen during the test, including the following:
- The testing schedule and timing
- The duration of the test
- The specific test steps
- Who will be the participants in the test
- The task assignments of the test personnel
- The resources and services required (supplies, hardware, software, [...]
[...] Testing prepares and trains the personnel to execute their emergency duties
- Testing verifies the processing capability of the alternate backup site

Creating the Test Document

To get the maximum benefit and coordination from the test, a document outlining the test scenario must be produced, containing the reasons for the test, the objectives of the test, and the type of test to be conducted (see the [...]

[...] restoration."

Our Goals

The CISSP candidate should know the following:
- The basic difference between BCP and DRP
- The difference between natural and manmade disasters
- The four prime elements of BCP
- The reasons for and steps in conducting a Business Impact Assessment (BIA)
- The steps in creating a disaster recovery plan
- The five types of disaster [...]

[...] identify the most critical business functions by gathering input from management personnel in the various business units. Also, it's very important to obtain senior executive management buy-in and support for the survey, as it requires full disclosure from the business units and a high-level organizational view.

THE INFORMATION TECHNOLOGY DEPARTMENT

The IT department [...]

[...] risk assessment

THE FCPA

The Foreign Corrupt Practices Act of 1977 imposes civil and criminal penalties if publicly-held organizations fail to maintain adequate controls over their information systems. Organizations must take reasonable steps to ensure not only the integrity of their data, but also the system controls the organization put in place and is focused [...]

[...] test. The test is not a graded contest on how well the recovery plan or personnel executing the plan performed. Mistakes will be made, and this is the time to make them. Document the problems encountered during the test and update the plan as needed, then test again.

The Five Disaster Recovery Plan Test Types

There are five types of disaster recovery plan tests. The listing here is prioritized, from the simplest to the most complete testing type. As the organization progresses through the tests, each test is progressively more involved and more accurately depicts the actual responsiveness of the company. Some of the testing types, for example, the last two, require major investments of time, resources, and coordination to implement. The CISSP candidate should know all of these and what they entail. The following [...]

[...] maintenance procedure for updating the plan as needed.

Scope and Plan Initiation

The Scope and Plan Initiation phase is the first step to creating a business continuity plan. This phase marks the beginning of the BCP process. It entails creating the scope for the plan and the other elements needed to define the parameters of the plan. This phase embodies an examination of the company's operations and support [...]

[...] identified at this time, with the most time-sensitive processes receiving the most resource allocation. A BIA generally takes the form of these four steps:
1. Gathering the needed assessment materials
2. Performing the vulnerability assessment
3. Analyzing the information compiled
4. Documenting the results and presenting recommendations

Gathering Assessment Materials

The initial step of the BIA is identifying [...]

[...] event occurs. The purpose of the disaster recovery plan is to reduce confusion and enhance the ability of the organization to deal with the crisis. Obviously, when a disruptive event occurs, the organization will not have the luxury to create and execute a recovery plan on the spot. Therefore, the amount of planning and testing that can be done beforehand will determine the capability of the organization [...]

Posted: 13/08/2014, 12:21
