Question 1

Which of the following email lists is written for the technical audiences, and provides weekly
summaries of security issues, new vulnerabilities, potential impact, patches and workarounds, as
well as the actions recommended to mitigate risk

Accepted Answer

C

Explanation: The Cyber Security Bulletin, a product of the National Cyber Awareness System (NCAS) from the Cybersecurity and Infrastructure Security Agency (CISA), is specifically designed as a weekly summary. It consolidates information on new vulnerabilities from the preceding week for a technical audience. The content includes potential impacts, available patches, workarounds, and recommended mitigation actions, which directly matches the description provided in the question. This contrasts with Alerts, which are for immediate threats, and Tips, which are for non-technical users.

Question 2

Which of the following DoD policies establishes policies and assigns responsibilities to achieve DoD
IA through a defense-in-depth approach that integrates the capabilities of personnel, operations, and
technology, and supports the evolution to network-centric warfare

Accepted Answer

D

Explanation: DoD Directive (DoDD) 8500.1, "Information Assurance (IA)," is the foundational policy document that establishes the DoD's overarching strategy for IA. The purpose statement within this directive explicitly states that it "Establishes policy and assigns responsibilities...to achieve information assurance (IA) through a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network centric warfare." This wording directly matches the description provided in the question, identifying it as the correct high-level policy document. While this directive has been superseded, it remains a key historical document within the ISSEP body of knowledge.

Question 3

You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A
methodology, which is based on four well defined phases. In which of the following phases of NIST
SP 800-37 C&A methodology does the security categorization occur

Accepted Answer

B

Explanation: The NIST SP 800-37 Certification and Accreditation (C&A) methodology is structured into four phases. The Initiation Phase is the first phase, where the groundwork for the C&A process is established. A fundamental task within this phase is the security categorization of the information system. This is performed in accordance with FIPS 199, which involves determining the potential impact (low, moderate, or high) on organizational operations and assets should the confidentiality, integrity, or availability of the information be compromised. This categorization is a critical first step as it directly influences the selection of the appropriate security control baseline for the system in subsequent phases.

Question 4

Which of the following federal laws are related to hacking activities Each correct answer represents a complete solution. Choose three.

Accepted Answer

A, B, C

Explanation: These three U.S. federal laws form a foundational legal framework for prosecuting hacking and related cybercrimes. 18 U.S.C. § 1030, the Computer Fraud and Abuse Act (CFAA), is the primary U.S. anti-hacking statute, directly criminalizing unauthorized access to computer systems. 18 U.S.C. § 1029 targets fraud involving "access devices," which include passwords, account numbers, and other credentials frequently stolen or used during hacking activities to gain illicit access. 18 U.S.C. § 2510 provides the definitions for the Wiretap Act, which makes it illegal to intercept electronic communications without authorization. This directly relates to hacking techniques like network sniffing and man-in-the-middle attacks.

Question 5

Which of the following principles are defined by the IATF model Each correct answer represents a complete solution. Choose all that apply.

Accepted Answer

B, C, D

Explanation: The Information Assurance Technical Framework (IATF) is a model developed by the U.S. National Security Agency (NSA) that applies systems engineering principles to information assurance. Three core principles of this model are the distinct definitions and separation of the "problem space" and the "solution space." The problem space is explicitly defined by the customer's mission or business requirements. The solution space, which is driven by and must address the problem space, is where engineers define the technical system. A foundational tenet of the IATF methodology is to maintain a strict separation between these two spaces to prevent developing solutions that do not align with actual mission needs.

Question 6

Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system

Accepted Answer

B

Explanation: The Trusted Computer System Evaluation Criteria (TCSEC), often called the "Orange Book," is a U.S. Department of Defense (DoD) standard published in 1983. Its primary purpose was to provide a framework for evaluating the effectiveness of security controls built into computer systems. It established a series of hierarchical security classifications (e.g., D, C1, C2, B1, B2, B3, A1) based on the system's ability to enforce a security policy, provide assurance, and implement specific security features. TCSEC was the foundational standard for assessing and rating the trust and security level of computer operating systems.

Question 7

Which of the following cooperative programs carried out by NIST encourages performance excellence among U.S. manufacturers, service companies, educational institutions, and healthcare providers

Accepted Answer

B

Explanation: The Baldrige National Quality Program, managed by the National Institute of Standards and Technology (NIST), is a public-private partnership dedicated to improving the performance and competitiveness of U.S. organizations. It establishes the Baldrige Performance Excellence Framework, a set of criteria used to evaluate organizational performance across six categories: manufacturing, service, small business, education, health care, and nonprofit. The program's primary goal is to recognize and promote performance excellence, making it the correct answer that aligns with all aspects of the question.

Question 8

Which of the following processes provides a standard set of activities, general tasks, and a
management structure to certify and accredit systems, which maintain the information assurance
and the security posture of a system or site

Accepted Answer

C

Explanation: The National Information Assurance Certification and Accreditation Process (NIACAP) was established to provide a minimum standard framework for certifying and accrediting the security of national security systems across the U.S. government. It defined a standard set of activities, general tasks, and a management structure to ensure systems maintained a consistent information assurance (IA) posture. NIACAP's purpose was to create a common foundation for the C&A process, promoting reciprocity and a uniform approach to managing risk for systems that store, process, or communicate sensitive information.

Question 9

What NIACAP certification levels are recommended by the certifier Each correct answer represents a complete solution. Choose all that apply.

Accepted Answer

B, D, E, F

Explanation: The National Information Assurance Certification and Accreditation Process (NIACAP) defined four distinct levels of effort for the certification analysis phase. These levels allowed the certifier to recommend a degree of rigor appropriate to the system's mission criticality and operational environment. The levels, in increasing order of intensity, are: Minimum Analysis, Basic Security Review, Detailed Analysis, and Comprehensive Analysis. Each level builds upon the previous one, requiring progressively more in-depth examination of the system's security posture, documentation, and implementation. These options represent the complete and official set of NIACAP certification analysis levels.

Question 10

In which of the following DIACAP phases is residual risk analyzed

Accepted Answer

E

Explanation: Phase 4 of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), "Maintain Authorization to Operate and Conduct Reviews," is where residual risk is analyzed on an ongoing basis. This phase encompasses continuous monitoring of the information system's security controls and posture throughout its lifecycle. Activities include performing annual reviews, assessing the impact of system changes, and responding to new threats or vulnerabilities. Each of these activities requires a re-analysis of the residual risk to ensure it remains at an acceptable level as determined by the Authorizing Official (AO), thereby maintaining the system's security authorization.

Question 11

Which of the following security controls is standardized by the Internet Engineering Task Force (IETF) as the primary network layer protection mechanism

Accepted Answer

C

Explanation: Internet Protocol Security (IPSec) is a suite of protocols standardized by the Internet Engineering Task Force (IETF) to provide security services at the network layer (Layer 3) of the OSI model. It secures IP communications by authenticating and encrypting each IP packet, offering confidentiality, integrity, and authenticity. Its operation at the network layer allows it to protect all traffic between two endpoints transparently to the applications running on them, making it the primary IETF-standardized mechanism for this purpose.

Question 12

What are the responsibilities of a system owner Each correct answer represents a complete solution. Choose all that apply.

Accepted Answer

A, C, D

Explanation: A system owner is a senior-level manager responsible for the information system throughout its lifecycle. This includes integrating security requirements into procurement and development projects (A). They are ultimately accountable for ensuring that the controls implemented provide adequate security, which involves overseeing configurations, access controls, and other protective measures (C). The owner is also responsible for the system's ongoing security posture, which includes ensuring vulnerability assessments are conducted and that findings are appropriately reported to relevant teams (D). These responsibilities reflect the owner's role in governance, risk management, and operational oversight for the system.

Question 13

The principle of the SEMP is not to repeat the information, but rather to ensure that there are
processes in place to conduct those functions. Which of the following sections of the SEMP template
describes the work authorization procedures as well as change management approval processes

Accepted Answer

B

Explanation: In the standard Systems Engineering Management Plan (SEMP) outline, subsection 3.1.9 is titled “Work Authorization and Change Control.” This paragraph defines how engineering work packages are formally released, tracked, and how any changes to baselines are proposed, assessed, approved, and implemented (e.g., via change-control boards and engineering-change proposals). Other SEMP subsections may reference schedules, configuration-item lists, or risk records, but only 3.1.9 explicitly establishes the work-authorization mechanism together with the accompanying change-management/approval procedures. Therefore, 3.1.9 is the section that satisfies the requirement stated in the question.

Question 14

FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls are tested and reviewed?

Accepted Answer

A

Explanation: FITSAF defines five maturity levels. • Level 1 – policy drafted; • Level 2 – policy and procedures documented; • Level 3 – security controls implemented and functioning; • Level 4 – procedures and controls are tested, reviewed, and corrective actions tracked; • Level 5 – security management is integrated with enterprise-wide processes and subject to continuous improvement. Because Level 4 is explicitly characterized as “tested and reviewed,” it is the only level that satisfies the question’s requirement.

Question 15

DoD 8500.2 establishes IA controls for information systems according to the Mission Assurance
Categories (MAC) and confidentiality levels. Which of the following MAC levels requires basic
integrity and availability

Accepted Answer

D

Explanation: DoD Instruction 8500.2 defines three Mission Assurance Categories (MAC) to classify systems based on their importance to the DoD mission. MAC III is designated for systems handling information necessary for day-to-day administrative or business operations but not for direct support of deployed or contingency forces. Consequently, these systems require only a basic level of assurance for integrity and availability, as their temporary failure can be tolerated without causing mission degradation.

Free ISC2 CISSP-ISSEP Actual Exam Questions