Which of the following statements about the authentication concept of information security
management is true?
Billy is the project manager of the HAR Project and is in month six of the project. The project is
scheduled to last for 18 months. Management asks Billy how often the project team is participating
in risk reassessment in this project. What should Billy tell management if he’s following the best
practices for risk management?
You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A
methodology, which is based on four well-defined phases. In which of the following phases of
NIST SP 800-37 C&A methodology does the security categorization occur?
In which of the following DIACAP phases is residual risk analyzed?
Which of the following security controls will you use for the deployment phase of the SDLC to build
secure software? Each correct answer represents a complete solution. Choose all that apply.
Which of the following provides an easy way for programmers to write lower-risk applications
and retrofit security into an existing application?
Which of the following is a malicious exploit of a website, whereby unauthorized commands are
transmitted from a user trusted by the website?
An attacker exploits actual code of an application and uses a security hole to carry out an attack
before the application vendor knows about the vulnerability. Which of the following types of attack
is this?
You are the project manager for your organization. You are preparing for the quantitative risk
analysis. Mark, a project team member, wants to know why you need to do quantitative risk
analysis when you just completed qualitative risk analysis. Which one of the following statements
best defines what quantitative risk analysis is?
You work as a security engineer for BlueWell Inc. According to you, which of the following
DITSCAP/NIACAP model phases occurs at the initiation of the project, or at the initial C&A effort
of a legacy system?