
ISC2 Information Systems Security Engineering Professional Exam

Certification Provider: ISC2
Exam Name: Information Systems Security Engineering Professional
Duration: 150 Minutes
Number of questions in our database: 214
Exam Version: Apr. 15, 2024
Exam Official Topics:
  • Topic 1: Basics of system security engineering
  • Topic 2: Risk management
  • Topic 3: Security planning and design
  • Topic 4: Apply, test and verify the rules
  • Topic 5: Secure operation, change management and billing

Free ISC2 Information Systems Security Engineering Professional Exam Actual Questions

The questions for Information Systems Security Engineering Professional were last updated On Apr. 15, 2024

Question #1

FIPS 199 defines the three levels of potential impact on organizations: low, moderate, and high. Which of the following are the effects of loss of confidentiality, integrity, or availability in a high level potential impact?

Correct Answer: A, B, C, D

The following are the effects of loss of confidentiality, integrity, or availability in a high level potential impact:

It might cause a severe degradation in or loss of mission capability to an extent.

It might result in a major damage to organizational assets.

It might result in a major financial loss.

It might result in severe harms such as serious life threatening injuries or loss of life.


Question #2

Registration Task 5 identifies the system security requirements. Which of the following elements of Registration Task 5 defines the type of data processed by the system?

Correct Answer: A

Data security requirement defines the type of data processed by the system.

Answer option C is incorrect. Applicable instruction or directive defines the security instructions or directives applicable to the system.

Answer option D is incorrect. Security concept of operation defines the following elements:

Security CONOPS

System input

System processing

Final outputs

Security controls and interactions

Connections with external systems

Answer option B is incorrect. Network connection rule is used to find the additional requirements incurred if the system is to be connected to any other network or system.


Question #3

Which of the following organizations incorporates building secure audio and video communications equipment, making tamper protection products, and providing trusted microelectronics solutions?

Correct Answer: B

Answer option A is incorrect. The Defense Technical Information Center (DTIC) is a repository of scientific and technical documents for the United States Department of Defense. DTIC serves the DoD community as the largest central resource for DoD and government-funded scientific, technical, engineering, and business related information available today. DTIC's documents are available to DoD personnel and defense contractors, with unclassified documents also available to the public. DTIC's aim is to serve as a vital link in the transfer of information among DoD personnel, DoD contractors, and potential contractors and other U.S. Government agency personnel and their contractors.

Answer option D is incorrect. The Defense Advanced Research Projects Agency (DARPA) is an agency of the United States Department of Defense responsible for the development of new technology for use by the military. DARPA has been responsible for funding the development of many technologies which have had a major effect on the world, including computer networking, as well as NLS, which was both the first hypertext system and an important precursor to the contemporary ubiquitous graphical user interface. DARPA supplies technological options for the entire Department, and is designed to be the 'technological engine' for transforming DoD.

Answer option C is incorrect. The Defense-wide Information Assurance Program (DIAP) protects and supports DoD information, information systems, and information networks, which is important to the Department and the armed forces throughout the day-to-day operations, and in the time of crisis. The DIAP uses the OSD method to plan, observe, organize, and incorporate IA activities. The role of DIAP is to act as a facilitator for program execution by the combatant commanders, Military Services, and Defense Agencies. The DIAP staff combines functional and programmatic skills for a comprehensive Defense-wide approach to IA. The DIAP's main objective is to ensure that the DoD's vital information resources are secured and protected by incorporating IA activities to get a secure net-centric GIG operation enablement and information supremacy by applying a Defense-in-Depth methodology that integrates the capabilities of people, operations, and technology to establish a multi-layer, multidimensional protection.


Question #4

You work as a systems engineer for BlueWell Inc. You want to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. Which of the following processes will you use to accomplish the task?

Correct Answer: A

Information assurance (IA) is the process of organizing and monitoring information-related risks. It ensures that only the approved users have access to the approved information at the approved time. IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and non-repudiation. These objectives are applicable whether the information is in storage, processing, or transit, and whether threatened by an attack.

Answer option D is incorrect. ISSE is a set of processes and solutions used during all phases of a system's life cycle to meet the system's information protection needs.

Answer option C is incorrect. Risk analysis is the science of risks and their probability and evaluation in a business or a process. It is an important factor in security enhancement and prevention in a system. Risk analysis should be performed as part of the risk management process for each project. The outcome of the risk analysis would be the creation or review of the risk register to identify and quantify risk elements to the project and their potential impact.

Answer option B is incorrect. Risk management is a set of processes that ensures a risk-based approach is used to determine adequate, cost-effective security for a system.


Question #5

Which of the following types of cryptography defined by FIPS 185 describes a cryptographic algorithm or a tool accepted by the National Security Agency for protecting classified information?

Correct Answer: D

The types of cryptography defined by FIPS 185 are as follows:

Type I cryptography: It describes a cryptographic algorithm or a tool accepted by the National Security Agency for protecting classified information.

Type II cryptography: It describes a cryptographic algorithm or a tool accepted by the National Security Agency for protecting sensitive, unclassified information in the systems as stated in Section 2315 of Title 10, United States Code, or Section 3502(2) of Title 44, United States Code.

Type III cryptography: It describes a cryptographic algorithm or a tool accepted as a Federal Information Processing Standard.

Type III (E) cryptography: It describes a Type III algorithm or a tool that is accepted for export from the United States.


