question: 1
Which of the following is the first step in the system development life cycle (SDLC) when designing a secure system?
A. Testing and Evaluation
B. Requirements Analysis
C. Design and Architecture
D. Implementation and Deployment

correct answer: B
explanation: The first step in the SDLC is Requirements Analysis, where security requirements are gathered and documented to ensure they are considered throughout the system’s design and development.

---

question: 2
Which of the following is a key objective of security engineering during the system design phase?
A. Identifying system vulnerabilities
B. Ensuring data is encrypted in transit
C. Developing secure coding practices
D. Integrating security requirements into the system architecture

correct answer: D
explanation: During the design phase of security engineering, the primary objective is to integrate security requirements into the system architecture to ensure security is built into the system from the outset.

---

question: 3
Which security control is used to reduce the impact of a successful attack on a system?
A. Preventive Control
B. Detective Control
C. Corrective Control
D. Compensating Control

correct answer: C
explanation: Corrective controls are implemented to reduce the impact of a successful attack by addressing the damage after it has occurred, such as through system restoration or recovery processes.

---

question: 4
In the context of the system life cycle, which of the following is most critical during the operational phase of the system?
A. System testing
B. Continuous monitoring and vulnerability management
C. Software development
D. Design and architecture

correct answer: B
explanation: During the operational phase, continuous monitoring and vulnerability management are critical to maintaining the system’s security posture and ensuring it remains secure against evolving threats.

---

question: 5
Which of the following risk management strategies involves accepting the risk because the cost of mitigating it exceeds the potential loss?
A. Risk Avoidance
B. Risk Transference
C. Risk Acceptance
D. Risk Reduction

correct answer: C
explanation: Risk Acceptance is a strategy where the organization chooses to accept the identified risk, typically because the cost of mitigation is higher than the potential loss from the risk.

---

question: 6
Which of the following NIST standards provides guidelines for securing federal information systems?
A. NIST SP 800-53
B. NIST SP 800-171
C. NIST SP 800-30
D. NIST SP 800-115

correct answer: A
explanation: NIST SP 800-53 provides security controls for federal information systems and organizations, focusing on ensuring compliance with FISMA and other U.S. federal regulations.

---

question: 7
Which security engineering principle ensures that a system will be able to recover to its operational state after a disruption?
A. Availability
B. Confidentiality
C. Integrity
D. Non-repudiation

correct answer: A
explanation: Availability is the security principle that ensures a system can continue to function or quickly recover after a disruption, ensuring access to resources is maintained.

---

question: 8
Which of the following phases of the SDLC is focused on verifying that security requirements have been met and the system is functioning as intended?
A. Design
B. Development
C. Testing
D. Deployment

correct answer: C
explanation: The Testing phase is when the system is verified to ensure that it meets all the security requirements, including functional and non-functional aspects, and that it works as intended.

---

question: 9
Which of the following security practices is considered an example of defense in depth?
A. Using a firewall as the only security control
B. Relying solely on anti-virus software
C. Implementing multiple layers of security such as encryption, firewalls, and access controls
D. Only monitoring the perimeter of the network for threats

correct answer: C
explanation: Defense in depth refers to the strategy of using multiple layers of security controls to protect systems and data. This could include firewalls, encryption, access controls, and intrusion detection systems.

---

question: 10
Which of the following security engineering concepts emphasizes designing a system that assumes attackers will succeed and builds systems that can withstand and recover from attacks?
A. Secure by Design
B. Least Privilege
C. Fail-Safe Design
D. Robustness

correct answer: D
explanation: Robustness in security engineering involves designing systems that can withstand and recover from attacks, assuming that security breaches may occur and planning accordingly to minimize their impact.

---

question: 11
What is the primary purpose of the Security Requirements Analysis (SRA) in the system design phase?
A. To identify and document potential security threats
B. To ensure compliance with regulatory standards
C. To define the security controls necessary for the system
D. To evaluate the system’s security architecture

correct answer: C
explanation: The primary purpose of the Security Requirements Analysis (SRA) is to define the security controls necessary to protect the system, ensuring that security is considered early in the design phase.

---

question: 12
Which compliance framework is most closely aligned with ensuring the security of U.S. government systems?
A. PCI DSS
B. ISO/IEC 27001
C. NIST SP 800-53
D. COBIT

correct answer: C
explanation: NIST SP 800-53 is the framework aligned with securing U.S. government systems, providing guidelines and security controls for federal agencies and contractors working with sensitive information.

---

question: 13
In security engineering, which principle involves ensuring that only authorized users have access to specific resources based on their role?
A. Least Privilege
B. Separation of Duties
C. Need to Know
D. Role-Based Access Control (RBAC)

correct answer: A
explanation: The principle of Least Privilege ensures that users are given the minimum level of access necessary for their job functions, reducing the risk of unauthorized access to resources.

---

question: 14
In risk management, which term refers to the process of analyzing threats and vulnerabilities to identify the potential impact on a system?
A. Risk Assessment
B. Risk Mitigation
C. Risk Transference
D. Risk Acceptance

correct answer: A
explanation: Risk Assessment is the process of identifying and analyzing threats and vulnerabilities to evaluate the potential impact and likelihood of risks to the system.

---

question: 15
Which framework defines the minimum security requirements for information systems used by federal agencies in the U.S.?
A. NIST SP 800-53
B. ISO/IEC 27001
C. COBIT
D. ITIL

correct answer: A
explanation: NIST SP 800-53 defines the minimum security requirements for information systems used by U.S. federal agencies, detailing security controls to protect federal systems and information.

question: 16
What is the primary purpose of security engineering during the system architecture phase?
A. To implement encryption for data in transit
B. To establish the overall security posture and ensure secure design decisions
C. To test the effectiveness of security controls
D. To manage user access and permissions

correct answer: B
explanation: During the system architecture phase, the primary purpose of security engineering is to establish the overall security posture and ensure that secure design decisions are made, such as selecting appropriate security controls and practices.

---

question: 17
Which of the following security practices ensures that only authorized personnel can modify system configurations?
A. User Authentication
B. Access Control
C. Encryption
D. Data Masking

correct answer: B
explanation: Access Control ensures that only authorized personnel can access or modify system configurations, reducing the risk of unauthorized changes.

---

question: 18
Which of the following describes a security engineering practice that is designed to reduce the likelihood of security flaws being introduced during the development phase?
A. Secure Coding Practices
B. Security Testing
C. Risk Management
D. Incident Response

correct answer: A
explanation: Secure Coding Practices are a security engineering practice that minimizes the risk of security flaws by following guidelines and using tools to ensure code is written securely.

---

question: 19
What is the first step in conducting a threat modeling exercise during system development?
A. Identify potential attackers and their motives
B. Define security policies and requirements
C. Perform a risk assessment
D. Develop a list of system assets

correct answer: D
explanation: The first step in threat modeling is to develop a list of system assets, which helps identify what needs protection and forms the foundation for identifying potential threats.

---

question: 20
Which of the following is a common principle of defense in depth that ensures security is applied across multiple layers?
A. Single point of failure
B. Redundancy
C. Segmentation
D. Flat architecture

correct answer: C
explanation: Segmentation is a key principle of defense in depth, dividing the system into multiple segments and applying security controls at each layer to ensure protection across the entire environment.

---

question: 21
Which of the following risk management activities is concerned with the process of identifying potential threats and vulnerabilities, and their potential impact on a system?
A. Risk Assessment
B. Risk Mitigation
C. Risk Acceptance
D. Risk Transference

correct answer: A
explanation: Risk Assessment is the process of identifying and evaluating potential threats and vulnerabilities to determine the overall impact on the system and inform the appropriate risk response.

---

question: 22
Which of the following is NOT typically considered a part of the system security life cycle?
A. Design and Architecture
B. Procurement and Deployment
C. Ongoing Operations and Maintenance
D. Termination and Decommissioning

correct answer: B
explanation: Procurement and Deployment is not considered part of the system security life cycle, which typically includes design, operations and maintenance, and decommissioning.

---

question: 23
Which of the following practices is part of the incident response process to ensure a rapid recovery from a security incident?
A. Vulnerability scanning
B. Continuous monitoring
C. Data backup and restoration
D. Security patch management

correct answer: C
explanation: Data backup and restoration is a critical part of the incident response process to ensure that system integrity can be quickly restored following a security incident or breach.

---

question: 24
In the context of security engineering, which of the following activities is involved in the implementation phase of a secure system?
A. Conducting penetration testing
B. Installing security controls and applying patches
C. Designing the system architecture
D. Developing the system’s security requirements

correct answer: B
explanation: The implementation phase involves installing security controls (such as firewalls, access controls) and applying patches to secure the system and reduce vulnerabilities.

---

question: 25
Which of the following standards outlines the minimum security controls for information systems in the U.S. federal government?
A. NIST SP 800-53
B. ISO 27001
C. PCI DSS
D. SOC 2

correct answer: A
explanation: NIST SP 800-53 provides the minimum security controls required for federal information systems in the U.S., serving as a guideline for securing government systems and their data.

---

question: 26
Which type of testing involves evaluating a system’s security without knowledge of its internal workings or architecture?
A. White-box Testing
B. Black-box Testing
C. Gray-box Testing
D. Penetration Testing

correct answer: B
explanation: Black-box testing is a method where the tester evaluates the system’s security without any prior knowledge of the system’s internal workings, focusing solely on input/output and functional behaviors.

---

question: 27
Which of the following security practices ensures the confidentiality of sensitive data during the transmission over a network?
A. Data Encryption
B. Multi-factor Authentication
C. Access Control
D. Logging and Monitoring

correct answer: A
explanation: Data Encryption ensures the confidentiality of sensitive data during transmission, preventing unauthorized access during communication over insecure channels.

---

question: 28
What is the primary objective of a Security Requirements Traceability Matrix (SRTM) in a secure system’s development?
A. To identify vulnerabilities in the system
B. To map security requirements to system design elements
C. To monitor security threats in real-time
D. To evaluate system performance under attack

correct answer: B
explanation: The Security Requirements Traceability Matrix (SRTM) is used to map security requirements to system design elements, ensuring that all security objectives are addressed during development.

---

question: 29
Which of the following is the main benefit of implementing role-based access control (RBAC) in a secure system?
A. Reducing system complexity
B. Ensuring users have the necessary access based on their role
C. Preventing unauthorized software installations
D. Improving system performance

correct answer: B
explanation: Role-based access control (RBAC) ensures that users have the necessary access based on their job roles, preventing unauthorized access to sensitive data or system resources.

---

question: 30
Which of the following security measures is the most effective for protecting data stored on a mobile device?
A. Remote wipe functionality
B. Full disk encryption
C. Password complexity requirements
D. Virtual Private Network (VPN)

correct answer: B
explanation: Full disk encryption is the most effective measure for protecting data on a mobile device, as it ensures that all stored data is encrypted, making it inaccessible without the correct decryption key.

question: 31
Which of the following is an essential practice to ensure that a system remains secure after it has been deployed?
A. Encryption of all sensitive data
B. Regular vulnerability assessments and patch management
C. Reducing system complexity
D. Limiting user access

correct answer: B
explanation: After deployment, it is critical to perform regular vulnerability assessments and patch management to ensure that security flaws are identified and mitigated promptly to maintain a secure system.

---

question: 32
Which of the following is the primary goal of security testing during the system development life cycle (SDLC)?
A. To confirm the system meets all functional requirements
B. To evaluate whether security controls are effective and operational
C. To develop user documentation
D. To verify the system’s performance

correct answer: B
explanation: Security testing aims to evaluate whether the implemented security controls are effective in mitigating risks and whether the system is secure against potential threats.

---

question: 33
In the context of security engineering, which principle involves ensuring that system components cannot be bypassed or circumvented by attackers?
A. Fail-Safe Design
B. Least Privilege
C. Separation of Duties
D. Defense in Depth

correct answer: A
explanation: Fail-Safe Design ensures that if a failure occurs, the system will default to a secure state. It prevents attackers from bypassing or circumventing security mechanisms.

---

question: 34
Which of the following is the primary goal of security engineering in the context of a system’s architecture?
A. To design systems that are resilient to attacks and minimize security risks
B. To ensure compliance with regulatory standards
C. To enhance system performance and scalability
D. To monitor and analyze system traffic for security breaches

correct answer: A
explanation: The primary goal of security engineering in system architecture is to design systems that are resilient to attacks, ensuring that security risks are minimized and that security controls are built into the design.

---

question: 35
Which of the following is an example of a preventive control used to reduce the likelihood of a security incident?
A. Intrusion Detection System (IDS)
B. Security Information and Event Management (SIEM)
C. Multi-factor Authentication (MFA)
D. Incident Response Plan

correct answer: C
explanation: Multi-factor Authentication (MFA) is a preventive control that reduces the likelihood of unauthorized access by requiring multiple forms of authentication before granting access.

---

question: 36
Which of the following NIST standards specifically provides guidelines for risk management and assessing the risk to information systems?
A. NIST SP 800-53
B. NIST SP 800-30
C. NIST SP 800-171
D. NIST SP 800-115

correct answer: B
explanation: NIST SP 800-30 provides guidelines for performing risk assessments and managing risks to information systems, helping organizations identify vulnerabilities and threats to their assets.

---

question: 37
Which of the following is a key benefit of implementing security metrics during the system design phase?
A. Identifying performance bottlenecks
B. Monitoring system efficiency
C. Measuring the effectiveness of security controls and policies
D. Improving user experience

correct answer: C
explanation: Security metrics help to measure the effectiveness of security controls, policies, and the overall security posture of the system. These metrics provide insight into whether security objectives are being achieved.

---

question: 38
Which of the following is the most appropriate method to verify the effectiveness of the implemented security controls in a system?
A. Regular penetration testing
B. Installing firewalls
C. Limiting user privileges
D. Encrypting sensitive data

correct answer: A
explanation: Regular penetration testing is the most appropriate method to verify the effectiveness of security controls by simulating real-world attacks to identify vulnerabilities that may not be mitigated by existing controls.

---

question: 39
Which security principle involves ensuring that only those who need access to specific data or resources are authorized to access it?
A. Separation of Duties
B. Least Privilege
C. Need to Know
D. Data Minimization

correct answer: C
explanation: The Need to Know principle restricts access to sensitive data based on the user’s role or necessity, ensuring that only those who require access for specific tasks are authorized to access the information.

---

question: 40
What is the primary purpose of implementing security baselines for a system during the development phase?
A. To reduce system complexity
B. To ensure compliance with regulatory standards
C. To provide a reference for implementing consistent security controls across the system
D. To improve system performance

correct answer: C
explanation: Security baselines are established to provide a consistent reference point for implementing security controls throughout the system, ensuring a consistent level of security across the entire system.

---

question: 41
Which of the following security strategies involves distributing system components across multiple servers or networks to prevent a single point of failure?
A. Redundancy
B. Segmentation
C. Virtualization
D. Authentication

correct answer: A
explanation: Redundancy involves distributing system components across multiple servers or networks to ensure continuity of operations even in the event of a failure.

---

question: 42
Which of the following is a key activity in the decommissioning phase of the system lifecycle?
A. Implementing new security controls
B. Securely erasing data from all system storage
C. Conducting penetration testing
D. Updating user access permissions

correct answer: B
explanation: During the decommissioning phase, it is crucial to securely erase data from all system storage to prevent unauthorized recovery or access to sensitive information after the system is no longer in use.

---

question: 43
What is the main objective of security auditing within the context of a system’s operations?
A. To detect and mitigate system vulnerabilities
B. To ensure the system meets business requirements
C. To verify the compliance of system operations with security policies
D. To optimize system performance

correct answer: C
explanation: Security auditing is performed to verify that the system’s operations are in compliance with established security policies and procedures, ensuring the ongoing integrity and security of the system.

---

question: 44
Which of the following security requirements is typically part of system design to protect data at rest?
A. Firewalls
B. Intrusion Detection Systems (IDS)
C. Full Disk Encryption
D. Multi-factor Authentication (MFA)

correct answer: C
explanation: Full Disk Encryption is a key security requirement designed to protect data at rest, ensuring that the data is inaccessible without the proper decryption key.

---

question: 45
Which of the following security standards is specifically designed to provide guidance for securing cloud environments?
A. ISO 27001
B. NIST SP 800-53
C. CSA Cloud Controls Matrix (CCM)
D. PCI DSS

correct answer: C
explanation: The CSA Cloud Controls Matrix (CCM) provides guidance for securing cloud environments by offering a comprehensive set of controls designed for the unique challenges of cloud security.

question: 46
Which risk response strategy involves transferring the impact of a risk to a third party?
A. Risk Avoidance
B. Risk Mitigation
C. Risk Acceptance
D. Risk Transference

correct answer: D
explanation: Risk transference means shifting the impact of a risk to a third party, such as through insurance or outsourcing.

---

question: 47
What is the primary goal of the system security plan (SSP)?
A. Define business goals
B. Outline user access policies
C. Document security controls and how they are implemented
D. Establish a network diagram

correct answer: C
explanation: The SSP details the system’s security controls, how they’re implemented, and the roles and responsibilities related to those controls.

---

question: 48
Which of the following is an example of a technical control?
A. Security awareness training
B. Role-based access control
C. Background checks
D. Separation of duties

correct answer: B
explanation: Technical controls use technology to enforce security, and role-based access control is a prime example.

---

question: 49
Which concept ensures that no single person has complete control over a critical process?
A. Need to Know
B. Defense in Depth
C. Separation of Duties
D. Least Privilege

correct answer: C
explanation: Separation of Duties (SoD) ensures that tasks are divided among individuals to reduce the risk of fraud or error.

---

question: 50
What is the purpose of Security Engineering Risk Analysis (SERA) in the ISSEP framework?
A. To ensure compliance with NIST SP 800-171
B. To define encryption algorithms for the system
C. To assess and prioritize security risks during system development
D. To implement baseline configurations

correct answer: C
explanation: SERA is used to identify, assess, and prioritize security risks early in the development life cycle.

---

question: 51
Which activity is typically conducted before the development of system architecture begins?
A. Security control assessment
B. Certification and accreditation
C. Requirements analysis
D. Configuration management

correct answer: C
explanation: Requirements analysis is foundational and must occur early to guide secure system architecture and design.

---

question: 52
In the context of the ISSEP, what does Tailoring mean when applying a security control framework?
A. Replacing federal standards with private ones
B. Eliminating all low-impact controls
C. Customizing the control set to meet the specific needs of the system
D. Using only mandatory controls

correct answer: C
explanation: Tailoring allows organizations to customize security controls to fit the unique context and risk level of the system.

---

question: 53
What is the role of configuration management in system security?
A. To eliminate legacy systems
B. To document system requirements
C. To ensure changes do not introduce new vulnerabilities
D. To enable encryption protocols

correct answer: C
explanation: Configuration management ensures that all changes are tracked and tested, preventing the introduction of new vulnerabilities.

---

question: 54
Which documentation would most likely define how to protect classified data on an information system?
A. Security Training Plan
B. Disaster Recovery Plan
C. System Security Plan (SSP)
D. Security Concept of Operations (SECONOPS)

correct answer: C
explanation: The SSP outlines how classified or sensitive data is protected through implemented controls.

---

question: 55
Which of the following best describes a residual risk?
A. A risk ignored by management
B. A risk with no known mitigation
C. The remaining risk after controls have been applied
D. A newly discovered risk

correct answer: C
explanation: Residual risk is what’s left after mitigation controls have been applied to reduce risk.

question: 56
Which NIST publication provides guidelines on applying the Risk Management Framework (RMF) to federal information systems?
A. NIST SP 800-30
B. NIST SP 800-171
C. NIST SP 800-37
D. NIST SP 800-53A

correct answer: C
explanation: NIST SP 800-37 provides guidance on applying the Risk Management Framework (RMF) to federal information systems, including steps like categorization, selection, implementation, and assessment of controls.

---

question: 57
What is the purpose of the Security Concept of Operations (SECONOPS) document?
A. To outline disaster recovery strategies
B. To describe how the system will be used securely in its operational environment
C. To define encryption and cryptographic policies
D. To document user training and awareness

correct answer: B
explanation: The SECONOPS describes how the system will operate securely within its environment, detailing secure procedures, roles, and interactions.

---

question: 58
Which role is responsible for accepting the residual risk of an information system in the RMF process?
A. Security Control Assessor
B. System Owner
C. Authorizing Official
D. System Developer

correct answer: C
explanation: The Authorizing Official (AO) is responsible for accepting the residual risk and formally authorizing the system to operate.

---

question: 59
Which of the following best describes the assurance concept in security engineering?
A. That a control meets the baseline requirements
B. That stakeholders agree on system requirements
C. That the system meets operational goals
D. That the controls are implemented correctly and function as intended

correct answer: D
explanation: Assurance means there is confidence that the system’s security controls are correctly implemented and will operate as expected.

---

question: 60
Which activity is performed during the Select step of the RMF process?
A. Choose and document security controls
B. Test the effectiveness of controls
C. Monitor ongoing system operations
D. Approve the system for deployment

correct answer: A
explanation: During the Select step, the organization chooses, tailors, and documents security controls based on system categorization and risk.

---

question: 61
Which of the following would best support continuous monitoring in a secure system lifecycle?
A. Penetration testing
B. Intrusion prevention systems
C. Automated vulnerability scanning tools
D. Firewalls

correct answer: C
explanation: Automated vulnerability scanning tools help perform continuous monitoring by identifying changes and emerging threats regularly.

---

question: 62
What is a key consideration when integrating security into the SDLC?
A. Security testing should occur after deployment
B. Security is only needed for classified systems
C. Security should be considered in every phase
D. Security controls should be the same for all systems

correct answer: C
explanation: Security must be embedded into each phase of the Software Development Life Cycle (SDLC) for a secure final product.

---

question: 63
During which RMF step is a Security Assessment Report (SAR) developed?
A. Select
B. Authorize
C. Assess
D. Implement

correct answer: C
explanation: The Assess step involves evaluating the implementation of security controls and producing a Security Assessment Report (SAR).

---

question: 64
Which of the following controls would be considered compensating?
A. A firewall that restricts all outbound traffic
B. A manual approval process that replaces automated validation
C. A requirement for two-factor authentication
D. An antivirus system on endpoints

correct answer: B
explanation: Compensating controls are alternative measures put in place when primary controls cannot be implemented. A manual approval process can serve this purpose.

---

question: 65
What is the primary focus of the Monitor step in the RMF?
A. Tailoring controls to meet system needs
B. Documenting security policies
C. Continuously tracking and assessing security controls
D. Establishing system boundaries

correct answer: C
explanation: The Monitor step is focused on ongoing assessment, tracking, and evaluation of security controls to ensure continuous protection of the system.