142 Chapter 6 ■ Security Assessment and Testing (Domain 6)
- Jim is helping his organization decide on audit standards for use throughout their interna-
tional organization. Which of the following is not an IT standard that Jim’s organization
is likely to use as part of its audits?
A. COBIT
B. SSA E -18
C. ITIL
D. ISO 27002 - Which of the following best describes a typical process for building and implementing an
Information Security Continuous Monitoring program as described by NIST Special Pub-
lication 800-137?
A. Define, establish, implement, analyze and report, respond, review, and update
B. Design, build, operate, analyze, respond, review, revise
C. Prepare, detect and analyze, contain, respond, recover, report
D. Define, design, build, monitor, analyze, react, revise - Lauren’s team conducts regression testing on each patch that they release. What key per-
formance measure should they maintain to measure the effectiveness of their testing?
A. Time to remediate vulnerabilities
B. A measure of the rate of defect recurrence
C. A weighted risk trend
D. A measure of the specific coverage of their testing - Which of the following types of code review is not typically performed by a human?
A. Software inspections
B. Code review
C. Static program analysis
D. Software walkthroughs
For questions 63–65, please refer to the following scenario:
Susan is the lead of a Quality Assurance team at her company. The team has been tasked
with the testing for a major release of their company’s core software product.
- Susan’s team of software testers are required to test every code path, including those that
will only be used when an error condition occurs. What type of testing environment does
her team need to ensure complete code coverage?
A. White box
B. Gray box
C. Black box
D. Dynamic