Exam (elaborations)

WGU C706 - SECURE SOFTWARE DESIGN COMPREHENSIVE QUESTIONS AND VERIFIED ANSWERS (ALREADY GRADED A+) 2024 UPDATE

Pages: 39
Grade: A+
Uploaded on: 06-05-2024
Written in: 2023/2024


Availability - (correct answer) Availability means authorized subjects are granted
timely and uninterrupted access to objects.

Concepts, conditions, and aspects of availability include the following: - (correct answer) Usability
Accessibility
Timeliness

CIA Triad - (correct answer) Confidentiality, Integrity, Availability

Confidentiality - (correct answer) Confidentiality is the concept of the
measures used to ensure the protection of the secrecy of data, objects, or resources.

Concepts, conditions, and aspects of confidentiality include the following: - (correct answer) Sensitivity
Discretion
Criticality
Concealment
Secrecy
Privacy
Seclusion
Isolation

Integrity - (correct answer) Integrity is the concept of protecting the reliability and
correctness of data.

Concepts, conditions, and aspects of integrity include the following: - (correct answer) Accuracy
Truthfulness
Validity
Accountability
Responsibility
Completeness
Comprehensiveness


DAD Triad - (correct answer) Disclosure, Alteration, and Destruction. The opposite
of the CIA triad.

Authenticity - (correct answer) Authenticity is the security concept that data is
authentic or genuine and originates from its alleged source.

Nonrepudiation - (correct answer) Nonrepudiation ensures that the subject of an
activity or who caused an event cannot
deny that the event occurred.

AAA Services - (correct answer) Refers to five elements:
Identification - Claiming an identity
Authentication - Proving identity
Authorization - Defining allows/denies for an identity
Auditing - Recording log of events
Accounting - Review log files

Defense in Depth - (correct answer) Employing multiple layers of controls to avoid a
single point-of-failure. Also known as layering.

Abstraction - (correct answer) Similar elements are put into groups, classes, or roles
that are assigned security controls, restrictions, or permissions as a collective.

Data Hiding - (correct answer) Preventing data from being discovered or accessed
by a subject by positioning the data in a logical storage compartment that is not
accessible or seen by the subject.

Security Through Obscurity - (correct answer) Relying upon the secrecy or
complexity of an item as its security, instead of practicing solid security practices.
Different from data hiding.

Encryption - (correct answer) A process of encoding messages to keep them secret,
so only "authorized" parties can read it.

Security Boundary - (correct answer) The line of intersection between any two
areas, subnets, or environments that have different security requirements or needs.

Security Governance - (correct answer) The collection of practices related to
supporting, evaluating, defining, and directing the security efforts of an organization.

Third-Party Governance - (correct answer) The system of external entity oversight
that may be mandated by law, regulation, industry standards, contractual obligation, or
licensing requirements.

Documentation Review - (correct answer) Process of reading the exchanged
materials and verifying them against standards and expectations.

Authorization to Operate (ATO) - (correct answer) A formal declaration by a
Designated Approving Authority (DAA) that authorizes operation of a Business Product
and explicitly accepts the risk to agency operations.

Security Function - (correct answer) The aspect of operating a business that
focuses on the task of evaluating and improving security over time.

Security Policy - (correct answer) A formalized statement that defines how
security will be implemented within a particular organization.

Business Case - (correct answer) To demonstrate a business-specific need to alter
an existing process or choose an approach to a business task.

Top-Down Approach - (correct answer) Upper, or senior, management is
responsible for initiating and defining policies for the organization.

Information Security (Infosec) Team - (correct answer) The team or department
responsible for security within an organization.

Chief Information Security Officer (CISO) - (correct answer) Typically considered the
top information security officer in an organization. The CISO is usually not an executive-
level position, and frequently the person in this role reports to the CIO.

Chief Information Officer (CIO) - (correct answer) The senior manager responsible
for the overall management of information resources in an organization.

Chief Executive Officer (CEO) - (correct answer) Corporate officer who has overall
responsibility for managing the business and delegates responsibilities to other
corporate officers.

Chief Technical Officer (CTO) - (correct answer) Focuses on ensuring that
equipment and software work properly to support the business functions.

Strategic Plan - (correct answer) The long-term plan for future activities and
operations, usually involving at least five years.

Tactical Plan - (correct answer) Midterm plan, developed to provide more details on
accomplishing the goals set forth in the strategic plan. Useful for about a year.

Operational Plan - (correct answer) Short-term, highly detailed plan based on the
strategic and tactical plans. Valid only for a short time. Must be updated often.

On-Site Assessment - (correct answer) Visit the site of the organization to interview
personnel and observe their operating habits.

Document Exchange and Review - (correct answer) Investigate the means by which
datasets and documentation are exchanged as well as the formal processes by which
they perform assessments and reviews.

Process/Policy Review - (correct answer) Request copies of their security policies,
processes/procedures, and documentation of incidents and responses for review.

Third-Party Audit - (correct answer) Having an independent third-party auditor, as
defined by the American Institute of Certified Public Accountants (AICPA), can provide
an unbiased review of an entity's security infrastructure, based on Service Organization
Control (SOC) reports.

Service-Level Agreement (SLA) - (correct answer) Formal contract between
customers and their service providers that defines the specific responsibilities of the
service provider and the level of service expected by the customer.

Service-Level Requirement (SLR) - (correct answer) A customer requirement for an
aspect of an IT service. Service level requirements are based on business objectives
and used to negotiate agreed service level targets.

Security Role - (correct answer) The part an individual plays in the overall scheme
of security implementation and administration within an organization.

Senior Manager - (correct answer) Organizational owner, who is ultimately
responsible for the security maintained by an organization and who should be most
concerned about the protection of its assets. Must approve all policies before they are
carried out.

Security Professional - (correct answer) Trained and experienced network, systems,
and security engineer who is responsible for following the directives mandated by senior
management.

Asset Owner - (correct answer) Responsible for classifying information for
placement and protection within the security solution.

Custodian - (correct answer) Responsible for the tasks of implementing the
prescribed protection defined by the security policy and senior management.

User (End User) - (correct answer) Any person that has access to the secured
system.

Auditor - (correct answer) Responsible for reviewing and verifying that the security
policy is properly implemented and the derived security solutions are adequate.

Security Control Framework - (correct answer) Structure of the security solution
desired by the organization.

Control Objectives for Information and Related Technology (COBIT) - (correct answer)
Documented set of best IT security practices crafted by the Information Systems Audit
