CISSP PRACTICE QUESTIONS – 20210127

Effective CISSP Questions

Your organization is planning a penetration test to assess the security and privacy controls in its information systems. From the perspective of NIST SP 800-53A, which of the following is least likely to be one of the primary purposes for conducting penetration testing today?
A. Verify the security or privacy features of an information system.
B. Enhance the organization’s understanding of the system.
C. Uncover weaknesses or deficiencies in the system.
D. Indicate the level of effort required on the part of adversaries to breach the system safeguards.


CISSP PRACTICE QUESTIONS – 20210126

Effective CISSP Questions

The software testing team is evaluating the assessment methods (basic, focused, or comprehensive) for misuse case testing in terms of depth and coverage. It finally decides to conduct comprehensive testing. According to NIST SP 800-53A R4, which of the following is least likely to happen?
A. Review the user interface designs before testing
B. Select a sufficiently large sample of misuse cases
C. Ask developers to present the database schema
D. Use black-box testing to cover as many abuse cases as possible


CISSP PRACTICE QUESTIONS – 20210125

Effective CISSP Questions

Almost all modern computer systems implement protection mechanisms to enforce security policies. Which of the following best describes the key component that complies with the design requirements of a reference validation mechanism and enforces the access control policy over all subjects and objects?
A. Security kernel
B. Reference monitor
C. Trusted computing base
D. Trusted Platform Module


CISSP PRACTICE QUESTIONS – 20210123

Effective CISSP Questions

Your company sells toys on a web site. A hacker hijacked a customer's session by replaying the victim's HTTP cookie as the access token. The system administrator disabled the compromised user account immediately, but the hacker's toy orders keep coming in. Which of the following is the best solution to stop this attack?
A. Resolve the race condition between HTTP requests
B. Ensure the time of use (TOU) is ahead of the time of check (TOC)
C. Conduct complete mediation
D. Validate user inputs
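To make the scenario concrete, the following is an added example (not code from the original post) of why a replayed cookie keeps placing orders after the account is disabled, and what changes when the server re-validates the account on every request instead of trusting the cookie alone. The shop, the user "alice", the item names and the in-memory session store are all constructed for illustration.

```python
"""Session handling in a toy web shop: a request handler that trusts the
session cookie alone, beside one that re-checks the account's current
status on every request. Added example; shop, users and items are
constructed, not taken from any real system."""
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    disabled: bool = False


@dataclass
class Shop:
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)   # cookie value -> username
    orders: list = field(default_factory=list)

    def login(self, username):
        # Authentication happens once, at login, in both variants below.
        user = self.users[username]
        if user.disabled:
            raise PermissionError("account disabled")
        cookie = secrets.token_hex(16)          # opaque session identifier
        self.sessions[cookie] = username
        return cookie

    def disable_account(self, username):
        # The administrator's action from the question: the account is
        # flagged, but existing sessions are not touched. Revoking sessions
        # here would be a complementary control; it still only helps if the
        # server consults the session store on every request.
        self.users[username].disabled = True

    def order_trusting_cookie(self, cookie, item):
        # Weak variant: a recognised cookie is the only check, so a cookie
        # captured earlier keeps working after the account is disabled.
        username = self.sessions.get(cookie)
        if username is None:
            raise PermissionError("no session")
        self.orders.append((username, item))
        return True

    def order_with_complete_mediation(self, cookie, item):
        # Hardened variant: every access re-validates the subject's current
        # status before the order is accepted, and a session whose account no
        # longer qualifies is dropped on the spot.
        username = self.sessions.get(cookie)
        if username is None:
            raise PermissionError("no session")
        if self.users[username].disabled:
            self.sessions.pop(cookie, None)
            raise PermissionError("account disabled")
        self.orders.append((username, item))
        return True


def replay_scenario(mediated):
    """Replay the question's timeline and return how many of the attacker's
    orders still get through after the administrator disables the account."""
    shop = Shop(users={"alice": User("alice")})
    stolen = shop.login("alice")            # attacker captures this cookie
    place = (shop.order_with_complete_mediation if mediated
             else shop.order_trusting_cookie)
    place(stolen, "teddy bear")             # before disabling: works either way
    shop.disable_account("alice")
    accepted_after_disable = 0
    for item in ("toy train", "puzzle"):
        try:
            place(stolen, item)
            accepted_after_disable += 1
        except PermissionError:
            pass
    return accepted_after_disable


if __name__ == "__main__":
    print("orders accepted after disable, cookie-only check:",
          replay_scenario(mediated=False))
    print("orders accepted after disable, per-request re-check:",
          replay_scenario(mediated=True))
```

The point of the two handlers is that a session cookie is evidence of a past authentication, not of the subject's present entitlement; an authorization decision made once and cached in the cookie cannot observe a later change such as the account being disabled. Binding the cookie to the client or validating inputs would not change this outcome, since the replayed cookie is a perfectly well-formed request.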


CISSP PRACTICE QUESTIONS – 20210122

Effective CISSP Questions

Your company is a well-known online music service provider. Consumers install the proprietary player to download and play songs offline. Each piece downloaded is embedded with the consumer’s artificial identifiers or pseudonym and expiration time. Which of the following is the best approach to protecting the copyrighted works while maintaining high sound quality?
A. Metadata
B. Steganography
C. Digital watermark
D. Pseudonymization


CISSP PRACTICE QUESTIONS – 20210121

Effective CISSP Questions

As the enterprise resource planning (ERP) system owner, you chair a meeting and collaborate with data owners and other stakeholders to determine the scope of security controls. The HR head proposes adding a token-based authentication factor to protect personal data. After some discussion, you call for a consensus vote on whether multifactor authentication (MFA) should be implemented. Which of the following is the primary reason that no change request is required to introduce this new control?
A. Configuration management is not implemented.
B. The change control board (CCB) is not chartered.
C. The cost/benefit of the proposal has been justified.
D. The selected security controls have not been signed off.
