How to pass the ISC2 CSSLP exam with the help of dumps?
DumpsPool provides the high-quality resources you have been looking for. So it is time to stop stressing and get ready for the exam. Our Online Test Engine gives you the guidance you need to pass the certification exam. We guarantee top-grade results because we have covered each topic precisely and understandably. Our expert team prepared the latest ISC2 CSSLP Dumps to meet your training needs, and they come in two formats: Dumps PDF and Online Test Engine.
How Do I Know ISC2 CSSLP Dumps Are Worth It?
Did we mention our latest CSSLP Dumps PDF is also available as an Online Test Engine? And that is just where things start to take root. Of all the features offered at DumpsPool, the money-back guarantee has to be the best one. Now that you know you do not have to worry about payment, let us explore the other reasons you would want to buy from us. Besides affordable Real Exam Dumps, you are offered three months of free updates.
You can easily scroll through our large catalog of certification exams and pick any exam to start your training. That is right, DumpsPool is not limited to ISC2 exams. We believe our customers need the support of an authentic and reliable resource, so we make sure there is never any outdated content in our study resources. Our expert team keeps everything up to the mark by watching every single update. Our main concern is that you understand the real exam format, so you can pass the exam more easily.
IT Students Are Using Our Certified Secure Software Lifecycle Professional Dumps Worldwide!
Certification exams are hard to conquer without some help from experts, and that is exactly the point of using Certified Secure Software Lifecycle Professional Practice Question Answers. You are surrounded by IT experts who have been through what you are about to and know the way. The 24/7 customer service of DumpsPool keeps you in touch with these experts whenever needed. Our 100% success rate and worldwide validity make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt, and with the money-back guarantee you can buy from us with confidence. You can claim a refund if you do not pass the exam.
How to Get CSSLP Real Exam Dumps?
Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but most of them sell scams or copied content. So, if you are going to attempt the CSSLP exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and up to date as they can be. Plus, our Practice Question Answers are tested and approved by professionals, making them the most authentic resource available on the internet. Our experts have made sure the Online Test Engine is free from outdated or fake content, repeated questions, and false or vague information. We make every penny count, and you leave our platform fully satisfied!
ISC2 CSSLP Sample Question Answers
Question # 1
Under which type of access control does a user ID and password system fall?
A. Physical B. Technical C. Power D. Administrative
Answer: B
Explanation: Technical access controls include user ID and password systems, IDS systems, encryption, network segmentation, and antivirus controls. Answer: D is incorrect. The policies and procedures implemented by an organization come under administrative access controls. Answer: A is incorrect. Security guards, locks on the gates, and alarms come under physical access controls. Answer: C is incorrect. There is no such type of access control as power control.
Question # 2
Which of the following phases of the NIST SP 800-37 C&A methodology examines the residual risk for acceptability, and prepares the final security accreditation package?
A. Security Accreditation B. Initiation C. Continuous Monitoring D. Security Certification
Answer: A
Explanation: The various phases of NIST SP 800-37 C&A are as follows. Phase 1, Initiation: this phase includes preparation, notification and resource identification; it performs the security plan analysis, update, and acceptance. Phase 2, Security Certification: this phase evaluates the controls and documentation. Phase 3, Security Accreditation: this phase examines the residual risk for acceptability and prepares the final security accreditation package. Phase 4, Continuous Monitoring: this phase covers configuration management and control, ongoing security control verification, and status reporting and documentation.
Question # 3
The Systems Development Life Cycle (SDLC) is the process of creating or altering systems, and the models and methodologies that people use to develop these systems. Which of the following are the different phases of the system development life cycle? Each correct answer represents a complete solution. Choose all that apply.
A. Testing B. Implementation C. Operation/maintenance D. Development/acquisition E. Disposal F. Initiation
Answer: B,C,D,E,F
Explanation: The Systems Development Life Cycle (SDLC), or Software Development Life Cycle in systems engineering, information systems, and software engineering, is the process of creating or altering systems, and the models and methodologies that people use to develop these systems. The concept generally refers to computers or information systems. The following are the five phases in a generic System Development Life Cycle: Initiation; Development/acquisition; Implementation; Operation/maintenance; Disposal. Answer: A is incorrect. Testing is an activity performed within these phases rather than a phase of its own.
Question # 4
Which of the following describes the acceptable amount of data loss measured in time?
A. Recovery Point Objective (RPO) B. Recovery Time Objective (RTO) C. Recovery Consistency Objective (RCO) D. Recovery Time Actual (RTA)
Answer: A
Explanation: The Recovery Point Objective (RPO) describes the acceptable amount of
data loss measured in time. It is the point in time to which data must be recovered as
defined by the organization. The RPO is generally a definition of what an organization
determines is an "acceptable loss" in a disaster situation. If the RPO of a company is 2
hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2
hours. Based on this RPO the data must be restored to within 2 hours of the disaster.
Answer: B is incorrect. The Recovery Time Objective (RTO) is the duration of time and a
service level within which a business process must be restored after a disaster or
disruption in order to avoid unacceptable consequences associated with a break in
business continuity. It includes the time for trying to fix the problem without a recovery, the
recovery itself, tests and the communication to the users. Decision time for user
representative is not included. The business continuity timeline usually runs parallel with an
incident management timeline and may start at the same, or different, points. In accepted
business continuity planning methodology, the RTO is established during the Business
Impact Analysis (BIA) by the owner of a process (usually in conjunction with the Business
Continuity planner). The RTOs are then presented to senior management for acceptance.
The RTO attaches to the business process and not the resources required to support the
process. Answer: D is incorrect. The Recovery Time Actual (RTA) is established during an
exercise, actual event, or predetermined based on recovery methodology the technology
support team develops. This is the time frame the technology support takes to deliver the
recovered infrastructure to the business. Answer: C is incorrect. The Recovery Consistency
Objective (RCO) is used in Business Continuity Planning in addition to Recovery Point
Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency
objectives to Continuous Data Protection services.
Question # 5
Rob is the project manager of the IDLK Project for his company. This project has a budget of $5,600,000 and is expected to last 18 months. Rob has learned that a new law may affect how the project is allowed to proceed, even though the organization has already invested over $750,000 in the project. What risk response is the most appropriate for this instance?
A. Transference B. Enhance C. Mitigation D. Acceptance
Answer: D
Explanation: At this point all that Rob can likely do is accept the risk event. Because this is an external risk, there is little that Rob can do other than document the risk and share the news with management and the project stakeholders. If the law is passed, Rob can then choose the most appropriate way for the project to continue. The acceptance response is part of the Risk Response Planning process. It means that the project plan will not be changed to deal with the risk; management may develop a contingency plan in case the risk does occur. Acceptance can be used for risks that pose either threats or opportunities, and it comes in two types. Passive acceptance: no plans are made to avoid or mitigate the risk. Active acceptance: contingency reserves are developed to deal with the risk in case it occurs. Acceptance is the one response that applies to both threats and opportunities. Answer: A is incorrect. Transference transfers the ownership of the risk event to a third party, usually through a contractual agreement. Answer: B is incorrect. Enhance is a risk response that tries to increase the probability and/or impact of a positive risk event (an opportunity). Answer: C is incorrect. Mitigation aims to lower the probability and/or impact of the risk event.
Question # 6
Which of the following terms refers to a mechanism which proves that the sender really sent a particular message?
A. Confidentiality B. Non-repudiation C. Authentication D. Integrity
Answer: B
Explanation: Non-repudiation is a mechanism which proves that the sender really sent a message. It provides evidence of the identity of the sender and of message integrity. It also prevents a person from denying the submission or delivery of the message and the integrity of its contents. Answer: C is incorrect. Authentication is the process of verifying the identity of a person or network host. Answer: A is incorrect. Confidentiality ensures that no one can read a message except the intended receiver. Answer: D is incorrect. Integrity assures the receiver that the received message has not been altered in any way from the original.
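The difference between authentication and non-repudiation is clearest when the two mechanisms sit side by side. The following added example (not code from the original page or from ISC2) contrasts an HMAC, which proves integrity and origin only to someone who holds the shared key, with a digital signature, which anyone holding the public key can verify and only the private-key holder can produce. The signature part is textbook RSA over a SHA-256 digest with two fixed, well-known Mersenne primes so that the block runs offline with the standard library; that construction, without padding, is an assumption made for teaching and is not suitable for real systems (use a vetted library with RSA-PSS or Ed25519). The messages and key are constructed.

```python
import hashlib
import hmac

# ---- Shared-key MAC (HMAC-SHA256): authentication and integrity only ----

def mac_tag(key, message):
    """Tag the message with a key that both sender and receiver hold."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key, message, tag):
    """Constant-time comparison so verification does not leak the tag byte by byte."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def receiver_can_forge_mac(shared_key, message):
    """The receiver knows the same key, so it can mint a valid tag for any message
    and later claim the sender wrote it. A MAC therefore cannot settle a dispute
    between the two parties: no non-repudiation."""
    return mac_verify(shared_key, message, mac_tag(shared_key, message))


# ---- Textbook RSA signature over SHA-256: non-repudiation ----
# Assumed toy parameters for illustration: two known Mersenne primes, no padding.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent; only the signer holds D


def _digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(private_exponent, message):
    return pow(_digest_int(message), private_exponent, N)


def verify(public_exponent, message, signature):
    """Anyone holding (E, N) can check this, including a third party settling a
    dispute; only the holder of D could have produced a signature that passes,
    and any change to the message breaks it (origin + integrity + non-repudiation)."""
    return pow(signature, public_exponent, N) == _digest_int(message)


def receiver_can_forge_signature(message):
    """The receiver has only the public exponent; exponentiating the digest with E
    does not produce a value that verifies, so it cannot fabricate the sender's signature."""
    attempt = pow(_digest_int(message), E, N)
    return verify(E, message, attempt)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    msg = b"transfer 100 to Bob"
    print("receiver can forge MAC:      ", receiver_can_forge_mac(key, msg))        # True
    print("receiver can forge signature:", receiver_can_forge_signature(msg))      # False
```

The practical takeaway is that an HMAC-protected message is good evidence *between* sender and receiver, but only a signature, verified with the signer's public key, is evidence the receiver can show to someone else.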
Question # 7
Which of the following are the important areas addressed by a software system's security policy? Each correct answer represents a complete solution. Choose all that apply.
A. Identification and authentication B. Punctuality C. Data protection D. Accountability E. Scalability F. Access control
Answer: A,C,D,F
Explanation: The security policy of a software system addresses the following important areas: access control, data protection, confidentiality, integrity, identification and authentication, communication security, and accountability. Answer: B and E are incorrect. Punctuality and scalability are not addressed by a software system's security policy.
Question # 8
Which of the following is a patch management utility that scans one or more computers on a network, alerts a user if any important Microsoft security patches are missing, and also provides links that enable those missing patches to be downloaded and installed?
A. MABS B. ASNB C. MBSA D. IDMS
Answer: C
Explanation: Microsoft Baseline Security Analyzer (MBSA) is a tool with both a graphical and a command-line interface that can perform local or remote scans of Windows systems. It runs on computers running the Windows 2000, Windows XP, or Windows Server 2003 operating systems. MBSA scans for common security misconfigurations in Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS) 4.0 and above, SQL Server 7.0 and 2000, and Office 2000 and 2002. It also scans for missing hotfixes in several Microsoft products, such as Windows 2000, Windows XP, and SQL Server. Answer: A, B, and D are incorrect. These are invalid options.
Question # 9
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He finds that the We-are-secure server is vulnerable to attacks. As a countermeasure, he suggests that the Network Administrator should remove the IPP printing capability from the server. He is suggesting this as a countermeasure against __________.
A. SNMP enumeration B. IIS buffer overflow C. NetBIOS NULL session D. DNS zone transfer
Answer: B
Explanation: Removing the IPP printing capability from a server is a good countermeasure against an IIS buffer overflow attack. A Network Administrator should take the following steps to protect a Web server from IIS buffer overflow attacks: conduct frequent scans for server vulnerabilities; install the upgrades of Microsoft service packs; implement effective firewalls; apply the URLScan and IISLockdown utilities; remove the IPP printing capability.
Answer: D is incorrect. The following are the DNS zone transfer countermeasures. Do not allow DNS zone transfer using the DNS property sheet: a. Open DNS. b. Right-click a DNS zone and click Properties. c. On the Zone Transfers tab, clear the Allow zone transfers check box. Configure the master DNS server to allow zone transfers only to secondary DNS servers: a. Open DNS. b. Right-click a DNS zone and click Properties. c. On the Zone Transfers tab, select the Allow zone transfers check box, and then do one of the following: to allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to servers listed on the Name Servers tab; to allow zone transfers only to specific DNS servers, click Only to the following servers, and add the IP address of one or more servers. Deny all unauthorized inbound connections to TCP port 53. Implement DNS keys and encrypted DNS payloads.
Answer: A is incorrect. The following are the countermeasures against SNMP enumeration: 1. Removing the SNMP agent or disabling the SNMP service. 2. Changing the default PUBLIC community name when shutting off SNMP is not an option. 3. Implementing the Group Policy security option called Additional restrictions for anonymous connections. 4. Restricting access to NULL session pipes and NULL session shares. 5. Upgrading SNMP Version 1 to the latest version. 6. Implementing access control list filtering to allow access to the read-write community only from approved stations or subnets.
Answer: C is incorrect. NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities: 1. Null sessions require access to TCP port 139 or TCP port 445, which can be blocked by a Network Administrator. 2. A Network Administrator can also disable SMB services entirely on individual hosts by unbinding WINS Client (TCP/IP) from the interface. 3. A Network Administrator can also restrict the anonymous user by editing the registry: a. Open regedt32 and go to HKLM\SYSTEM\CurrentControlSet\Control\Lsa. b. Choose Edit > Add Value. Value name: RestrictAnonymous; Data type: REG_DWORD; Value: 2.
Question # 10
"Enhancing the Development Life Cycle to Produce Secure Software" summarizes the tools and practices that are helpful in producing secure software. What are these tools and practices? Each correct answer represents a complete solution. Choose three.
A. Leverage attack patterns B. Compiler security checking and enforcement C. Tools to detect memory violations D. Safe software libraries E. Code for reuse and maintainability
Answer: B,C,D
Explanation: The tools and practices that are helpful in producing secure software are summarized in the report "Enhancing the Development Life Cycle to Produce Secure Software". The tools and practices are as follows: compiler security checking and enforcement; safe software libraries; tools to detect memory violations; code obfuscation. Answer: A and E are incorrect. These are secure coding principles and practices of defensive coding.
Question # 11
Information Security management is a process of defining the security controls in order to protect information assets. The first action of a management program to implement information security is to have a security program in place. What are the objectives of a security program? Each correct answer represents a complete solution. Choose all that apply.
A. Security education B. Security organization C. System classification D. Information classification
Answer: A,B,D
Explanation: The first action of a management program to implement information security is to have a security program in place. The objectives of a security program are as follows: protect the company and its assets; manage risks by identifying assets, discovering threats, and estimating the risk; provide direction for security activities by framing information security policies, procedures, standards, guidelines and baselines; information classification; security organization; security education. Answer: C is incorrect. System classification is not one of the objectives of a security program.
Question # 12
Which of the following are the types of intellectual property? Each correct answer represents a complete solution. Choose all that apply.
A. Patent B. Copyright C. Standard D. Trademark
Answer: A,B,D
Explanation: Common types of intellectual property include copyrights, trademarks, patents, industrial design rights, and trade secrets. A copyright is a form of intellectual property which secures to its holder the exclusive right to produce copies of his or her works of original expression, such as a literary work, movie, musical work or sound recording, painting, photograph, computer program, or industrial design, for a defined, yet extendable, period of time. It does not cover ideas or facts. Copyright laws protect intellectual property from misuse by other individuals. A trademark is a distinctive sign used by an individual, business organization, or other legal entity to identify to consumers that the products or services with which the trademark appears originate from a unique source, and to distinguish its products or services from those of other entities. A trademark is designated by the following symbols: ™ for an unregistered trademark, used to promote or brand goods; ℠ for an unregistered service mark, used to promote or brand services; ® for a registered trademark. A patent is a set of exclusive rights granted by a state to an inventor or their assignee for a limited period of time in exchange for a public disclosure of an invention. Answer: C is incorrect. A standard is not a type of intellectual property.
Question # 13
Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply.
A. Right-Up Approach B. Left-Up Approach C. Top-Down Approach D. Bottom-Up Approach
Answer: C,D
Explanation: The Top-Down Approach is an approach to building a security program in which the initiation, support, and direction come from top management and work their way through middle management and then to staff members. It is treated as the best approach, because it ensures that senior management, who are ultimately responsible for protecting the company's assets, are driving the program. The Bottom-Up Approach is an approach in which a lower-level team comes up with a security control or a program without proper management support and direction. It is less effective and usually doomed to fail. Answer: A and B are incorrect. No such approaches exist.
Question # 14
Fill in the blank with an appropriate phrase. The ______ is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.
A. Biba model
Answer: A
Explanation: The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject (no write up), or be corrupted by data from a lower level than the subject (no read down).
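The two Biba rules are short enough to write down as a working reference monitor, which makes the "no read down, no write up" wording concrete. The following is an added example, not code from the original page or from ISC2; the three integrity levels and the named subjects and objects are constructed for illustration, and the contrast with Bell-LaPadula in the comment is the standard one (that model enforces no read up / no write down for confidentiality instead).

```python
from enum import IntEnum


class Integrity(IntEnum):
    """Ordered integrity levels; a higher value means more trustworthy."""
    UNTRUSTED = 0   # e.g. anything fetched from the internet
    USER = 1        # ordinary user data
    SYSTEM = 2      # OS binaries and configuration


# Constructed labels for the example (assumptions, not from the page).
SUBJECTS = {
    "browser": Integrity.UNTRUSTED,
    "alice": Integrity.USER,
    "updater": Integrity.SYSTEM,
}
OBJECTS = {
    "download.exe": Integrity.UNTRUSTED,
    "alice_notes.txt": Integrity.USER,
    "kernel32.dll": Integrity.SYSTEM,
}


def biba_allows(subject_level, operation, object_level):
    """Biba strict integrity policy.

    Simple integrity property ("no read down"): a subject may read an object
        only if object_level >= subject_level, so it is never fed lower-integrity data.
    *-integrity property ("no write up"): a subject may write an object only if
        object_level <= subject_level, so it can never corrupt higher-integrity data.
    Bell-LaPadula is the mirror image (no read up / no write down) and protects
    confidentiality rather than integrity.
    """
    if operation == "read":
        return object_level >= subject_level
    if operation == "write":
        return object_level <= subject_level
    raise ValueError(f"unknown operation {operation!r}")


def check(subject, operation, obj):
    """Reference-monitor style decision for a named subject and object."""
    return biba_allows(SUBJECTS[subject], operation, OBJECTS[obj])


def denied_operations():
    """Every (subject, operation, object) triple the policy refuses."""
    return sorted(
        (s, op, o)
        for s in SUBJECTS
        for op in ("read", "write")
        for o in OBJECTS
        if not check(s, op, o)
    )


if __name__ == "__main__":
    for triple in denied_operations():
        print("DENY", *triple)
```

With these labels the untrusted browser may read kernel32.dll but never write it, while the system updater may write it but may not read download.exe: exactly the "cannot corrupt higher levels, cannot be corrupted by lower levels" behaviour the explanation describes.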
Question # 15
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of policies? Each correct answer represents a complete solution. Choose all that apply.
A. Advisory B. Systematic C. Informative D. Regulatory
Answer: A,C,D
Explanation: Following are the different types of policies: Regulatory: This type of policy
ensures that the organization is following standards set by specific industry regulations.
This policy type is very detailed and specific to a type of industry. This is used in financial
institutions, health care facilities, public utilities, and other government-regulated industries,
e.g., TRAI. Advisory: This type of policy strongly advises employees regarding which types
of behaviors and activities should and should not take place within the organization. It also
outlines possible ramifications if employees do not comply with the established behaviors
and activities. This policy type can be used, for example, to describe how to handle medical
information, handle financial transactions, or process confidential information. Informative:
This type of policy informs employees of certain topics. It is not an enforceable policy, but
rather one to teach individuals about specific issues relevant to the company. It could
explain how the company interacts with partners, the company's goals and mission, and a
general reporting structure in different situations. Answer: B is incorrect. No such type of
policy exists.
Question # 16
Single Loss Expectancy (SLE) represents an organization's loss from a single threat. Which of the following formulas best describes the Single Loss Expectancy (SLE)?
A. SLE = Asset Value (AV) * Exposure Factor (EF) B. SLE = Annualized Loss Expectancy (ALE) * Annualized Rate of Occurrence (ARO) C. SLE = Annualized Loss Expectancy (ALE) * Exposure Factor (EF) D. SLE = Asset Value (AV) * Annualized Rate of Occurrence (ARO)
Answer: A
Explanation: Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from a single occurrence of a risk on an asset. It is mathematically expressed as follows: Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF), where the Exposure Factor represents the impact of the risk on the asset as the percentage of the asset's value that is lost. As an example, if the Asset Value is reduced by two thirds, the Exposure Factor is approximately 0.67; if the asset is completely lost, the Exposure Factor is 1.0. The result is a monetary value in the same unit as the Asset Value. Answer: B, C, and D are incorrect. These are not valid formulas for SLE.
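The formula above, carried through in code as an added example that is not from the original page or from ISC2. It enforces the Exposure Factor range the explanation describes and, going beyond the question, extends SLE to the Annualized Loss Expectancy (ALE = SLE * ARO, where ARO is the expected number of occurrences per year) and to a safeguard cost-benefit figure, because that is what SLE is normally computed for in a quantitative risk assessment. The asset value, exposure factors, occurrence rate and safeguard cost used in the comments are constructed figures.

```python
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF. EF is the fraction of the asset's value lost in one occurrence."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0.0 (no loss) and 1.0 (total loss)")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = SLE * ARO (an extension beyond the page, which covers SLE only).
    ARO is the expected number of occurrences per year, e.g. 0.2 for once in five years."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_net_benefit(asset_value, ef_before, aro_before, ef_after, aro_after, annual_cost):
    """Annual value of a countermeasure: ALE before - ALE after - annual cost of the control.
    A positive result means the control pays for itself; a negative one means the
    organization would spend more on the safeguard than it expects to lose."""
    before = annualized_loss_expectancy(asset_value, ef_before, aro_before)
    after = annualized_loss_expectancy(asset_value, ef_after, aro_after)
    return before - after - annual_cost


if __name__ == "__main__":
    # Constructed scenario: a 200,000 asset, a threat that destroys half of it
    # (EF 0.5) about once in five years (ARO 0.2); a 5,000/year backup
    # arrangement cuts the loss per event to 10% (EF 0.1) but not its frequency.
    print("SLE:", single_loss_expectancy(200_000, 0.5))                      # 100000.0
    print("ALE:", annualized_loss_expectancy(200_000, 0.5, 0.2))             # 20000.0
    print("net benefit:", safeguard_net_benefit(200_000, 0.5, 0.2, 0.1, 0.2, 5_000))  # 11000.0
```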
Question # 17
Security is a state of well-being of information and infrastructures in which the possibilities of successful yet undetected theft, tampering, and/or disruption of information and services are kept low or tolerable. Which of the following are the elements of security? Each correct answer represents a complete solution. Choose all that apply.
A. Integrity B. Authenticity C. Confidentiality D. Availability
Answer: A,B,C,D
Explanation: The elements of security are as follows: 1.Confidentiality: It is the
concealment of information or resources. 2.Authenticity: It is the identification and
assurance of the origin of information. 3.Integrity: It refers to the trustworthiness of data or
resources in terms of preventing improper and unauthorized changes. 4.Availability: It
refers to the ability to use the information or resources as desired.
Question # 18
Which of the following steps of the LeGrand Vulnerability-Oriented Risk Management method determines the necessary compliance offered by risk management practices and the assessment of risk levels?
A. Assessment, monitoring, and assurance B. Vulnerability management C. Risk assessment D. Adherence to security standards and policies for development and deployment
Answer: A
Explanation: Assessment, monitoring, and assurance determines the necessary compliance offered by risk management practices and the assessment of risk levels.
Question # 20
Security controls are safeguards or countermeasures to avoid, counteract, or minimize security risks. Which of the following are types of security controls? Each correct answer represents a complete solution. Choose all that apply.
A. Common controls B. Hybrid controls C. Storage controls D. System-specific controls
Answer: A,B,D
Explanation: Security controls are safeguards or countermeasures to avoid, counteract, or minimize security risks. The following are the types of security controls for information systems that can be employed by an organization: 1. System-specific controls: these controls provide a security capability for a particular information system only. 2. Common controls: these controls provide a security capability for multiple information systems. 3. Hybrid controls: these controls have features of both system-specific and common controls. Answer: C is incorrect. Storage controls are not a recognized type of security control.
Question # 21
At which of the following levels of exception safety do operations succeed with a full guarantee and fulfill all requirements even in the presence of exceptional situations?
A. Commit or rollback semantics B. Minimal exception safety C. Failure transparency D. Basic exception safety
Answer: C
Explanation: Failure transparency is the highest level of exception safety. At this level, operations succeed with a full guarantee and fulfill all requirements even in the presence of exceptional situations. A failure-transparent operation does not propagate an exception to its caller even when one occurs internally. This level is also known as the no-throw guarantee. The other levels, from strongest to weakest, are commit or rollback semantics (the strong guarantee), basic exception safety, and minimal exception safety.
Question # 22
Which of the following security-related areas are used to protect the confidentiality, integrity, and availability of federal information systems and the information processed by those systems?
A. Personnel security B. Access control C. Configuration management D. Media protection E. Risk assessment
Answer: A,B,C,D,E
Explanation: The minimum security requirements cover seventeen security-related areas to protect the confidentiality, integrity, and availability of federal information systems and the information processed by those systems. They are as follows: access control; awareness and training; audit and accountability; certification, accreditation, and security assessment; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; physical and environmental protection; planning; personnel security; risk assessment; systems and services acquisition; system and communications protection; system and information integrity.
Question # 23
What are the various benefits of a software interface according to the "Enhancing the Development Life Cycle to Produce Secure Software" document? Each correct answer represents a complete solution. Choose three.
A. It modifies the implementation of a component without affecting the specifications of the interface. B. It controls the accessing of a component. C. It displays the implementation details of a component. D. It provides a programmatic way of communication between the components that are working with different programming languages.
Answer: A,B,D
Explanation: The benefits of a software interface are as follows: it provides a programmatic way of communication between components written in different programming languages; it prevents direct communication between components; it allows the implementation of a component to be modified without affecting the specification of the interface; it hides the implementation details of a component; it controls access to a component. Answer: C is incorrect. A software interface hides the implementation details of a component rather than displaying them.
Question # 24
Fill in the blank with an appropriate security type. ______ applies the internal security policies of the software applications when they are deployed.
A. Programmatic security
Answer: A
Explanation: Programmatic security applies the internal security policies of the software
applications when they are deployed. In this type of security, the code of the software
application controls the security behavior, and authentication decisions are made based on
the business logic, such as the user role or the task performed by the user in a specific
security context.
Question # 26
An audit trail or audit log is a chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution of a business process or system function. Under which of the following controls does audit control come?
A. Reactive controls B. Detective controls C. Protective controls D. Preventive controls
Answer: B
Explanation: An audit trail or audit log comes under detective controls. Any control that performs a monitoring activity can be defined as a detective control: it does not stop an event, but records it so that it can be discovered afterwards. For example, mistakes, either intentional or unintentional, can be made in financial reporting. Therefore, an additional control is that publicly traded companies must have their financial results audited by an independent Certified Public Accountant. The role of this accountant is to act as an auditor, and any auditor acts as a detective control. If the organization in question has not properly followed the rules, a diligent auditor should be able to detect the deficiency, which indicates that some control somewhere has failed. Answer: A is incorrect. Reactive or corrective controls typically work in response to a detective control, responding in such a way as to alert or otherwise correct an unacceptable condition. Using the example of accounting rules, either the internal Audit Committee or the SEC itself, based on the report generated by the external auditor, will take some corrective action. In this way, they are acting as a corrective or reactive control. Answer: C and D are incorrect. Protective or preventive controls serve to proactively define and possibly enforce acceptable behaviors. As an example, a set of common accounting rules is defined and must be followed by any publicly traded company. Each quarter, any particular company must publicly state its current financial standing and accounting as reflected by an application of these rules. These accounting rules and the SEC requirements serve as protective or preventive controls.
Question # 27
Which of the following concepts represent the three fundamental principles of information security? Each correct answer represents a complete solution. Choose three.
A. Privacy B. Availability C. Integrity D. Confidentiality
Answer: B,C,D
Explanation: The following concepts represent the three fundamental principles of
information security: 1. Confidentiality 2. Integrity 3. Availability. Answer: A is incorrect.
Privacy, authentication, accountability, authorization, and identification are also concepts
related to information security, but they are not the three fundamental principles of
information security.
Question # 28
Which of the following DoD policies establishes policies and assigns responsibilities to achieve DoD IA through a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network-centric warfare?
A. DoDI 5200.40 B. DoD 8500.1 Information Assurance (IA) C. DoD 8510.1-M DITSCAP D. DoD 8500.2 Information Assurance Implementation
Answer: B
Explanation: DoD 8500.1 Information Assurance (IA) establishes policies and assigns
responsibilities to achieve DoD IA through a defense-in-depth approach that integrates the
capabilities of personnel, operations, and technology, and supports the evolution to
network-centric warfare. DoD 8500.1 also summarizes the roles and responsibilities of the
persons responsible for carrying out the IA policies. Answer: D is incorrect. DoD 8500.2
Information Assurance Implementation follows on from 8500.1. It provides guidance on
how to implement the policy, assigns responsibilities, and prescribes procedures for
applying integrated, layered protection to DoD information systems and networks in
accordance with the DoD 8500.1 policy. It also provides important guidelines on how to
implement an IA program. Answer: A is incorrect. DoDI 5200.40 implements the policy,
assigns responsibilities, and prescribes procedures for Certification and Accreditation
(C&A) of information technology (IT). Answer: C is incorrect. DoD 8510.1-M DITSCAP
provides standardized activities leading to accreditation, and establishes a process and
management baseline.
Question # 29
Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. Which of the following is violated in a shoulder surfing attack?
A. Integrity B. Availability C. Confidentiality D. Authenticity
Answer: C
Explanation: Confidentiality is violated in a shoulder surfing attack. The CIA triad provides
the following three tenets against which security practices are measured: Confidentiality:
the property of preventing disclosure of information to unauthorized individuals or
systems. Breaches of confidentiality take many forms. Permitting someone to look over
your shoulder at your computer screen while you have confidential data displayed on it is
a breach of confidentiality. If a laptop computer containing sensitive information about a
company's employees is stolen or sold, it could result in a breach of confidentiality.
Integrity: data cannot be modified without authorization. Integrity is violated when an
employee accidentally or with malicious intent deletes important data files, when a
computer virus infects a computer, when an employee is able to modify his own salary in a
payroll database, when an unauthorized user vandalizes a web site, when someone is able
to cast a very large number of votes in an online poll, and so on. Availability: data must
be available whenever it is needed. Answer: D is incorrect. Authenticity is not a tenet of
the CIA triad.
Question # 30
You work as a Security Manager for Tech Perfect Inc. You want to protect all the data from the SQL injection attack, which can read sensitive data from the database and modify database data using some commands, such as Insert, Update, and Delete. Which of the following tasks will you perform? Each correct answer represents a complete solution. Choose three.
A. Apply maximum number of database permissions. B. Use an encapsulated library for accessing databases. C. Create parameterized stored procedures. D. Create parameterized queries by using bound and typed parameters.
Answer: B,C,D
Explanation: The methods of mitigating SQL injection attacks are as follows: 1. Create
parameterized queries by using bound and typed parameters. 2. Create parameterized
stored procedures. 3. Use an encapsulated library to access the database, so that every
query passes through code that parameterizes it. 4. Minimize database permissions, so
that an injected command the application account is not entitled to run is refused.
Answer: A is incorrect. Granting the maximum number of database permissions widens
what a successful injection can do; to protect the data from SQL injection, you should
minimize database permissions.
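The four mitigations above are easiest to see side by side in code. The following is an added example, not part of the original question or its explanation: it runs the same lookup and update against a constructed in-memory SQLite database, once with string concatenation (the injectable form) and once with bound parameters, and then shows what minimized database permissions buy when the bad code is still present. The table, the rows, and the read-only connection (modelled with SQLite's PRAGMA query_only) are assumptions for illustration.

```python
"""Added example (not from the original question): the same two operations,
a lookup and an update, written unsafely with string concatenation and
safely with bound parameters, run against a constructed in-memory SQLite
database. A read-only connection models a least-privilege account."""
import sqlite3

# Constructed sample rows; the names and addresses are invented.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "user"),
    ("bob", "bob@example.com", "admin"),
    ("carol", "carol@example.com", "user"),
]

# Classic tautology payload: closes the string literal and appends OR '1'='1'.
TAUTOLOGY = "' OR '1'='1"


def make_db(read_only=False):
    """Fresh in-memory database. read_only=True stands in for a database
    account without write privileges: PRAGMA query_only makes every write
    on this connection fail (assumption: SQLite-specific mechanism)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    if read_only:
        conn.execute("PRAGMA query_only = 1")
    return conn


def emails_vulnerable(conn, name):
    """Deliberately injectable: the caller's string becomes part of the SQL."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def emails_safe(conn, name):
    """Bound, typed parameter: the driver passes the value separately from
    the query text, so quotes in the input are data, never syntax."""
    if not isinstance(name, str):
        raise TypeError("name must be a str")
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]


def set_email_vulnerable(conn, name, new_email):
    """Deliberately injectable UPDATE; returns the number of rows changed."""
    sql = ("UPDATE users SET email = '" + new_email
           + "' WHERE name = '" + name + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def set_email_safe(conn, name, new_email):
    """Parameterized UPDATE; returns the number of rows changed."""
    cur = conn.execute("UPDATE users SET email = ? WHERE name = ?",
                       (new_email, name))
    conn.commit()
    return cur.rowcount


def demo():
    """Run each variant against the payload and report what happened."""
    db = make_db()
    leaked = emails_vulnerable(db, TAUTOLOGY)      # every email in the table
    not_leaked = emails_safe(db, TAUTOLOGY)        # nobody is literally named that
    clobbered = set_email_vulnerable(db, TAUTOLOGY, "evil@example.com")  # all rows
    untouched = set_email_safe(make_db(), TAUTOLOGY, "evil@example.com")  # no rows

    ro = make_db(read_only=True)
    try:
        set_email_vulnerable(ro, TAUTOLOGY, "evil@example.com")
        write_blocked = False
    except sqlite3.OperationalError:
        write_blocked = True   # least privilege: the bad code still cannot write

    return {"leaked": len(leaked), "not_leaked": len(not_leaked),
            "clobbered": clobbered, "untouched": untouched,
            "write_blocked": write_blocked}


if __name__ == "__main__":
    print(demo())
```

The tautology payload turns the lookup into a dump of every row and the update into a mass overwrite; the parameterized versions treat the same string as a literal name that matches nobody. The read-only connection does not fix the injection, it limits what a successful one can do, which is exactly why minimizing permissions is listed as a separate, complementary measure.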
Question # 31
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
A. Exploit B. Mitigation C. Transference D. Avoidance
Answer: C
Explanation: Hiring a third party to own a risk is the transference risk response.
Transference is a strategy for responding to negative risks or threats: the consequences
and the ownership of the risk are transferred to a third party. This strategy does not
eliminate the risk but transfers responsibility for managing it to another party. Insurance
is an example of transference. Answer: B is incorrect. The act of spending money to
reduce a risk's probability and impact is known as mitigation. Answer: A is incorrect.
Exploit is a strategy that may be selected for risks with positive impacts, where the
organization wishes to ensure that the opportunity is realized. Answer: D is incorrect.
When extra activities are introduced into the project to avoid the risk, this is an example
of avoidance.
Question # 32
Which of the following statements about the integrity concept of information security management are true? Each correct answer represents a complete solution. Choose three.
A. It ensures that unauthorized modifications are not made to data by authorized personnel or processes. B. It determines the actions and behaviors of a single individual within a system. C. It ensures that internal information is consistent among all subentities and also consistent with the real-world, external situation. D. It ensures that modifications are not made to data by unauthorized personnel or processes.
Answer: A,C,D
Explanation: The following statements about the integrity concept of information security
management are true: It ensures that modifications are not made to data by unauthorized
personnel or processes. It ensures that unauthorized modifications are not made to data by
authorized personnel or processes. It ensures that internal information is consistent among
all subentities and also consistent with the real-world, external situation. Answer: B is
incorrect. Accountability determines the actions and behaviors of an individual within a
system, and identifies that particular individual. Audit trails and logs support accountability.
Question # 33
You work as a security manager for BlueWell Inc. You are performing the external vulnerability testing, or penetration testing, to get a better snapshot of your organization's security posture. Which of the following penetration testing techniques will you use for searching paper disposal areas for unshredded or otherwise improperly disposed-of reports?
A. Sniffing B. Scanning and probing C. Dumpster diving D. Demon dialing
Answer: C
Explanation: Dumpster diving technique is used for searching paper disposal areas for
unshredded or otherwise improperly disposed-of reports. Answer: B is incorrect. In
scanning and probing technique, various scanners, like a port scanner, can reveal
information about a network's infrastructure and enable an intruder to access the network's
unsecured ports. Answer: D is incorrect. Demon dialing technique automatically tests every
phone line in an exchange to try to locate modems that are attached to the network.
Answer: A is incorrect. In sniffing technique, protocol analyzer can be used to capture data
packets that are later decoded to collect information such as passwords or infrastructure
configurations.
Question # 34
Which of the following models manages the software development process if the developers are limited to go back only one stage to rework?
A. Waterfall model B. Spiral model C. RAD model D. Prototyping model
Answer: A
Explanation: In the waterfall model, software development can be managed if the
developers are limited to going back only one stage to rework. If this limitation is not
imposed, especially on a large project with several team members, any developer can be
working on any phase at any time, and the required rework might be accomplished several
times. Answer: B is incorrect. The spiral model is a software development process
combining elements of both design and prototyping in stages, in an effort to combine the
advantages of top-down and bottom-up concepts. The basic principles of the spiral model
are as follows: The focus is on risk assessment and minimizing project risks by breaking a
project into smaller segments and providing more ease of change during the development
process, as well as providing the opportunity to evaluate risks and weigh consideration of
project continuation throughout the life cycle. Each cycle involves a progression through
the same sequence of steps, for each portion of the product and for each of its levels of
elaboration, from an overall concept-of-operation document down to the coding of each
individual program. Each trip around the spiral traverses the following four basic
quadrants: determine objectives, alternatives, and constraints of the iteration; evaluate
alternatives, and identify and resolve risks; develop and verify deliverables from the
iteration; plan the next iteration. Begin each cycle with an identification of stakeholders
and their win conditions, and end each cycle with review and commitment. Answer: D is
incorrect. The prototyping model is a systems development method (SDM). In this model,
a prototype is created, tested, and then reworked as necessary until an adequate
prototype is finally achieved, from which the complete system or product can then be
developed. Answer: C is incorrect. Rapid Application Development (RAD) refers to a type
of software development methodology that uses minimal planning in favor of rapid
prototyping.
Question # 35
Which of the following is NOT a responsibility of a data owner?
A. Approving access requests B. Ensuring that the necessary security controls are in place C. Delegating responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian D. Maintaining and protecting data
Answer: D
Explanation: It is not a responsibility of a data owner. The data custodian (information
custodian) is responsible for maintaining and protecting the data.
Answer: B, A, and C are incorrect. All of these are responsibilities of a data owner. The
roles and responsibilities of a data owner are as follows: The data owner (information
owner) is usually a member of management, in charge of a specific business unit, and is
ultimately responsible for the protection and use of a specific subset of information. The
data owner decides upon the classification of the data that he is responsible for and alters
that classification if the business needs arise. This person is also responsible for ensuring
that the necessary security controls are in place, ensuring that proper access rights are
being used, defining security requirements per classification and backup requirements,
approving any disclosure activities, and defining user access criteria. The data owner
approves access requests or may choose to delegate this function to business unit
managers. And it is the data owner who will deal with security violations pertaining to the
data he is responsible for protecting. The data owner, who obviously has enough on his
plate, delegates responsibility of the day-to-day maintenance of the data protection
mechanisms to the data custodian.
Question # 36
Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use?
A. Discretionary Access Control B. Mandatory Access Control C. Policy Access Control D. Role-Based Access Control
Answer: D
Explanation: Role-based access control (RBAC) is an access control model in which a user
can access resources according to his role in the organization. For example, a backup
administrator is responsible for taking backups of important data; therefore he is
authorized to access that data only for backing it up. Sometimes users with different roles
need to access the same resources; this situation can also be handled in the RBAC model
by granting the same permission to more than one role. Answer: B is incorrect.
Mandatory Access Control (MAC) is a model that uses a predefined set of access
privileges for each object in the system. Access to an object is restricted on the basis of
the sensitivity of the object and granted through authorization. The sensitivity of an object
is defined by the label assigned to it. For example, if a user receives a copy of an object
that is marked as "secret", he cannot grant other users permission to see it unless they
already hold the appropriate clearance. Answer: A is incorrect. DAC is an access control
model in which the data owner has the right to decide who can access the data. This
model is commonly used in PC environments. The basis of this model is the Access
Control List (ACL). Answer: C is incorrect. There is no such access control model as
Policy Access Control.
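As an added example (not from the original question), the check Mark wants can be written as a deny-by-default function over role-to-permission tables; a label-based check is shown beside it so the difference from MAC is concrete. The users, roles, resources, and labels are constructed, and the MAC part goes slightly beyond the explanation by including the write rule ("no write down") alongside the read rule it describes.

```python
"""Added example (not from the original question): deny-by-default checks for
RBAC and, for contrast, label-based MAC. All users, roles, resources and
labels below are constructed for illustration."""

# RBAC: permissions attach to roles; users hold roles, never permissions
# directly. A role carries only the (resource, action) pairs its job needs.
ROLE_PERMISSIONS = {
    "backup_admin": {("finance_db", "read"), ("hr_db", "read")},
    "payroll_clerk": {("hr_db", "read"), ("hr_db", "write")},
    "auditor": {("finance_db", "read"), ("hr_db", "read"), ("audit_log", "read")},
}
USER_ROLES = {
    "mark": {"backup_admin"},
    "dana": {"payroll_clerk", "auditor"},   # two roles that share hr_db
}


def rbac_allowed(user, resource, action):
    """True only if a role held by user grants (resource, action).
    Unknown users, roles and permissions all fall through to deny."""
    for role in USER_ROLES.get(user, ()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, ()):
            return True
    return False


def rbac_permissions(user):
    """Everything a user can do: the union of their roles' permissions.
    This is what a least-privilege review looks at ("why can mark read hr_db?")."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


# MAC: every subject has a clearance and every object a classification label,
# both assigned by the system rather than by the data's owner. The labels
# decide; a user cannot share an object with someone below its label.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
CLEARANCE = {"mark": "confidential", "dana": "secret"}
LABEL = {"finance_db": "confidential", "hr_db": "secret", "audit_log": "secret"}


def mac_can_read(user, obj):
    """No read up: the subject's clearance must dominate the object's label."""
    try:
        return LEVELS[CLEARANCE[user]] >= LEVELS[LABEL[obj]]
    except KeyError:
        return False   # unlabelled subject or object: deny


def mac_can_write(user, obj):
    """No write down: a subject may write only to objects at or above its own
    level, so a "secret" reader cannot copy that data into a lower-labelled
    object and hand it to someone without clearance."""
    try:
        return LEVELS[CLEARANCE[user]] <= LEVELS[LABEL[obj]]
    except KeyError:
        return False
```

The RBAC tables make the "only what the role requires" property auditable: rbac_permissions lists exactly what a user can do, and adding a user never adds a permission. In the MAC functions the decision depends only on labels, which is why a user who can read a "secret" object still cannot make it readable by someone cleared lower.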
Question # 37
Which of the following refers to the ability to ensure that the data is not modified or tampered with?
A. Integrity B. Availability C. Non-repudiation D. Confidentiality
Answer: A
Explanation: Integrity refers to the ability to ensure that the data is not modified or
tampered with. Integrity means that data cannot be modified without authorization. Integrity
is violated when an employee accidentally or with malicious intent deletes important data
files, when a computer virus infects a computer, when an employee is able to modify his
own salary in a payroll database, when an unauthorized user vandalizes a Web site, when
someone is able to cast a very large number of votes in an online poll, and so on. Answer:
D is incorrect. Confidentiality is the property of preventing disclosure of information to
unauthorized individuals or systems. Breaches of confidentiality take many forms.
Permitting someone to look over your shoulder at your computer screen while you have
confidential data displayed on it could be a breach of confidentiality. If a laptop computer
containing sensitive information about a company's employees is stolen or sold, it could
result in a breach of confidentiality. Answer: B is incorrect. Availability means that data
must be available whenever it is needed. Answer: C is incorrect. Non-repudiation is the
concept of ensuring that a party in a dispute cannot refuse to acknowledge, or refute the
validity of a statement or contract. As a service, it provides proof of the integrity and origin
of data. Although this concept can be applied to any transmission, including television and
radio, by far the most common application is in the verification and trust of signatures.
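The two properties the explanations for Questions 26 and 37 rely on, that an audit trail lets you detect what happened and that integrity means an unauthorized change is noticed, can be demonstrated with a hash-chained log. This is an added example and not code from the original page; the events, the key, and the field names are constructed for illustration.

```python
"""Added example (not from the original page): a hash-chained audit trail.
Each entry commits to the previous entry's hash, so an edit, deletion or
reordering anywhere in the middle breaks verification. Events and key are
constructed for illustration."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # previous-hash value for the very first entry

# Constructed sample events; nothing here comes from a real system.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "result": "success"},
    {"user": "alice", "action": "update_salary", "target": "alice", "amount": 250000},
    {"user": "alice", "action": "logout"},
]


def _entry_mac(key, seq, prev_hash, record):
    """HMAC over (seq, prev_hash, record) in canonical JSON, so the same entry
    always hashes the same way and the key is needed to forge a valid chain."""
    body = json.dumps({"seq": seq, "prev": prev_hash, "record": record},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append(trail, record, key):
    """Append record to trail (a list of entries) and return the new entry."""
    seq = len(trail)
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    entry = {"seq": seq, "prev": prev_hash, "record": record,
             "hash": _entry_mac(key, seq, prev_hash, record)}
    trail.append(entry)
    return entry


def verify(trail, key):
    """Return (True, None) if every link holds, else (False, index of the first
    entry whose sequence number, back-link or MAC does not check out)."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry["seq"] != i or entry["prev"] != prev_hash:
            return False, i
        expected = _entry_mac(key, entry["seq"], entry["prev"], entry["record"])
        if not hmac.compare_digest(entry["hash"], expected):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def demo():
    """Build a trail, then show what the verifier can and cannot see."""
    key = b"constructed-demo-key"   # real deployments keep this off the writing host
    trail = []
    for event in SAMPLE_EVENTS:
        append(trail, event, key)
    saved_head = trail[-1]["hash"]   # copied to write-once storage after each append

    # 1. The untouched trail verifies.
    intact = verify(trail, key)

    # 2. An insider rewrites entry 1 to hide the salary change: caught at index 1.
    edited = [dict(e, record=dict(e["record"])) for e in trail]
    edited[1]["record"]["action"] = "view_profile"
    tamper = verify(edited, key)

    # 3. The insider instead deletes the last entry. The chain still verifies,
    #    because no later entry commits to it; only comparing the head against
    #    the externally saved copy reveals the truncation.
    truncated = trail[:-1]
    trunc_chain = verify(truncated, key)
    trunc_head_matches = truncated[-1]["hash"] == saved_head

    return {"intact": intact, "tamper": tamper,
            "trunc_chain": trunc_chain, "trunc_head_matches": trunc_head_matches}


if __name__ == "__main__":
    print(demo())
```

The key belongs to the log collector, not to the application that writes events; otherwise an attacker who controls the application can simply re-chain the log. The truncation case is the practical caveat: a chain verifies as intact when its tail is cut off, so the current head hash must be copied somewhere the writer cannot reach and compared on every verification. Both checks are detective in the sense of Question 26: they reveal that data was altered, they do not stop the alteration.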
Question # 38
Which of the following are Service Level Agreement (SLA) structures as defined by ITIL? Each correct answer represents a complete solution. Choose all that apply.
A. Component Based B. Service Based C. Segment Based D. Customer Based E. Multi-Level
Answer: B,D,E
Explanation: ITIL defines three types of Service Level Agreement (SLA) structures, which
are as follows: 1. Customer Based: It covers all services used by an individual customer
group. 2. Service Based: It is one service for all customers. 3. Multi-Level: for example, a
three-tier SLA comprising corporate, customer, and service layers. Answer: C and A are
incorrect. There are no such SLA structures as Segment Based and Component Based.
Question # 39
Which of the following test methods has the objective to test the IT system from the viewpoint of a threat-source and to identify potential failures in the IT system protection schemes?
A. Security Test and Evaluation (ST&E) B. Penetration testing C. Automated vulnerability scanning tool D. On-site interviews
Answer: B
Explanation: The goal of penetration testing is to examine the IT system from the
perspective of a threat-source and to identify potential failures in the IT system protection
schemes. Penetration testing, when performed in the risk assessment process, is used to
assess an IT system's ability to withstand intentional attempts to circumvent system
security. Answer: A is incorrect. The objective of ST&E is to ensure that the applied
controls meet the approved security specification for the software and hardware and
implement the organization's security policy or meet industry standards.
Question # 40
Elizabeth is a project manager for her organization and she finds risk management to be very difficult for her to manage. She asks you, a lead project manager, at what stage in the project will risk management become easier. What answer best resolves the difficulty of risk management practices and the effort required?
A. Risk management only becomes easier when the project moves into project execution. B. Risk management only becomes easier when the project is closed. C. Risk management is an iterative process and never becomes easier. D. Risk management only becomes easier the more often it is practiced.
Answer: D
Explanation: According to the PMBOK, "Like many things in project management, the
more it is done the easier the practice becomes." Answer: B is incorrect. This answer is not
the best choice for the project. Answer: A is incorrect. Risk management likely becomes
more difficult in project execution than in other stages of the project. Answer: C is
incorrect. Risk management does become easier the more often it is done.
Question # 41
A service provider guarantees end-to-end network traffic performance to a customer. Which of the following types of agreement is this?
A. SLA B. VPN C. NDA D. LA
Answer: A
Explanation: This is a type of service-level agreement. A service-level agreement (SLA) is
a negotiated agreement between two parties where one is the customer and the other is
the service provider. It records a common understanding about services, priorities,
responsibilities, guarantees, and warranties. Each area of service scope should have the
'level of service' defined. The SLA may specify the levels of availability, serviceability,
performance, operation, or other attributes of the service, such as billing. Answer: C is
incorrect. Non-disclosure agreements (NDAs) are often used to protect the confidentiality of
an invention as it is being evaluated by potential licensees. Answer: D is incorrect. License
agreements (LA) describe the rights and responsibilities of a party related to the use and
exploitation of intellectual property. Answer: B is incorrect. There is no such type of
agreement as VPN.
Question # 42
You work as a system engineer for BlueWell Inc. You want to verify that the build meets its data requirements, and correctly generates each expected display and report. Which of the following tests will help you to perform the above task?
A. Performance test B. Functional test C. Reliability test D. Regression test
Answer: B
Explanation: The various types of internal tests performed on builds are as follows:
Regression tests: also known as verification testing, these tests are developed to confirm
that capabilities in earlier builds continue to work correctly in subsequent builds.
Functional tests: these tests emphasize verifying that the build meets its functional and
data requirements and correctly generates each expected display and report.
Performance tests: these tests are used to identify the performance thresholds of each
build. Reliability tests: these tests are used to identify the reliability thresholds of each
build.
Question # 43
Which of the following characteristics are described by the DIAP Information Readiness Assessment function? Each correct answer represents a complete solution. Choose all that apply.
A. It provides for entry and storage of individual system data. B. It performs vulnerability/threat analysis assessment. C. It provides data needed to accurately assess IA readiness. D. It identifies and generates IA requirements.
Answer: B,C,D
Explanation: The characteristics of the DIAP Information Readiness Assessment function
are as follows: It provides data needed to accurately assess IA readiness. It identifies and
generates IA requirements. It performs vulnerability/threat analysis assessment. Answer: A
is incorrect. It is a function performed by the ASSET system.
Question # 44
You are the project manager for a construction project. The project involves casting of a column in a very narrow space. Because of lack of space, casting it is highly dangerous. High technical skill will be required for casting that column. You decide to hire a local expert team for casting that column. Which of the following types of risk response are you following?
A. Avoidance B. Acceptance C. Mitigation D. Transference
Answer: D
Explanation: According to the question, you are hiring a local expert team to cast the
column. Because you have transferred the risk to a third party, this is the transference
risk response. Transference is a strategy for responding to negative risks or threats: the
consequences and the ownership of the risk are transferred to a third party. This strategy
does not eliminate the risk but transfers responsibility for managing it to another party.
Insurance is an example of transference. Answer: C is incorrect. Mitigation is a risk
response planning technique associated with threats that seeks to reduce the probability
of occurrence or impact of a risk to below an acceptable threshold. Risk mitigation
involves taking early action to reduce the probability and impact of a risk occurring on the
project. Adopting less complex processes, conducting more tests, or choosing a more
stable supplier are examples of mitigation actions. Answer: A is incorrect. Avoidance
involves changing the project management plan to eliminate the threat entirely. Answer: B
is incorrect. Acceptance is part of the risk response planning process. An acceptance
response means that the project plan will not be changed to deal with the risk;
management may develop a contingency plan in case the risk does occur. Acceptance is a
strategy that can be used for risks that pose either threats or opportunities, and it comes
in two forms: Passive acceptance, in which no plans are made to avoid or mitigate the risk;
and Active acceptance, in which contingency reserves are developed to deal with the risk
in case it occurs. Acceptance is the only response that applies to both threats and
opportunities.
Question # 45
Samantha works as an Ethical Hacker for we-are-secure Inc. She wants to test the security of the we-are-secure server for DoS attacks. She sends a large number of ICMP ECHO packets to the target computer. Which of the following DoS attacking techniques will she use to accomplish the task?
A. Smurf dos attack B. Land attack C. Ping flood attack D. Teardrop attack
Answer: C
Explanation: According to the scenario, Samantha is using the ping flood attack. In a ping
flood attack, an attacker sends a large number of ICMP echo request packets to the target
computer, for example with the flood option of the ping command (ping -f
target_IP_address). When the target receives these packets in large quantities, it can
become unresponsive. However, for such an attack to succeed, the attacker must have
sufficient Internet bandwidth: because the target answers each request with an ICMP
echo reply, the attacker must have both the incoming and outgoing bandwidth available.
Answer: A is incorrect. In a smurf DoS attack, an attacker sends a large amount of ICMP
echo request traffic to IP broadcast addresses. These ICMP requests have a spoofed
source address of the intended victim. If the routing device delivering traffic to those
broadcast addresses delivers the IP broadcast to all the hosts, most of them send an echo
reply to the victim. On a multi-access broadcast network, hundreds of computers might
reply to each packet, so the target network is overwhelmed by all the replies sent
simultaneously and becomes unable to provide service. Answer: D is incorrect. In a
teardrop attack, a series of IP fragments are sent to the target computer with overlapping
offset field values. As a result, the target computer is unable to reassemble these
fragments correctly and may crash, hang, or reboot. Answer: B is incorrect. In a land
attack, the attacker sends a spoofed TCP SYN packet in which the IP address of the target
is filled in both the source and destination fields. On receiving the spoofed packet, the
target system becomes
confused and goes into a fr
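Each of the four techniques above has a distinctive signature in packet headers, and as an added example (not from the original question) the functions below detect them over a constructed capture. The packet records are dictionaries standing in for parsed headers, the addresses come from the RFC 5737 documentation ranges, fragment offsets are given in bytes rather than the header's 8-byte units for readability, and the 100 requests-per-second flood threshold is an assumption.

```python
"""Added example (not from the original question): header-level detectors for
the four DoS techniques described above, run over a constructed capture.
Addresses are RFC 5737 documentation addresses; thresholds are assumptions."""
from collections import Counter

VICTIM = "198.51.100.10"              # host being protected (assumed)
BROADCAST_ADDRS = {"203.0.113.255"}   # directed-broadcast addresses we know (assumed)
FLOOD_PPS = 100                       # echo requests per second per source (assumed)
ICMP_ECHO_REQUEST = 8


def is_land(pkt):
    """LAND: a TCP SYN whose source and destination addresses are the same."""
    return (pkt["proto"] == "tcp" and "S" in pkt.get("flags", "")
            and pkt["src"] == pkt["dst"])


def is_smurf_trigger(pkt):
    """Smurf: an echo request to a broadcast address whose source is spoofed
    to the victim, so every reply on that segment lands on the victim."""
    return (pkt["proto"] == "icmp" and pkt.get("type") == ICMP_ECHO_REQUEST
            and pkt["dst"] in BROADCAST_ADDRS and pkt["src"] == VICTIM)


def teardrop_overlaps(frags):
    """Teardrop: fragments of one datagram whose byte ranges overlap.
    Returns (offset_a, offset_b) for each fragment b that starts inside a.
    Offsets and lengths are in bytes here (real headers count 8-byte units)."""
    ordered = sorted(frags, key=lambda f: f["offset"])
    overlaps = []
    for a, b in zip(ordered, ordered[1:]):
        if b["offset"] < a["offset"] + a["len"]:
            overlaps.append((a["offset"], b["offset"]))
    return overlaps


def ping_flood_sources(pkts, dst=VICTIM, pps=FLOOD_PPS):
    """Ping flood: sources sending more than pps echo requests to dst within
    one second. Returns {(src, second): count} for each offending bucket."""
    per_second = Counter()
    for p in pkts:
        if (p["proto"] == "icmp" and p.get("type") == ICMP_ECHO_REQUEST
                and p["dst"] == dst):
            per_second[(p["src"], int(p["time"]))] += 1
    return {k: n for k, n in per_second.items() if n > pps}


def classify(pkts):
    """Run the per-packet and rate detectors over a capture."""
    return {
        "land": sum(1 for p in pkts if is_land(p)),
        "smurf": sum(1 for p in pkts if is_smurf_trigger(p)),
        "flood": ping_flood_sources(pkts),
    }


def build_sample_capture():
    """Constructed packets: one flooding source, one normal pinger, one LAND
    packet and one smurf trigger. Times are seconds from capture start."""
    pkts = []
    for i in range(150):   # 150 echo requests inside the first second
        pkts.append({"time": i / 150.0, "proto": "icmp", "type": 8,
                     "src": "192.0.2.7", "dst": VICTIM})
    for i in range(5):     # five ordinary pings during the second second
        pkts.append({"time": 1.0 + i * 0.2, "proto": "icmp", "type": 8,
                     "src": "192.0.2.8", "dst": VICTIM})
    pkts.append({"time": 2.0, "proto": "tcp", "flags": "S",
                 "src": VICTIM, "dst": VICTIM})
    pkts.append({"time": 2.1, "proto": "icmp", "type": 8,
                 "src": VICTIM, "dst": "203.0.113.255"})
    return pkts


# Constructed fragment sets, one datagram each.
TEARDROP_FRAGS = [
    {"id": 42, "offset": 0, "len": 1480},
    {"id": 42, "offset": 1200, "len": 400},   # starts inside the first fragment
    {"id": 42, "offset": 1600, "len": 300},
]
NORMAL_FRAGS = [
    {"id": 43, "offset": 0, "len": 1480},
    {"id": 43, "offset": 1480, "len": 300},   # starts exactly where the first ends
]


if __name__ == "__main__":
    print(classify(build_sample_capture()))
    print(teardrop_overlaps(TEARDROP_FRAGS), teardrop_overlaps(NORMAL_FRAGS))
```

LAND and the smurf trigger are recognisable from a single packet, which is why they are cheap to block at a border filter (drop packets with src == dst, and do not forward directed broadcasts); a ping flood is only visible as a rate, so it needs the per-second counter, and teardrop is only visible once fragments of the same datagram are grouped.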
Question # 46
You work as a Network Administrator for uCertify Inc. You need to secure web services of your company in order to have secure transactions. Which of the following will you recommend for providing security?
A. SSL B. VPN C. S/MIME D. HTTP
Answer: A
Explanation: The Secure Sockets Layer (SSL) is the protocol long used for securing
message transmission on the Internet. SSL has been succeeded by Transport Layer
Security (TLS), which is based on SSL; the SSL versions themselves are deprecated, so
recommending "SSL" today means deploying TLS. SSL/TLS sits between the application
protocol, such as the Hypertext Transfer Protocol (HTTP), and the Transmission Control
Protocol (TCP) layer. It is included in all mainstream browsers and most Web server
products. URLs that require an SSL/TLS connection start with https: instead of http:, and
HTTPS uses TCP port 443 by default. Answer: C is incorrect. S/MIME (Secure/Multipurpose
Internet Mail Extensions) is a standard for public key encryption and signing of e-mail
encapsulated in MIME. S/MIME provides the following cryptographic security services for
electronic messaging applications: authentication, message integrity, non-repudiation of
origin (using digital signatures), privacy, and data security (using encryption). Answer: D
is incorrect. Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol used on
the World Wide Web (WWW) to deliver Hypertext Markup Language (HTML) pages. HTTP
defines how messages are formatted and transmitted, and what actions Web servers and
browsers should take in response to various commands. For example, when a client
application or browser sends a request to the server using HTTP commands, the server
responds with a message containing the protocol version, success or failure code, server
information, and body content, depending on the request. HTTP uses TCP port 80 as the
default port and provides no encryption on its own. Answer: B is incorrect. A Virtual
Private Network (VPN) is a computer network that is implemented in an additional
software layer (overlay) on top of an existing larger network for the purpose of creating a
private scope of computer communications or providing a secure extension of a private
network into an insecure network such as the Internet. The links between nodes of a
Virtual Private Network are formed over logical connections or virtual circuits between
hosts of the larger network. The link layer protocols of the virtual network are said to be
tunneled through the underlying transport network.
Question # 48
You work as the Senior Project Manager in Dotcoiss Inc. Your company has started a software project using configuration management and has completed 70% of it. You need to ensure that the network infrastructure devices and networking standards used in this project are installed in accordance with the requirements of its detailed project design documentation. Which of the following procedures will you employ to accomplish the task?
A. Configuration identification B. Configuration control C. Functional configuration audit D. Physical configuration audit
Answer: D
Explanation: Physical Configuration Audit (PCA) is one of the practices used in Software
Configuration Management for software configuration auditing. The purpose of the
software PCA is to ensure that the design and reference documentation is consistent with
the as-built software product: PCA checks that the implemented configuration matches
the documented one. Answer: C is incorrect. Functional Configuration Audit (FCA) is also
one of the practices used in Software Configuration Management for software
configuration auditing. FCA occurs either at delivery or at the moment of effecting a
change. A Functional Configuration Audit ensures that the functional and performance
attributes of a configuration item have been achieved. Answer: B is incorrect.
Configuration control is a procedure of configuration management. It is the set of
processes and approval stages required to change a configuration item's attributes and to
re-baseline them. It supports the change of the functional and physical attributes of
software at various points in time, and performs systematic control of changes to the
identified attributes. Answer: A is incorrect. Configuration identification is the process of
identifying the attributes that define every aspect of a configuration item. A configuration
item is a product (hardware and/or software) that has an end-user purpose. These
attributes are recorded in configuration documentation and baselined. Baselining an
attribute forces formal configuration change control processes to be effected in the event
that these attributes are changed.
Question # 49
What NIACAP certification levels are recommended by the certifier? Each correct answer represents a complete solution. Choose all that apply.
A. Comprehensive Analysis
B. Maximum Analysis
C. Detailed Analysis
D. Minimum Analysis
E. Basic Security Review
F. Basic System Review
Answer: A,C,D,E
Explanation: NIACAP has four levels of certification. These levels ensure that the appropriate C&A activities are performed for varying schedule and budget limitations. The certifier must analyze the system's business functions. The certifier determines the degree of confidentiality, integrity, availability, and accountability, and then recommends one of the following levels: Level 1 - Basic Security Review, Level 2 - Minimum Analysis, Level 3 - Detailed Analysis, Level 4 - Comprehensive Analysis. Answer: B and F are incorrect. No such types of levels exist.
Question # 50
The mission and business process level is the Tier 2. What are the various Tier 2 activities? Each correct answer represents a complete solution. Choose all that apply.
A. Developing an organization-wide information protection strategy and incorporating high-level information security requirements
B. Defining the types of information that the organization needs, to successfully execute the stated missions and business processes
C. Specifying the degree of autonomy for the subordinate organizations
D. Defining the core missions and business processes for the organization
E. Prioritizing missions and business processes with respect to the goals and objectives of the organization
Answer: A,B,C,D,E
Explanation: The mission and business process level is the Tier 2. It addresses risks from
the mission and business process perspective. It is guided by the risk decisions at Tier 1.
The various Tier 2 activities are as follows: It defines the core missions and business
processes for the organization. It also prioritizes missions and business processes, with
respect to the goals and objectives of the organization. It defines the types of information
that an organization requires, to successfully execute the stated missions and business
processes. It helps in developing an organization-wide information protection strategy and
incorporating high-level information security requirements. It specifies the degree of
autonomy for the subordinate organizations.
Question # 51
Which of the following are the basic characteristics of declarative security? Each correct answer represents a complete solution. Choose all that apply.
A. It is a container-managed security.
B. It has a runtime environment.
C. All security constraints are stated in the configuration files.
D. The security policies are applied at the deployment time.
Answer: A,B,C
Explanation: The following are the basic characteristics of declarative security: In
declarative security, programming is not required. All security constraints are stated in the
configuration files. It is a container-managed security. The application server manages the
enforcing process of security constraints. It has a runtime environment. The security
policies for runtime environment are represented by the deployment descriptor. It can
support different environments, such as development, testing, and production. Answer: D is
incorrect. It is the characteristic of programmatic security.
Question # 52
You are the project manager of the GHY project for your organization. You are about to start the qualitative risk analysis process for the project and you need to determine the roles and responsibilities for conducting risk management. Where can you find this information?
A. Risk register
B. Staffing management plan
C. Risk management plan
D. Enterprise environmental factors
Answer: C
Explanation: The risk management plan defines the roles and responsibilities for conducting risk management. A risk management plan is a document prepared by a project manager to estimate the effectiveness of controls, predict risks, and build response plans to mitigate them. It also contains the risk assessment matrix. Risks are inherent in any project, and project managers evaluate risks repeatedly and build plans to address them. The risk management plan consists of an analysis of possible risks with both high and low impacts, and the mitigation strategies that keep the project on track and prevent it from being derailed by common problems. Risk management plans should be reviewed regularly by the project team in order to avoid having the analysis become stale and not reflective of actual potential project risks. Most critically, risk management plans include a risk strategy for project execution. Answer: A is incorrect. The risk register does not define the risk management roles and responsibilities. Answer: D is incorrect. Enterprise environmental factors may define the roles that risk management officials or departments play in the project, but the best answer for all projects is the risk management plan. Answer: B is incorrect. The staffing management plan does not define the risk management roles and responsibilities.
Question # 53
Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?
A. Computer Misuse Act
B. Lanham Act
C. Computer Fraud and Abuse Act
D. FISMA
Answer: D
Explanation: The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a 'risk-based policy for cost-effective security'. FISMA requires agency program officials, chief information officers, and Inspectors General (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act. Answer: B is incorrect. The Lanham Act is a piece of legislation that contains the federal statutes of trademark law in the United States. The Act prohibits a number of activities, including trademark infringement, trademark dilution, and false advertising. It is also called the Lanham Trademark Act. Answer: A is incorrect. The Computer Misuse Act 1990 is an act of the UK Parliament which provides the following: Unauthorized access to computer material is punishable by 6 months imprisonment or a fine "not exceeding level 5 on the standard scale" (currently 5000). Unauthorized access with the intent to commit or facilitate commission of further offences is punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment. Unauthorized modification of computer material is subject to the same sentences as section 2 offences.
Answer: C is incorrect. The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended to reduce cracking of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as 18 U.S.C. 1030) governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce. It was amended in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Section (b) of the act punishes not just anyone who commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.
Question # 54
You work as a CSO (Chief Security Officer) for Tech Perfect Inc. You have a disaster scenario and you want to discuss it with your team members to get appropriate responses to the disaster. In which of the following disaster recovery tests can this task be performed?
A. Structured walk-through test
B. Full-interruption test
C. Parallel test
D. Simulation test
Answer: D
Explanation: A simulation test is a method used to test disaster recovery plans. It operates just like a structured walk-through test. In the simulation test, the members of the disaster recovery team are presented with a disaster scenario and then discuss appropriate responses. These suggested responses are measured and some of them are taken up by the team. The scope of the simulation test should be defined carefully to avoid excessive disruption of normal business activities. Answer: A is incorrect. The structured walk-through test is also known as the table-top exercise. In a structured walk-through test, the team members walk through the plan to identify and correct weaknesses and determine how they will respond to the emergency scenarios by stepping through the course of the plan. It is the most effective and efficient way to identify the areas of overlap in the plan before conducting more challenging training exercises. Answer: B is incorrect. A full-interruption test involves shutting down operations at the primary site and shifting them to the recovery site according to the disaster recovery plan. It operates just like a parallel test. The full-interruption test is very expensive and difficult to arrange. Sometimes, it causes a major disruption of operations if the test fails. Answer: C is incorrect. A parallel test is the next level in the testing procedure; it relocates the employees to an alternate recovery site and implements site activation procedures. These employees perform their disaster recovery responsibilities as they would for an actual disaster. The disaster recovery sites have full responsibility to conduct the organization's day-to-day business.
Question # 55
What are the differences between managed and unmanaged code technologies? Each correct answer represents a complete solution. Choose two.
A. Managed code is referred to as Hex code, whereas unmanaged code is referred to as byte code.
B. C and C++ are the examples of managed code, whereas Java EE and Microsoft.NET are the examples of unmanaged code.
C. Managed code executes under management of a runtime environment, whereas unmanaged code is executed by the CPU of a computer system.
D. Managed code is compiled into an intermediate code format, whereas unmanaged code is compiled into machine code.
Answer: C,D
Explanation: Programming languages are categorized into two technologies:
1. Managed code: This computer program code is compiled into an intermediate code format. Managed code is referred to as byte code. It executes under the management of a runtime environment. Java EE and Microsoft.NET are the examples of managed code.
2. Unmanaged code: This computer code is compiled into machine code. Unmanaged code is executed by the CPU of a computer system. C and C++ are the examples of unmanaged code.
Answer: A is incorrect. Managed code is referred to as byte code. Answer: B is incorrect. C and C++ are the examples of unmanaged code, whereas Java EE and Microsoft.NET are the examples of managed code.
Question # 56
Which of the following fields of management focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life?
A. Configuration management
B. Risk management
C. Change management
D. Procurement management
Answer: A
Explanation: Configuration management is a field of management that focuses on
establishing and maintaining consistency of a system's or product's performance and its
functional and physical attributes with its requirements, design, and operational information
throughout its life. Configuration Management System is a subsystem of the overall project
management system. It is a collection of formal documented procedures used to identify
and document the functional and physical characteristics of a product, result, service, or
component of the project. It also controls any changes to such characteristics, and records
and reports each change and its implementation status. It includes the documentation,
tracking systems, and defined approval levels necessary for authorizing and controlling
changes. Audits are performed as part of configuration management to determine if the
requirements have been met. Answer: D is incorrect. The procurement management plan
defines more than just the procurement of team members, if needed. It defines how
procurements will be planned and executed, and how the organization and the vendor will
fulfill the terms of the contract. Answer: B is incorrect. Risk Management is used to identify,
assess, and control risks. It includes analyzing the value of assets to the business,
identifying threats to those assets, and evaluating how vulnerable each asset is to those
threats. Answer: C is incorrect. Change Management is used to ensure that standardized
methods and procedures are used for efficient handling of all changes.
Question # 57
You work as a CSO (Chief Security Officer) for Tech Perfect Inc. You want to perform the following tasks: Develop a risk-driven enterprise information security architecture. Deliver security infrastructure solutions that support critical business initiatives. Which of the following methods will you use to accomplish these tasks?
A. Service-oriented modeling and architecture
B. Service-oriented modeling framework
C. Sherwood Applied Business Security Architecture
D. Service-oriented architecture
Answer: C
Explanation: SABSA (Sherwood Applied Business Security Architecture) is a framework
and methodology for Enterprise Security Architecture and Service Management. SABSA is
a model and a methodology for developing risk-driven enterprise information security
architectures and for delivering security infrastructure solutions that support critical
business initiatives. The primary characteristic of the SABSA model is that everything must
be derived from an analysis of the business requirements for security, especially those in
which security has an enabling function through which new business opportunities can be
developed and exploited. Answer: B is incorrect. The service-oriented modeling framework
(SOMF) is a service-oriented development life cycle methodology. It offers a number of
modeling practices and disciplines that contribute to a successful service-oriented life cycle
management and modeling. The service-oriented modeling framework illustrates the major
elements that identify the "what to do" aspects of a service development scheme. Answer:
A is incorrect. The service-oriented modeling and architecture (SOMA) includes an analysis
and design method that extends traditional object-oriented and component-based analysis
and design methods to include concerns relevant to and supporting SOA. Answer: D is
incorrect. The service-oriented architecture (SOA) is a flexible set of design principles used
during the phases of systems development and integration.
Question # 58
Maria has been recently appointed as a Network Administrator in Gentech Inc. She has been tasked to perform network security testing to find out the vulnerabilities and shortcomings of the present network infrastructure. Which of the following testing approaches will she apply to accomplish this task?
A. Gray-box testing
B. White-box testing
C. Black-box testing
D. Unit testing
Answer: C
Explanation: Maria is new to this organization and she does not have any knowledge of the present infrastructure. Therefore, black-box testing is best suited for her. Black-box testing is a technique in which the testing team has no knowledge about the infrastructure of the organization. The testers must first determine the location and extent of the systems before commencing their analysis. This testing technique is costly and time consuming. Answer: B is incorrect. White-box testing, also known as clear-box or glass-box testing, takes into account the internal mechanism of a system or application. The connotations of "clear box" and "glass box" indicate that a tester has full visibility of the internal workings of the system. It uses knowledge of the internal structure of an application. It is applicable at the unit, integration, and system levels of the software testing process. It consists of the following testing methods:
Control flow-based testing: Create a graph from source code. Describe the flow of control through the control flow graph. Design test cases to cover certain elements of the graph.
Data flow-based testing: Test connections between variable definitions and uses. Check variation of the control flow graph. Set DEF(n) contains the variables that are defined at node n. Set USE(n) contains the variables that are read at node n.
Answer: A is incorrect. Gray-box testing is a combination of white-box testing and black-box testing. In gray-box testing, the test engineer is equipped with knowledge of the system and designs test cases or test data based on that system knowledge. The security tester typically performs gray-box testing to find vulnerabilities in software and network systems. Answer: D is incorrect. Unit testing is a type of testing in which each independent unit of an application is tested separately. During unit testing, a developer takes the smallest unit of an application, isolates it from the rest of the application code, and tests it to determine whether it works as expected. Unit testing is performed before integrating these independent units into modules. The most common approach to unit testing requires drivers and stubs to be written. Drivers and stubs are programs. A driver simulates a calling unit, and a stub simulates a called unit.
Question # 59
In digital rights management, the level of robustness depends on the various types of tools and attacks to which they must be resistant or immune. Which of the following types of tools are expensive, require skill, and are not easily available?
A. Hand tools
B. Widely available tools
C. Specialized tools
D. Professional tools
Answer: D
Explanation: The tools used in DRM to define the level of robustness are as follows:
1. Widely available tools: These tools are easy to use and are available to everyone. For example, screwdrivers and file editors.
2. Specialized tools: These tools require skill and are available at reasonable prices. For example, debuggers, decompilers, and memory scanners.
3. Professional tools: These tools are expensive, require skill, and are not easily available. For example, logic analyzers, circuit emulators, and chip disassembly systems.
Question # 60
Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?
A. Verification, Definition, Validation, and Post Accreditation
B. Definition, Validation, Verification, and Post Accreditation
C. Definition, Verification, Validation, and Post Accreditation
D. Verification, Validation, Definition, and Post Accreditation
Answer: C
Explanation: C&A consists of four phases in a DITSCAP assessment. These phases are the same as the NIACAP phases. The order of these phases is as follows:
1. Definition: The definition phase is focused on understanding the IS business case, the mission, environment, and architecture. This phase determines the security requirements and level of effort necessary to achieve Certification & Accreditation (C&A).
2. Verification: The second phase confirms the evolving or modified system's compliance with the information agreed upon in the SSAA. The verification phase ensures that the fully integrated system will be ready for certification testing.
3. Validation: The third phase confirms compliance of the fully integrated system with the security policy. This phase follows the requirements stated in the SSAA. The objective of the validation phase is to produce the required evidence to support the DAA in the accreditation process.
4. Post Accreditation: Post Accreditation is the final phase of a DITSCAP assessment and it starts after the system has been certified and accredited for operations. This phase ensures secure system management, operation, and maintenance to preserve an acceptable level of residual risk.
Question # 61
Which of the following are the responsibilities of a custodian with regard to data in an information classification program? Each correct answer represents a complete solution. Choose three.
A. Performing data restoration from the backups when necessary
B. Running regular backups and routinely testing the validity of the backup data
C. Determining what level of classification the information requires
D. Controlling access, adding and removing privileges for individual users
Answer: A,B,D
Explanation: The owner of information delegates the responsibility of protecting that information to a custodian. The following are the responsibilities of a custodian with regard to data in an information classification program:
Running regular backups and routinely testing the validity of the backup data
Performing data restoration from the backups when necessary
Controlling access, adding and removing privileges for individual users
Answer: C is incorrect. Determining what level of classification the information requires is the responsibility of the owner.
Question # 62
Which of the following DoD directives defines DITSCAP as the standard C&A process for the Department of Defense?
A. DoD 8910.1
B. DoD 5200.22-M
C. DoD 8000.1
D. DoD 5200.40
Answer: D
Explanation: DITSCAP stands for DoD Information Technology Security Certification and
Accreditation Process. The DoD Directive 5200.40 (DoD Information Technology Security
Certification and Accreditation Process) established the DITSCAP as the standard C&A
process for the Department of Defense. The Department of Defense Information Assurance
Certification and Accreditation Process (DIACAP) is a process defined by the United States
Department of Defense (DoD) for managing risk. DIACAP replaced the former process,
known as DITSCAP, in 2006. Answer: B is incorrect. This DoD Directive is known as
National Industrial Security Program Operating Manual. Answer: C is incorrect. This DoD
Directive is known as Defense Information Management (IM) Program. Answer: A is
incorrect. This DoD Directive is known as Management and Control of Information
Requirements.
Question # 63
You work as an analyst for Tech Perfect Inc. You want to prevent information flow that may cause a conflict of interest in your organization representing competing clients. Which of the following security models will you use?
A. Bell-LaPadula model
B. Chinese Wall model
C. Clark-Wilson model
D. Biba model
Answer: B
Explanation: The Chinese Wall Model is the basic security model developed by Brewer
and Nash. This model prevents information flow that may cause a conflict of interest in an
organization representing competing clients. The Chinese Wall Model provides both
privacy and integrity for data. Answer: D is incorrect. The Biba model is a formal state
transition system of computer security policy that describes a set of access control rules
designed to ensure data integrity. Data and subjects are grouped into ordered levels of
integrity. The model is designed so that subjects may not corrupt data in a level ranked
higher than the subject, or be corrupted by data from a lower level than the subject.
Answer: C is incorrect. The Clark-Wilson model provides a foundation for specifying and
analyzing an integrity policy for a computing system. The model is primarily concerned with
formalizing the notion of information integrity. Information integrity is maintained by
preventing corruption of data items in a system due to either error or malicious intent. The
model's enforcement and certification rules define data items and processes that provide
the basis for an integrity policy. The core of the model is based on the notion of a
transaction. Answer: A is incorrect. The Bell-La Padula Model is a state machine model
used for enforcing access control in government and military applications. The model is a
formal state transition model of computer security policy that describes a set of access
control rules which use security labels on objects and clearances for subjects. Security
labels range from the most sensitive (e.g.,"Top Secret"), down to the least sensitive (e.g.,
"Unclassified" or "Public"). The Bell-La Padula model focuses on data confidentiality and
controlled access to classified information, in contrast to the Biba Integrity Model which
describes rules for the protection of data integrity.
Question # 64
Henry is the project manager of the QBG Project for his company. This project has a budget of $4,576,900 and is expected to last 18 months to complete. The CIO, a stakeholder in the project, has introduced a scope change request for additional deliverables as part of the project work. What component of the change control system would review the proposed changes' impact on the features and functions of the project's product?
A. Configuration management system
B. Scope change control system
C. Cost change control system
D. Integrated change control
Answer: A
Explanation: The configuration management system ensures that proposed changes to the project's scope are reviewed and evaluated for their effect on the project's product. The Configuration Management System is a subsystem of the overall project management system. It is a collection of formal documented procedures used to identify and document the functional and physical characteristics of a product, result, service, or component of the project. It also controls any changes to such characteristics, and records and reports each change and its implementation status. It includes the documentation, tracking systems, and defined approval levels necessary for authorizing and controlling changes. Audits are performed as part of configuration management to determine if the requirements have been met. Answer: B is incorrect. The scope change control system focuses on reviewing the actual changes to the project scope. When a change to the project's scope is proposed, the configuration management system is also invoked. Answer: C is incorrect. The cost change control system is responsible for reviewing and controlling changes to the project costs. Answer: D is incorrect. Integrated change control examines the effect of a proposed change on the project as a whole.
Question # 65
Which of the following describes a residual risk as the risk remaining after a risk mitigation has occurred?
A. DIACAP
B. SSAA
C. DAA
D. ISSO
Answer: A
Explanation: DIACAP describes a residual risk as the risk remaining after a risk mitigation has occurred. The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is a process defined by the United States Department of Defense (DoD) for managing risk. DIACAP replaced the former process, known as DITSCAP (Department of Defense Information Technology Security Certification and Accreditation Process), in 2006. DoD Instruction (DoDI) 8510.01 establishes a standard DoD-wide process with a set of activities, general tasks, and a management structure to certify and accredit an Automated Information System (AIS) that will maintain the Information Assurance (IA) posture of the Defense Information Infrastructure (DII) throughout the system's life cycle. DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. It identifies four phases:
1. System Definition
2. Verification
3. Validation
4. Re-Accreditation
Answer: D is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information System Security Officer (ISSO) are as follows: Manages the security of the information system that is slated for Certification & Accreditation (C&A). Ensures that the information system's configuration complies with the agency's information security policy. Supports the information system owner/information owner in the completion of security-related responsibilities. Takes part in the formal configuration management process. Prepares Certification & Accreditation (C&A) packages. Answer: C is incorrect. The Designated Approving Authority (DAA), in the United States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. The DAA is responsible for implementing system security. The DAA can grant the accreditation and can determine that the system's risks are not at an acceptable level and the system is not ready to be operational. Answer: B is incorrect. The System Security Authorization Agreement (SSAA) is an information security document used in the United States Department of Defense (DoD) to describe and accredit networks and systems. The SSAA is part of the Department of Defense Information Technology Security Certification and Accreditation Process, or DITSCAP (superseded by DIACAP). The DoD instruction (issued in December 1997) that describes DITSCAP and provides an outline for the SSAA document is DODI 5200.40. The DITSCAP application manual (DoD 8510.1-M), published in July 2000, provides additional details.
Question # 66
Which of the following statements reflect the 'Code of Ethics Canons' in the '(ISC)2 Code of Ethics'? Each correct answer represents a complete solution. Choose all that apply.
A. Act honorably, honestly, justly, responsibly, and legally.
B. Give guidance for resolving good versus good and bad versus bad dilemmas.
C. Provide diligent and competent service to principals.
D. Protect society, the commonwealth, and the infrastructure.
Answer: A,C,D
Explanation: The Code of Ethics Canons in the (ISC)2 code of ethics are as follows:
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
Question # 67
In which of the following SDLC phases are the system's security features configured and enabled, the system tested and installed or fielded, and the system authorized for processing?
A. Development/Acquisition Phase
B. Operation/Maintenance Phase
C. Implementation Phase
D. Initiation Phase
Answer: C
Explanation: It is the Implementation Phase in which the system's security features are
configured and enabled, the system is tested and installed or fielded, and the system is
authorized for processing. A design review and systems test should be performed prior to
placing the system into operation to ensure that it meets security specifications. Answer: B
is incorrect. In the Operation/Maintenance Phase, the system performs its work. The system is
almost always being continuously modified by the addition of hardware and software and
by numerous other events. Answer: D is incorrect. In the Initiation Phase, the need for a
system is expressed and the purpose of the system is documented. Answer: A is incorrect.
In the Development/Acquisition Phase, the system is designed, purchased, programmed,
developed, or otherwise constructed.
Question # 68
According to the NIST SAMATE, dynamic analysis tools operate by generating runtime vulnerability scenarios using some functions. Which of the following are functions that are used by the dynamic analysis tools and are summarized in the NIST SAMATE? Each correct answer represents a complete solution. Choose all that apply.
A. Implementation attack
B. Source code security
C. File corruption
D. Network fault injection
Answer: A,C,D
Explanation: According to the NIST SAMATE, dynamic analysis tools operate by
generating runtime vulnerability scenarios using the following functions:
Resource fault injection
Network fault injection
System fault injection
User interface fault injection
Design attack
Implementation attack
File corruption
Answer: B is incorrect. This function is summarized for static analysis tools.
Question # 69
Which of the following documents is defined as a source document, which is most useful for the ISSE when classifying the needed security functionality?
A. Information Protection Policy (IPP)
B. IMM
C. System Security Context
D. CONOPS
Answer: A
Explanation: The Information Protection Policy (IPP) is defined as a source document,
which is most useful for the ISSE when classifying the needed security functionality. The
IPP document consists of the threats to the information management and the security
services and controls needed to respond to those threats. Answer: B is incorrect. The IMM
is the source document describing the customer's needs based on identifying users,
processes, and information. Answer: C is incorrect. The System Security Context is the
output of SE and ISSEP. It is the translation of the requirements into system parameters
and possible measurement concepts that meet the defined requirements. Answer: D is
incorrect. The Concept of Operations (CONOPS) is a document describing the
characteristics of a proposed system from the viewpoint of an individual who will use that
system. It is used to communicate the quantitative and qualitative system characteristics to
all stakeholders. CONOPS are widely used in the military or in government services, as
well as other fields. A CONOPS generally evolves from a concept and is a description of
how a set of capabilities may be employed to achieve desired objectives or a particular end
state for a specific scenario.
Question # 70
Which of the following processes does the decomposition and definition sequence of the Vee model include? Each correct answer represents a part of the solution. Choose all that apply.
A. Component integration and test
B. System security analysis
C. Security requirements allocation
D. High level software design
Answer: B,C,D
Explanation: The decomposition and definition sequence includes the following processes:
System security analysis
Security requirements allocation
Software security requirements analysis
High level software design
Detailed software design
Answer: A is incorrect. This process is included in the integration and verification sequence of the Vee model.