ISC csslp practice test

Answer:

A

Explanation:
The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time.
It is the point in time to which data must
be recovered as defined by the organization. The RPO is generally a definition of what an
organization determines is an "acceptable loss" in a
disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into
production is 5 hours, the RPO is still 2
hours. Based on this RPO the data must be restored to within 2 hours of the disaster.
Answer B is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level
within which a business process
must be restored after a disaster or disruption in order to avoid unacceptable consequences
associated with a break in business continuity. It
includes the time for trying to fix the problem without a recovery, the recovery itself, tests and the
communication to the users. Decision time
for user representative is not included. The business continuity timeline usually runs parallel with an
incident management timeline and may
start at the same, or different, points.
In accepted business continuity planning methodology, the RTO is established during the Business
Impact Analysis (BIA) by the owner of a
process (usually in conjunction with the Business Continuity planner). The RTOs are then presented
to senior management for acceptance.
The RTO attaches to the business process and not the resources required to support the process.
Answer D is incorrect. The Recovery Time Actual (RTA) is established during an exercise, actual event,
or predetermined based on
recovery methodology the technology support team develops. This is the time frame the technology
support takes to deliver the recovered
infrastructure to the business.
Answer C is incorrect. The Recovery Consistency Objective (RCO) is used in Business Continuity
Planning in addition to Recovery Point
Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to
Continuous Data Protection services.

Answer:

C, A, D

Explanation:
The security challenges for DRM are as follows:
Key hiding: It prevents tampering attacks that target the secret keys. In the key hiding process, secret
keys are used for
authentication, encryption, and node-locking.
Device fingerprinting: It prevents fraud and provides secure authentication. Device fingerprinting
includes the summary of hardware
and software characteristics in order to uniquely identify a device.
OTA provisioning: It provides end-to-end encryption or other secure ways for delivery of copyrighted
software to mobile devices.
Answer B is incorrect. Access control is not a security challenge for DRM.

Answer:

D

Explanation:
Confidentiality is a term that refers to the protection of data against unauthorized access.
Administrators can provide confidentiality by
encrypting data. Symmetric encryption is a relatively fast encryption method. Hence, this method of
encryption is best suited for encrypting
large amounts of data such as files on a computer.
Answer A is incorrect. Integrity ensures that no intentional or unintentional unauthorized
modification is made to data.
Answer C is incorrect. Auditing is used to track user accounts for file and object access, logon
attempts, system shutdown etc. This
enhances the security of the network. Before enabling auditing, the type of event to be audited
should be specified in the Audit Policy in User
Manager for Domains.

Answer:

B, A, D

Explanation:
The owner of information delegates the responsibility of protecting that information to a custodian.
The following are the responsibilities of a
custodian with regard to data in an information classification program:
Running regular backups and routinely testing the validity of the backup data
Performing data restoration from the backups when necessary
Controlling access, adding and removing privileges for individual users
Answer C is incorrect. Determining what level of classification the information requires is the
responsibility of the owner.

Answer:

D

Explanation:
DITSCAP stands for DoD Information Technology Security Certification and Accreditation Process. The
DoD Directive 5200.40 (DoD Information
Technology Security Certification and Accreditation Process) established the DITSCAP as the standard
C&A process for the Department of
Defense. The Department of Defense Information Assurance Certification and Accreditation Process
(DIACAP) is a process defined by the
United States Department of Defense (DoD) for managing risk. DIACAP replaced the former process,
known as DITSCAP, in 2006.
Answer B is incorrect. This DoD Directive is known as National Industrial Security Program Operating
Manual.
Answer C is incorrect. This DoD Directive is known as Defense Information Management (IM)
Program.
Answer A is incorrect. This DoD Directive is known as Management and Control of Information
Requirements.

Answer:

D

Explanation:
The scope and plan initiation process in BCP symbolizes the beginning of the BCP process. It
emphasizes on creating the scope and the
additional elements required to define the parameters of the plan.
The scope and plan initiation phase embodies a check of the company's operations and support
services. The scope activities include creating
a detailed account of the work required, listing the resources to be used, and defining the
management practices to be employed.
Answer C is incorrect. The business impact assessment is a method used to facilitate business units
to understand the impact of a
disruptive event. This phase includes the execution of a vulnerability assessment. This process makes
out the mission-critical areas and
business processes that are important for the survival of business.
It is similar to the risk assessment process. The function of a business impact assessment process is
to create a document, which is used to
help and understand what impact a disruptive event would have on the business.
Answer A is incorrect. The business continuity plan development refers to the utilization of the
information collected in the Business
Impact Analysis (BIA) for the creation of the recovery strategy plan to support the critical business
functions. The information gathered from
the BIA is mapped out to make a strategy for creating a continuity plan. The business continuity plan
development process includes the areas
of plan implementation, plan testing, and ongoing plan maintenance. This phase also consists of
defining and documenting the continuity
strategy.
Answer B is incorrect. The plan approval and implementation process involves creating enterprise-
wide awareness of the plan, getting
the final senior management signoff, and implementing a maintenance procedure for updating the
plan as required.

Answer:

Biba model

Explanation:
The Biba model is a formal state transition system of computer security policy that describes a set of
access control rules
designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The
model is designed so that subjects may
not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level
than the subject.

Answer:

D A

Explanation:
The Certification and Accreditation (C&A) process consists of four distinct phases:
1.Initiation
2.Security Certification
3.Security Accreditation
4.Continuous Monitoring
The C&A activities can be applied to an information system at appropriate phases in the system
development life cycle by selectively tailoring
the various tasks and subtasks.
Answer B and C are incorrect. Auditing and detection are not phases of the Certification and
Accreditation process.

Answer:

B

Explanation:
The Chinese Wall Model is the basic security model developed by Brewer and Nash. This model
prevents information flow that may cause a
conflict of interest in an organization representing competing clients. The Chinese Wall Model
provides both privacy and integrity for data.
Answer D is incorrect. The Biba model is a formal state transition system of computer security policy
that describes a set of access
control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of
integrity. The model is designed so that
subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from
a lower level than the subject.
Answer C is incorrect. The Clark-Wilson model provides a foundation for specifying and analyzing an
integrity policy for a computing
system. The model is primarily concerned with formalizing the notion of information integrity.
Information integrity is maintained by preventing
corruption of data items in a system due to either error or malicious intent.
The model's enforcement and certification rules define data items and processes that provide the
basis for an integrity policy. The core of the
model is based on the notion of a transaction.
Answer A is incorrect. The Bell-La Padula Model is a state machine model used for enforcing access
control in government and military
applications. The model is a formal state transition model of computer security policy that describes
a set of access control rules which use
security labels on objects and clearances for subjects. Security labels range from the most sensitive
(e.g.,"Top Secret"), down to the least
sensitive (e.g., "Unclassified" or "Public").
The Bell-La Padula model focuses on data confidentiality and controlled access to classified
information, in contrast to the Biba Integrity Model
which describes rules for the protection of data integrity.

Answer:

D

Explanation:
There are four risk responses available for a negative risk event.
The risk response strategies for negative risks are:
Avoid: It involves altering the project management plan to remove the threats completely.
Transfer: It requires shifting some or all of the negative effects of a threat including the ownership of
response, to a third party.
Mitigate: It implies a drop in the probability and impact of an unfavorable risk event to be within
suitable threshold limits.
Accept: It delineates that the project plan will not be changed to deal with the risk. Management
may develop a contingency plan if the
risk occurs. It is used for both negative and positive risks.
Answer C is incorrect. There are four responses for negative risk events.
Answer A is incorrect. There are four, not three, responses for negative risk events. Do not forget that
acceptance can be used for
negative risk events.
Answer B is incorrect. There are seven total risk responses, four of which can be used for negative
risk events.

Answer:

C

Explanation:
The risk management plan defines the roles and responsibilities for conducting risk management.
A Risk management plan is a document arranged by a project manager to estimate the effectiveness,
predict risks, and build response plans
to mitigate them. It also consists of the risk assessment matrix.
Risks are built in with any project, and project managers evaluate risks repeatedly and build plans to
address them. The risk management
plan consists of analysis of possible risks with both high and low impacts, and the mitigation
strategies to facilitate the project and avoid
being derailed through which the common problems arise. Risk management plans should be timely
reviewed by the project team in order to
avoid having the analysis become stale and not reflective of actual potential project risks. Most
critically, risk management plans include a risk
strategy for project execution.
Answer A is incorrect. The risk register does not define the risk management roles and
responsibilities.
Answer D is incorrect. Enterprise environmental factors may define the roles that risk management
officials or departments play in the
project, but the best answer for all projects is the risk management plan.
Answer B is incorrect. The staffing management plan does not define the risk management roles and
responsibilities.

Answer:

C

Explanation:
The DAA, also known as Authorizing Official, makes the final accreditation decision. The Designated
Approving Authority (DAA), in the United
States Department of Defense, is the official with the authority to formally assume responsibility for
operating a system at an acceptable level
of risk. The DAA is responsible for implementing system security. The DAA can grant the accreditation
and can determine that the system's
risks are not at an acceptable level and the system is not ready to be operational.
Answer D is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The
responsibilities of an Information
System Security Officer (ISSO) are as follows:
Manages the security of the information system that is slated for Certification & Accreditation (C&A).
Insures the information systems configuration with the agency's information security policy.
Supports the information system owner/information owner for the completion of security-related
responsibilities.
Takes part in the formal configuration management process.
Prepares Certification & Accreditation (C&A) packages.
Answer A is incorrect. An Information System Security Engineer (ISSE) plays the role of an advisor.
The responsibilities of an
Information System Security Engineer are as follows:
Provides view on the continuous monitoring of the information system.
Provides advice on the impacts of system changes.
Takes part in the configuration management process.
Takes part in the development activities that are required to implement system changes.
Follows approved system changes.
Answer B is incorrect. A Chief Risk Officer (CRO) is also known as Chief Risk Management Officer
(CRMO). The Chief Risk Officer or Chief
Risk Management Officer of a corporation is the executive accountable for enabling the efficient and
effective governance of significant risks,
and related opportunities, to a business and its various segments. Risks are commonly categorized as
strategic, reputational, operational,
financial, or compliance-related. CRO's are accountable to the Executive Committee and The Board
for enabling the business to balance risk
and reward. In more complex organizations, they are generally responsible for coordinating the
organization's Enterprise Risk Management
(ERM) approach.

Answer:

C D

Explanation:
A host-based intrusion prevention system (HIPS) is an application usually employed on a single
computer. It complements traditional finger-
print-based and heuristic antivirus detection methods, since it does not need continuous updates to
stay ahead of new malware. When a
malicious code needs to modify the system or other software residing on the machine, a HIPS system
will notice some of the resulting changes
and prevent the action by default or notify the user for permission. It can handle encrypted and
unencrypted traffic equally and cannot detect
events scattered over the network.
Answer B is incorrect. Network address translation (NAT) is a technique that allows multiple
computers to share one or more IP
addresses. NAT is configured at the server between a private network and the Internet. It allows the
computers in a private network to share
a global, ISP assigned address. NAT modifies the headers of packets traversing the server. For packets
outbound to the Internet, it translates
the source addresses from private to public, whereas for packets inbound from the Internet, it
translates the destination addresses from
public to private.
Answer A is incorrect. Network intrusion prevention system (NIPS) is a hardware/software platform
that is designed to analyze, detect,
and report on security related events. NIPS is designed to inspect traffic and based on its
configuration or security policy, it can drop malicious
traffic. NIPS is able to detect events scattered over the network and can react.

Answer:

A D

Explanation:
In private cloud, the cloud infrastructure is operated exclusively for an organization. The private
cloud infrastructure is administered by the
organization or a third party, and exists on premise and off premise.
In community cloud, the cloud infrastructure is shared by a number of organizations and supports a
particular community. The community cloud
infrastructure is administered by the organizations or a third party and exists on premise or off
premise.
Answer B is incorrect. In public cloud, the cloud infrastructure is administered by an organization that
sells cloud services.
Answer C is incorrect. In hybrid cloud, the cloud infrastructure is administered by both, i.e., an
organization and a third party.

Answer:

Explanation: The various SSE-CMM levels are described in the table below: