[Mar-2022] Pass ISC CSSLP Tests Engine pdf - All Free Dumps [Q117-Q138]

NO.117 Which of the following describes the acceptable amount of data loss measured in time?

Recovery Point Objective (RPO)

Recovery Time Objective (RTO)

Recovery Consistency Objective (RCO)

Recovery Time Actual (RTA)

Explanation/Reference:
Explanation: The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must be recovered as defined by the organization. The RPO is generally a definition of what an organization determines is an “acceptable loss” in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO the data must be restored to within 2 hours of the disaster.
AnswerB is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level
within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. It includes the time for trying to fix the problem without a recovery, the recovery itself, tests and the communication to the users.
Decision time for user representative is not included. The business continuity timeline usually runs parallel with an incident management timeline and may start at the same, or different, points. In accepted business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner of a process (usually in conjunction with the Business Continuity planner). The RTOs are then presented to senior management for acceptance. The RTO attaches to the business process and not the resources required to support the process. AnswerD is incorrect. The Recovery Time Actual (RTA) is established during an exercise, actual event, or predetermined based on recovery methodology the technology support team develops. This is the time frame the technology support takes to deliver the recovered infrastructure to the business. AnswerC is incorrect. The Recovery Consistency Objective (RCO) is used in Business Continuity Planning in addition to Recovery Point Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to Continuous Data Protection services.

NO.118 Which of the following types of obfuscation transformation increases the difficulty for a de-obfuscation tool so that it cannot extract the true application from the obfuscated version?

Preventive transformation

Data obfuscation

Control obfuscation

Layout obfuscation

NO.119 Which of the following are the primary functions of configuration management? Each correct answer represents a complete solution. Choose all that apply.

It removes the risk event entirely by adding additional steps to avoid the event.

It ensures that the change is implemented in a sequential manner through formalized testing.

It reduces the negative impact that the change might have had on the computing services and resources.

It analyzes the effect of the change that is implemented on the system.

NO.120 A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well designed policy? Each correct answer represents a part of the solution. Choose all that apply.

What is being secured?

Where is the vulnerability, threat, or risk?

Who is expected to exploit the vulnerability?

Who is expected to comply with the policy?

NO.121 Single Loss Expectancy (SLE) represents an organization’s loss from a single threat. Which of the following formulas best describes the Single Loss Expectancy (SLE)?

SLE = Asset Value (AV) * Exposure Factor (EF)

SLE = Annualized Loss Expectancy (ALE) * Annualized Rate of Occurrence (ARO)

SLE = Annualized Loss Expectancy (ALE) * Exposure Factor (EF)

SLE = Asset Value (AV) * Annualized Rate of Occurrence (ARO)

NO.122 What are the differences between managed and unmanaged code technologies? Each correct answer represents a complete solution. Choose two.

Managed code is referred to as Hex code, whereas unmanaged code is referred to as byte code.

C and C++ are the examples of managed code, whereas Java EE and Microsoft.NET are the examples of unmanaged code.

Managed code executes under management of a runtime environment, whereas unmanaged code is executed by the CPU of a computer system.

Managed code is compiled into an intermediate code format, whereas unmanaged code is compiled into machine code.

NO.123 To help review or design security controls, they can be classified by several criteria . One of these criteria is based on their nature. According to this criterion, which of the following controls consists of incident response processes, management oversight, security awareness, and training?

Compliance control

Physical control

Procedural control

Technical control

Explanation:
Procedural controls include incident response processes, management oversight,
security awareness, and training.

is incorrect. Physical controls include fences, doors,
locks, and fire extinguishers.

is incorrect. Technical controls include user authentication
(login) and logical access controls, antivirus software, and firewalls.

NO.124 Which of the following elements sets up a requirement to receive the constrained requests over a protected layer connection, such as TLS (Transport Layer Security)?

User data constraint

Authorization constraint

Web resource collection

Accounting constraint

NO.125 The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply.

An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).

An ISSE provides advice on the continuous monitoring of the information system.

An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).

An ISSE provides advice on the impacts of system changes.

An ISSO takes part in the development activities that are required to implement system changes.

NO.126 FIPS 199 defines the three levels of potential impact on organizations: low, moderate, and high. Which of the following are the effects of loss of confidentiality, integrity, or availability in a high level potential impact?

The loss of confidentiality, integrity, or availability might result in a major damage to organizational assets.

The loss of confidentiality, integrity, or availability might result in severe damages like life threatening injuries or loss of life.

The loss of confidentiality, integrity, or availability might result in major financial losses.

The loss of confidentiality, integrity, or availability might cause severe degradation in or loss of mission capability to an extent.

NO.127 Which of the following governance bodies directs and coordinates implementations of the information security program?

Chief Information Security Officer

Information Security Steering Committee

Business Unit Manager

Senior Management

NO.128 You work as the senior project manager in SoftTech Inc. You are working on a software project using configuration management. Through configuration management you are decomposing the verification system into identifiable, understandable, manageable, traceable units that are known as Configuration Items (CIs). According to you, which of the following processes is known as the decomposition process of a verification system into Configuration Items?

Configuration status accounting

Configuration identification

Configuration auditing

Configuration control

Explanation/Reference:
Explanation: Configuration identification is known as the decomposition process of a verification system into Configuration Items. Configuration identification is the process of identifying the attributes that define every aspect of a configuration item. A configuration item is a product (hardware and/or software) that has an end-user purpose. These attributes are recorded in configuration documentation and baselined.
Baselining an attribute forces formal configuration change control processes to be effected in the event that these attributes are changed. Answer: D is incorrect. Configuration control is a procedure of the Configuration management. Configuration control is a set of processes and approval stages required to change a configuration item’s attributes and to re-baseline them. It supports the change of the functional and physical attributes of software at various points in time, and performs systematic control of changes to the identified attributes. Configuration control is a means of ensuring that system changes are approved before being implemented. Only the proposed and approved changes are implemented, and the implementation is complete and accurate. Answer: A is incorrect. The configuration status accounting procedure is the ability to record and report on the configuration baselines associated with each configuration item at any moment of time. It supports the functional and physical attributes of software at various points in time, and performs systematic control of accounting to the identified attributes for the purpose of maintaining software integrity and traceability throughout the software development life cycle.
Answer C is incorrect. Configuration auditing is the quality assurance element of configuration
management. It is occupied in the process of periodic checks to establish the consistency and completeness of accounting information and to validate that all configuration management policies are being followed. Configuration audits are broken into functional and physical configuration audits. They occur either at delivery or at the moment of effecting the change. A functional configuration audit ensures that functional and performance attributes of a configuration item are achieved, while a physical configuration audit ensures that a configuration item is installed in accordance with the requirements of its detailed design documentation.

NO.129 Which of the following rated systems of the Orange book has mandatory protection of the TCB?

A-rated

B-rated

D-rated

C-rated

NO.130 Which of the following testing methods verifies the interfaces between components against a software design?

Regression testing

Integration testing

Black-box testing

Unit testing

Explanation/Reference:
Explanation: Integration testing is a software testing that seeks to verify the interfaces between components against a software design. Software components may be integrated in an iterative way or all together (“big bang”). Normally the former is considered a better practice since it allows interface issues to be localized more quickly and fixed. Integration testing works to expose defects in the interfaces and interaction between the integrated components (modules). Progressively larger groups of tested software components corresponding to elements of the architectural design are integrated and tested until the software works as a system. Answer: A is incorrect. Regression testing focuses on finding defects after a major code change has occurred. Specifically, it seeks to uncover software regressions, or old bugs that have come back. Such regressions occur whenever software functionality that was previously working correctly stops working as intended. Typically, regressions occur as an unintended consequence of program changes, when the newly developed part of the software collides with the previously existing code. Answer: D is incorrect. Unit testing refers to tests that verify the functionality of a specific section of code, usually at the function level. In an object-oriented environment, this is usually at the class level, and the minimal unit tests include the constructors and destructors. These types of tests are usually written by developers as they work on code (white-box style), to ensure that the specific function is working as expected. One function might have multiple tests, to catch corner cases or other branches in the code. Unit testing alone cannot verify the functionality of a piece of software, but rather is used to assure that the building blocks the software uses work independently of each other. Answer: C is incorrect. The black-box testing uses external descriptions of the software, including specifications, requirements, and design to derive test cases. These tests can be functional or non-functional, though usually functional. The test designer selects valid and invalid inputs and determines the correct output. There is no knowledge of the test object’s internal structure. This method of test design is applicable to all levels of software testing: unit, integration, functional testing, system and acceptance. The higher the level, and hence the bigger and more complex the box, the more one is forced to use black box testing to simplify. While this method can uncover unimplemented parts of the specification, one cannot be sure that all existent paths are tested.

NO.131 Which of the following intrusion detection systems (IDS) monitors network traffic and compares it against an established baseline?

File-based

Network-based

Anomaly-based

Signature-based

NO.132 Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system?

Information Systems Security Officer (ISSO)

Designated Approving Authority (DAA)

System Owner

Chief Information Security Officer (CISO)

NO.133 You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?

Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.

Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives.

Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.

Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.

NO.134 Which of the following are the principle duties performed by the BIOS during POST (power-onself-test)? Each correct answer represents a part of the solution. Choose all that apply.

It provides a user interface for system’s configuration.

It identifies, organizes, and selects boot devices.

It delegates control to other BIOS, if it is required.

It discovers size and verifies system memory.

It verifies the integrity of the BIOS code itself.

It interrupts the execution of all running programs.

NO.135 In which of the following processes are experienced personnel and software tools used to investigate, resolve, and handle process deviation, malformed data, infrastructure, or connectivity issues?

Risk Management

Exception management

Configuration Management

Change Management

NO.136 You work as a Security Manager for Tech Perfect Inc. You find that some applications have failed to encrypt network traffic while ensuring secure communications in the organization. Which of the following will you use to resolve the issue?

SCP

TLS

IPSec

HTTPS

Explanation/Reference:
Explanation: In order to resolve the issue, you should use TLS (Transport Layer Security). Transport Layer Security (TLS) is a cryptographic protocol that provides security and data integrity for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end. Several versions of the protocols are in wide-spread use in applications like web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP). The TLS protocol, an application layer protocol, allows client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. AnswerC is incorrect. Internet Protocol Security (IPSec) is a method of securing data. It secures traffic by using encryption and digital signing. It enhances the security of data as if an IPSec packet is captured, its contents cannot be read. IPSec also provides sender verification that ensures the certainty of the datagram’s origin to the receiver. Answer D is incorrect. Hypertext Transfer Protocol Secure (HTTPS) protocol is a protocol used in the Universal Resource Locater (URL) address line to connect to a secure site. If a site has been made secure by using the Secure Sockets Layer (SSL) then HTTPS, instead of HTTP protocol, should be used as a protocol type in the URL. Answer: A is incorrect. The SCP (secure copy) protocol is a network protocol that supports file transfers. The SCP protocol, which runs on port 22, is based on the BSD RCP protocol which is tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication. SCP might not even be considered a protocol itself, but merely a combination of RCP and SSH. The RCP protocol performs the file transfer and the SSH protocol performs authentication and encryption. SCP protects the authenticity and confidentiality of the data in transit. It hinders the ability for packet sniffers to extract usable information from the data packets.

NO.137 Which of the following DITSCAP C&A phases takes place between the signing of the initial version of the SSAA and the formal accreditation of the system?

Phase 4

Phase 3

Phase 1

Phase 2

NO.138 Which of the following is a chronological record of system activities to enable the reconstruction and examination of the sequence of events and/or changes in an event?

Corrective controls

Audit trail

Security audit

Detective controls

Explanation/Reference:
Explanation: Audit trail or audit log is a chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution of a business process or system function.
Audit records typically result from activities such as transactions or communications by individual people, systems, accounts, or other entities. The process that creates audit trail should always run in a privileged mode, so it could access and supervise all actions from all users, and normal user could not stop/change it. Furthermore, for the same reason, trail file or database table with a trail should not be accessible to normal users. AnswerC is incorrect. A computer security audit is a manual or systematic measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments, or CAAT’s, include system generated audit reports or using software to monitor and report changes to files and settings on a system. Systems can include personal computers, servers, mainframes, network routers, and switches. Answer D is incorrect. Detective controls are the audit controls that are not needed to be restricted. Any control that performs a monitoring activity can likely be defined as a Detective Control. For example, it is possible that mistakes, either intentional or unintentional, can be made. Therefore, an additional Protective control is that these companies must have their financial results audited by an independent Certified Public Accountant. The role of this accountant is to act as an auditor. In fact, any auditor acts as a Detective control. If the organization in question has not properly followed the rules, a diligent auditor should be able to detect the deficiency which indicates that some control somewhere has failed. Answer: A is incorrect.
Reactive or corrective controls typically work in response to a detective control, responding in such a way as to alert or otherwise correct an unacceptable condition. Using the example of account rules, either the internal Audit Committee or the SEC itself, based on the report generated by the external auditor, will take some corrective action. In this way, they are acting as a Corrective or Reactive control.

[Mar-2022] Pass ISC CSSLP Tests Engine pdf – All Free Dumps [Q117-Q138]

What is the duration of the CSSLP Exam

Who should take the exam

admin

Leave a Reply Cancel reply

What is the duration of the CSSLP Exam

Who should take the exam

Related posts:

admin

You might also like

Leave a Reply Cancel reply