Choosing the Right Path for Your CSSLP Exam Preparation
Welcome to PassExamHub's comprehensive study guide for the Certified Secure Software Lifecycle Professional exam. Our CSSLP dumps are designed to equip you with the knowledge and resources you need to confidently prepare for and succeed in the CSSLP certification exam.
What Our ISC2 CSSLP Study Material Offers
PassExamHub's CSSLP dumps PDF is carefully crafted to provide you with a comprehensive and effective learning experience. Our study material includes:
In-depth Content: Our study guide covers all the key concepts, topics, and skills you need to master for the CSSLP exam. Each topic is explained in a clear and concise manner, making it easy to understand even the most complex concepts.
Online Test Engine: Test your knowledge and build your confidence with a wide range of practice questions that simulate the actual exam format. Our test engine covers every exam objective and provides detailed explanations for both correct and incorrect answers.
Exam Strategies: Get valuable insights into exam-taking strategies, time management, and how to approach different types of questions.
Real-world Scenarios: Gain practical insights into applying your knowledge in real-world scenarios, ensuring you're well-prepared to tackle challenges in your professional career.
Why Choose PassExamHub?
Expertise: Our CSSLP exam questions answers are developed by experienced ISC2 certified professionals who have a deep understanding of the exam objectives and industry best practices.
Comprehensive Coverage: We leave no stone unturned in covering every topic and skill that could appear on the CSSLP exam, ensuring you're fully prepared.
Engaging Learning: Our content is presented in a user-friendly and engaging format, making your study sessions enjoyable and effective.
Proven Success: Countless students have used our study materials to achieve their CSSLP certifications and advance their careers.
Start Your Journey Today!
Embark on your journey to Certified Secure Software Lifecycle Professional success with PassExamHub. Our study material is your trusted companion in preparing for the CSSLP exam and unlocking exciting career opportunities.
ISC2 CSSLP Sample Question Answers
Question # 1
Under which type of access control do user ID and password systems come?
A. Physical
B. Technical
C. Power
D. Administrative
Answer: B
Explanation: Technical access controls include IDS systems, encryption, network segmentation, and antivirus controls. Answer: D is incorrect. The policies and procedures implemented by an organization come under administrative access controls. Answer: A is incorrect. Security guards, locks on the gates, and alarms come under physical access controls. Answer: C is incorrect. There is no such type of access control as power control.
Question # 2
Which of the following phases of the NIST SP 800-37 C&A methodology examines the residual risk for acceptability and prepares the final security accreditation package?
A. Security Accreditation
B. Initiation
C. Continuous Monitoring
D. Security Certification
Answer: A
Explanation: The various phases of NIST SP 800-37 C&A are as follows:
Phase 1: Initiation. This phase includes preparation, notification, and resource identification. It performs the security plan analysis, update, and acceptance.
Phase 2: Security Certification. This phase evaluates the controls and documentation.
Phase 3: Security Accreditation. This phase examines the residual risk for acceptability and prepares the final security accreditation package.
Phase 4: Continuous Monitoring. This phase covers configuration management and control, ongoing security control verification, and status reporting and documentation.
Question # 3
The Systems Development Life Cycle (SDLC) is the process of creating or altering systems, and the models and methodologies that people use to develop these systems. Which of the following are the different phases of the system development life cycle? Each correct answer represents a complete solution. Choose all that apply.
A. Testing
B. Implementation
C. Operation/maintenance
D. Development/acquisition
E. Disposal
F. Initiation
Answer: B,C,D,E,F
Explanation: The Systems Development Life Cycle (SDLC), or Software Development Life Cycle in systems engineering, information systems, and software engineering, is the process of creating or altering systems, and the models and methodologies that people use to develop these systems. The concept generally refers to computers or information systems. The following are the five phases in a generic System Development Life Cycle: Initiation; Development/acquisition; Implementation; Operation/maintenance; Disposal.
Question # 4
Which of the following describes the acceptable amount of data loss measured in time?
A. Recovery Point Objective (RPO)
B. Recovery Time Objective (RTO)
C. Recovery Consistency Objective (RCO)
D. Recovery Time Actual (RTA)
Answer: A
Explanation: The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must be recovered as defined by the organization. The RPO is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO, the data must be restored to within 2 hours of the disaster.
Answer: B is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. It includes the time for trying to fix the problem without a recovery, the recovery itself, tests, and the communication to the users. Decision time for the user representative is not included. The business continuity timeline usually runs parallel with an incident management timeline and may start at the same, or different, points. In accepted business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner of a process (usually in conjunction with the Business Continuity planner). The RTOs are then presented to senior management for acceptance. The RTO attaches to the business process and not to the resources required to support the process.
Answer: D is incorrect. The Recovery Time Actual (RTA) is established during an exercise, an actual event, or predetermined based on the recovery methodology the technology support team develops. This is the time frame the technology support takes to deliver the recovered infrastructure to the business.
Answer: C is incorrect. The Recovery Consistency Objective (RCO) is used in Business Continuity Planning in addition to the Recovery Point Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to Continuous Data Protection services.
Question # 5
Rob is the project manager of the IDLK Project for his company. This project has a budget of $5,600,000 and is expected to last 18 months. Rob has learned that a new law may affect how the project is allowed to proceed, even though the organization has already invested over $750,000 in the project. What risk response is the most appropriate for this instance?
A. Transference
B. Enhance
C. Mitigation
D. Acceptance
Answer: D
Explanation: At this point, all that Rob can likely do is accept the risk event. Because this is an external risk, there is little that Rob can do other than document the risk and share the news with management and the project stakeholders. If the law is passed, then Rob can choose the most appropriate way for the project to continue. The acceptance response is a part of the Risk Response planning process. It delineates that the project plan will not be changed to deal with the risk. Management may develop a contingency plan if the risk does occur. The acceptance response to a risk event is a strategy that can be used for risks that pose either threats or opportunities. It can be of two types:
Passive acceptance: A strategy in which no plans are made to try to avoid or mitigate the risk.
Active acceptance: Such responses include developing contingency reserves to deal with risks, in case they occur.
Acceptance is the only response for both threats and opportunities. Answer: B is incorrect. Mitigation aims to lower the probability and/or impact of the risk event. Answer: C is incorrect. Transference transfers the ownership of the risk event to a third party, usually through a contractual agreement. Answer: D is incorrect. Enhance is a risk response that tries to increase the probability and/or impact of a positive risk event.
Question # 6
Which of the following terms refers to a mechanism which proves that the sender really sent a particular message?
A. Confidentiality
B. Non-repudiation
C. Authentication
D. Integrity
Answer: B
Explanation: Non-repudiation is a mechanism which proves that the sender really sent a message. It provides evidence of the identity of the sender and of message integrity. It also prevents a person from denying the submission or delivery of the message and the integrity of its contents. Answer: C is incorrect. Authentication is a process of verifying the identity of a person or network host. Answer: A is incorrect. Confidentiality ensures that no one can read a message except the intended receiver. Answer: D is incorrect. Integrity assures the receiver that the received message has not been altered in any way from the original.
Question # 7
Which of the following are the important areas addressed by a software system's security policy? Each correct answer represents a complete solution. Choose all that apply.
A. Identification and authentication
B. Punctuality
C. Data protection
D. Accountability
E. Scalability
F. Access control
Answer: A,C,D,F
Explanation: The security policy of a software system addresses the following important areas: access control; data protection; confidentiality; integrity; identification and authentication; communication security; accountability. Answer: E and B are incorrect. Scalability and punctuality are not addressed by a software system's security policy.
Question # 8
Which of the following is a patch management utility that scans one or more computers on a network, alerts a user if any important Microsoft security patches are missing, and also provides links that enable those missing patches to be downloaded and installed?
A. MABS
B. ASNB
C. MBSA
D. IDMS
Answer: C
Explanation: Microsoft Baseline Security Analyzer (MBSA) is a tool that includes a graphical and command line interface that can perform local or remote scans of Windows systems. It runs on computers running the Windows 2000, Windows XP, or Windows Server 2003 operating system. MBSA scans for common security misconfigurations in Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS) 4.0 and above, SQL Server 7.0 and 2000, and Office 2000 and 2002. It also scans for missing hot fixes in several Microsoft products, such as Windows 2000, Windows XP, SQL Server, etc. Answer: B, D, and A are incorrect. These are invalid options.
Question # 9
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He finds that the We-are-secure server is vulnerable to attacks. As a countermeasure, he suggests that the Network Administrator should remove the IPP printing capability from the server. He is suggesting this as a countermeasure against __________.
A. SNMP enumeration
B. IIS buffer overflow
C. NetBIOS NULL session
D. DNS zone transfer
Answer: B
Explanation: Removing the IPP printing capability from a server is a good countermeasure against an IIS buffer overflow attack. A Network Administrator should take the following steps to protect a Web server from IIS buffer overflow attacks:
Conduct frequent scans for server vulnerabilities.
Install the upgrades of Microsoft service packs.
Implement effective firewalls.
Apply the URLScan and IISLockdown utilities.
Remove the IPP printing capability.
Answer: D is incorrect. The following are the DNS zone transfer countermeasures:
Do not allow DNS zone transfer using the DNS property sheet: a. Open DNS. b. Right-click a DNS zone and click Properties. c. On the Zone Transfer tab, clear the Allow zone transfers check box.
Configure the master DNS server to allow zone transfers only from secondary DNS servers: a. Open DNS. b. Right-click a DNS zone and click Properties. c. On the Zone Transfer tab, select the Allow zone transfers check box, and then do one of the following: To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to the servers listed on the Name Servers tab. To allow zone transfers only to specific DNS servers, click Only to the following servers, and add the IP address of one or more servers.
Deny all unauthorized inbound connections to TCP port 53.
Implement DNS keys and encrypted DNS payloads.
Answer: A is incorrect. The following are the countermeasures against SNMP enumeration:
1. Removing the SNMP agent or disabling the SNMP service.
2. Changing the default PUBLIC community name when 'shutting off SNMP' is not an option.
3. Implementing the Group Policy security option called Additional restrictions for anonymous connections.
4. Restricting access to NULL session pipes and NULL session shares.
5. Upgrading SNMP Version 1 to the latest version.
6. Implementing access control list filtering to allow access to the read-write community only from approved stations or subnets.
Answer: C is incorrect. NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities:
1. Null sessions require access to TCP port 139 or TCP port 445, which can be disabled by a Network Administrator.
2. A Network Administrator can also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.
3. A Network Administrator can also restrict the anonymous user by editing the registry values: a. Open regedit32, and go to HKLM\SYSTEM\CurrentControlSet\LSA. b. Choose Edit > Add Value. Value name: RestrictAnonymous. Data type: REG_DWORD. Value: 2.
Question # 10
"Enhancing the Development Life Cycle to Produce Secure Software" summarizes the tools and practices that are helpful in producing secure software. What are these tools and practices? Each correct answer represents a complete solution. Choose three.
A. Leverage attack patterns
B. Compiler security checking and enforcement
C. Tools to detect memory violations
D. Safe software libraries
E. Code for reuse and maintainability
Answer: B,C,D
Explanation: The tools and practices that are helpful in producing secure software are summarized in the report "Enhancing the Development Life Cycle to Produce Secure Software". The tools and practices are as follows: compiler security checking and enforcement; safe software libraries; tools to detect memory violations; code obfuscation. Answer: A and E are incorrect. These are secure coding principles and practices of defensive coding.
Question # 11
Information Security management is a process of defining the security controls in order to protect information assets. The first action of a management program to implement information security is to have a security program in place. What are the objectives of a security program? Each correct answer represents a complete solution. Choose all that apply.
A. Security education
B. Security organization
C. System classification
D. Information classification
Answer: A,B,D
Explanation: The first action of a management program to implement information security is to have a security program in place. The objectives of a security program are as follows:
Protect the company and its assets.
Manage risks by identifying assets, discovering threats, and estimating the risk.
Provide direction for security activities by framing information security policies, procedures, standards, guidelines, and baselines.
Information classification.
Security organization.
Security education.
Answer: C is incorrect. System classification is not one of the objectives of a security program.
Question # 12
Which of the following are the types of intellectual property? Each correct answer represents a complete solution. Choose all that apply.
A. Patent
B. Copyright
C. Standard
D. Trademark
Answer: A,B,D
Explanation: Common types of intellectual property include copyrights, trademarks, patents, industrial design rights, and trade secrets. A copyright is a form of intellectual property which secures to its holder the exclusive right to produce copies of his or her works of original expression, such as a literary work, movie, musical work or sound recording, painting, photograph, computer program, or industrial design, for a defined, yet extendable, period of time. It does not cover ideas or facts. Copyright laws protect intellectual property from misuse by other individuals. A trademark is a distinctive sign used by an individual, business organization, or other legal entity to identify to consumers that the products or services with which the trademark appears originate from a unique source, and to distinguish its products or services from those of other entities. A trademark is designated by the following symbols: ™ is for an unregistered trade mark and is used to promote or brand goods; ℠ is for an unregistered service mark and is used to promote or brand services; ® is for a registered trademark. A patent is a set of exclusive rights granted by a state to an inventor or their assignee for a limited period of time in exchange for a public disclosure of an invention. Answer: C is incorrect. A standard is not a type of intellectual property.
Question # 13
Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply.
A. Right-Up Approach
B. Left-Up Approach
C. Top-Down Approach
D. Bottom-Up Approach
Answer: C,D
Explanation: The Top-Down Approach is an approach to building a security program in which the initiation, support, and direction come from top management and work their way through middle management and then to staff members. It is treated as the best approach. This approach ensures that senior management, who is ultimately responsible for protecting the company assets, is driving the program. The Bottom-Up Approach is an approach to building a security program in which the lower-end team comes up with a security control or a program without proper management support and direction. It is less effective and doomed to fail. Answer: A and B are incorrect. No such types of approaches exist.
Question # 14
Fill in the blank with an appropriate phrase. The __________ is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.
A. Biba model
Answer: A
Explanation: The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject.
Question # 15
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of policies? Each correct answer represents a complete solution. Choose all that apply.
A. Advisory
B. Systematic
C. Informative
D. Regulatory
Answer: A,C,D
Explanation: The following are the different types of policies:
Regulatory: This type of policy ensures that the organization is following standards set by specific industry regulations. This policy type is very detailed and specific to a type of industry. It is used in financial institutions, health care facilities, public utilities, and other government-regulated industries, e.g., TRAI.
Advisory: This type of policy strongly advises employees regarding which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information, handle financial transactions, or process confidential information.
Informative: This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one to teach individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company's goals and mission, and a general reporting structure in different situations.
Answer: B is incorrect. No such type of policy exists.
Question # 16
Single Loss Expectancy (SLE) represents an organization's loss from a single threat. Which of the following formulas best describes the Single Loss Expectancy (SLE)?
A. SLE = Asset Value (AV) * Exposure Factor (EF)
B. SLE = Annualized Loss Expectancy (ALE) * Annualized Rate of Occurrence (ARO)
C. SLE = Annualized Loss Expectancy (ALE) * Exposure Factor (EF)
D. SLE = Asset Value (AV) * Annualized Rate of Occurrence (ARO)
Answer: A
Explanation: Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as follows: Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF), where the Exposure Factor represents the impact of the risk on the asset, or the percentage of the asset lost. As an example, if the Asset Value is reduced by two thirds, the exposure factor value is .66. If the asset is completely lost, the Exposure Factor is 1.0. The result is a monetary value in the same unit as the Asset Value is expressed. Answer: C, D, and B are incorrect. These are not valid formulas for SLE.
Question # 17
Security is a state of well-being of information and infrastructures in which the possibilities of successful yet undetected theft, tampering, and/or disruption of information and services are kept low or tolerable. Which of the following are the elements of security? Each correct answer represents a complete solution. Choose all that apply.
A. Integrity
B. Authenticity
C. Confidentiality
D. Availability
Answer: A,B,C,D
Explanation: The elements of security are as follows:
1. Confidentiality: The concealment of information or resources.
2. Authenticity: The identification and assurance of the origin of information.
3. Integrity: The trustworthiness of data or resources in terms of preventing improper and unauthorized changes.
4. Availability: The ability to use the information or resources as desired.
Question # 18
Which of the following steps of the LeGrand Vulnerability-Oriented Risk Management method determines the necessary compliance offered by risk management practices and assessment of risk levels?
A. Assessment, monitoring, and assurance
B. Vulnerability management
C. Risk assessment
D. Adherence to security standards and policies for development and deployment
Answer: A
Explanation: Assessment, monitoring, and assurance determines the necessary compliance that is offered by risk management practices and assessment of risk levels.
Question # 20
Security controls are safeguards or countermeasures to avoid, counteract, or minimize security risks. Which of the following are types of security controls? Each correct answer represents a complete solution. Choose all that apply.
A. Common controls
B. Hybrid controls
C. Storage controls
D. System-specific controls
Answer: A,B,D
Explanation: Security controls are safeguards or countermeasures to avoid, counteract, or minimize security risks. The following are the types of security controls for information systems that can be employed by an organization:
1. System-specific controls: These security controls provide security capability for a particular information system only.
2. Common controls: These security controls provide security capability for multiple information systems.
3. Hybrid controls: These security controls have features of both system-specific and common controls.
Answer: C is incorrect. It is an invalid control.
Question # 21
In which of the following levels of exception safety do operations succeed with full guarantee and fulfill all needs in the presence of exceptional situations?
A. Commit or rollback semantics
B. Minimal exception safety
C. Failure transparency
D. Basic exception safety
Answer: C
Explanation: Failure transparency is the best level of exception safety. At this level, operations succeed with full guarantee and fulfill all needs in the presence of exceptional situations. Failure transparency does not throw the exception further up even when an exception occurs. This level is also known as the no-throw guarantee.
Question # 22
Which of the following security-related areas are used to protect the confidentiality, integrity, and availability of federal information systems and information processed by those systems?
A. Personnel security
B. Access control
C. Configuration management
D. Media protection
E. Risk assessment
Answer: A,B,C,D,E
Explanation: The minimum security requirements cover seventeen security-related areas to protect the confidentiality, integrity, and availability of federal information systems and information processed by those systems. They are as follows: access control; awareness and training; audit and accountability; certification, accreditation, and security assessment; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; physical and environmental protection; planning; personnel security; risk assessment; systems and services acquisition; system and communications protection; system and information integrity.
Question # 23
What are the various benefits of a software interface according to the "Enhancing the Development Life Cycle to Produce Secure Software" document? Each correct answer represents a complete solution. Choose three.
A. It modifies the implementation of a component without affecting the specifications of the interface.
B. It controls the accessing of a component.
C. It displays the implementation details of a component.
D. It provides a programmatic way of communication between the components that are working with different programming languages.
Answer: A,B,D
Explanation: The benefits of a software interface are as follows:
It provides a programmatic way of communication between components that are working with different programming languages.
It prevents direct communication between components.
It allows the implementation of a component to be modified without affecting the specifications of the interface.
It hides the implementation details of a component.
It controls the accessing of a component.
Answer: C is incorrect. A software interface hides the implementation details of the component.
Question # 24
Fill in the blank with an appropriate security type. __________ applies the internal security policies of the software applications when they are deployed.
A. Programmatic security
Answer: A
Explanation: Programmatic security applies the internal security policies of the software applications when they are deployed. In this type of security, the code of the software application controls the security behavior, and authentication decisions are made based on the business logic, such as the user role or the task performed by the user in a specific security context.
Question # 26
An audit trail or audit log is a chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution of a business process or system function. Under which of the following controls does audit control come?
A. Reactive controls
B. Detective controls
C. Protective controls
D. Preventive controls
Answer: B
Explanation: An audit trail or audit log comes under detective controls. Detective controls are audit controls that do not need to be restricted. Any control that performs a monitoring activity can likely be defined as a detective control. For example, it is possible that mistakes, either intentional or unintentional, can be made. Therefore, an additional protective control is that these companies must have their financial results audited by an independent Certified Public Accountant. The role of this accountant is to act as an auditor. In fact, any auditor acts as a detective control. If the organization in question has not properly followed the rules, a diligent auditor should be able to detect the deficiency, which indicates that some control somewhere has failed.
Answer: A is incorrect. Reactive or corrective controls typically work in response to a detective control, responding in such a way as to alert or otherwise correct an unacceptable condition. Using the example of accounting rules, either the internal Audit Committee or the SEC itself, based on the report generated by the external auditor, will take some corrective action. In this way, they are acting as a corrective or reactive control.
Answer: C and D are incorrect. Protective or preventative controls serve to proactively define and possibly enforce acceptable behaviors. As an example, a set of common accounting rules is defined and must be followed by any publicly traded company. Each quarter, any particular company must publicly state its current financial standing and accounting as reflected by an application of these rules. These accounting rules and the SEC requirements serve as protective or preventative controls.
Question # 27
Which of the following concepts represent the three fundamental principles of information security? Each correct answer represents a complete solution. Choose three.
A. Privacy
B. Availability
C. Integrity
D. Confidentiality
Answer: B,C,D
Explanation: The following concepts represent the three fundamental principles of information security: 1. Confidentiality 2. Integrity 3. Availability. Answer: B is incorrect. Privacy, authentication, accountability, authorization, and identification are also concepts related to information security, but they do not represent the fundamental principles of information security.
Question # 28
Which of the following DoD policies establishes policies and assigns responsibilities toachieve DoD IA through a defense-in-depth approach that integrates the capabilities ofpersonnel, operations, and technology, and supports the evolution to network-centricwarfare?
A. DoDI 5200.40 B. DoD 8500.1 Information Assurance (IA) C. DoD 8510.1-M DITSCAP D. DoD 8500.2 Information Assurance Implementation
Answer: B
Explanation: DoD 8500.1 Information Assurance (IA) sets up policies and allots
responsibilities to achieve DoD IA through a defense-in-depth approach that integrates the
capabilities of personnel, operations, and technology, and supports the evolution to
network-centric warfare. DoD 8500.1 also summarizes the roles and responsibilities for the
persons responsible for carrying out the IA policies. Answer: D is incorrect. DoD
8500.2 Information Assurance Implementation follows 8500.1. It provides guidance on
how to implement policy, assigns responsibilities, and prescribes procedures for applying
integrated, layered protection of the DoD information systems and networks. DoD
Instruction 8500.2 allots tasks and sets procedures for applying integrated, layered
protection of the DoD information systems and networks in accordance with the DoD
8500.1 policy. It also provides some important guidelines on how to implement an IA
program. Answer: A is incorrect. DoDI 5200.40 executes the policy, assigns
responsibilities, and recommends procedures for Certification and
Accreditation (C&A) of information technology (IT). Answer: C is incorrect. DoD 8510.1-M
DITSCAP provides standardized activities leading to accreditation, and establishes a process and management baseline.
Question # 29
Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. Which of the following is violated in a shoulder surfing attack?
A. Integrity B. Availability C. Confidentiality D. Authenticity
Answer: C
Explanation: Confidentiality is violated in a shoulder surfing attack. The CIA triad provides
the following three tenets against which security practices are measured: Confidentiality: It is
the property of preventing disclosure of information to unauthorized individuals or systems.
Breaches of confidentiality take many forms. Permitting someone to look over your
shoulder at your computer screen while you have confidential data displayed on it could be
a breach of confidentiality. If a laptop computer containing sensitive information about a
company's employees is stolen or sold, it could result in a breach of confidentiality.
Integrity: It means that data cannot be modified without authorization. Integrity is violated
when an employee accidentally or with malicious intent deletes important data files, when a
computer virus infects a computer, when an employee is able to modify his own salary in a
payroll database, when an unauthorized user vandalizes a web site, when someone is able
to cast a very large number of votes in an online poll, and so on. Availability: It means that
data must be available whenever it is needed. Answer: D is incorrect. Authenticity
is not a tenet of the CIA triad.
Question # 30
You work as a Security Manager for Tech Perfect Inc. You want to save all the data from the SQL injection attack, which can read sensitive data from the database and modify database data using some commands, such as Insert, Update, and Delete. Which of the following tasks will you perform? Each correct answer represents a complete solution. Choose three.
A. Apply maximum number of database permissions. B. Use an encapsulated library for accessing databases. C. Create parameterized stored procedures. D. Create parameterized queries by using bound and typed parameters.
Answer: B,C,D
Explanation: The methods of mitigating SQL injection attacks are as follows: 1. Create
parameterized queries by using bound and typed parameters. 2. Create parameterized
stored procedures. 3. Use an encapsulated library in order to access databases. 4. Minimize
database permissions. Answer: A is incorrect. In order to save all the data from the SQL
injection attack, you should minimize database permissions, not maximize them.
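The following is an added example, not part of the study guide, showing mitigation 1 above (bound and typed parameters) beside the string-concatenation pattern it replaces. It uses Python's standard sqlite3 module against a small constructed in-memory table; the table, names and roles are made up for the demonstration, and the least-privilege mitigation (4) is not shown because SQLite has no permission model.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table standing in for the
    # application's real database. Rows get ids 1, 2, 3 in insertion order.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    # The pattern the question warns about: the caller's input is spliced
    # into the SQL text, so quote characters in `name` rewrite the query.
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Mitigation: a bound parameter. The driver ships the value separately
    # from the SQL text, so whatever `name` contains is compared as data.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_by_id_typed(conn, user_id):
    # Typed parameter: enforce the expected type before binding, so a
    # string that merely looks like a number never reaches the database.
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        raise TypeError("user_id must be an int")
    return conn.execute(
        "SELECT id, name, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # constructed input that is not a real name
    print("unsafe:", lookup_unsafe(db, tautology))  # returns every row
    print("safe:  ", lookup_safe(db, tautology))    # returns nothing
    print("typed: ", lookup_by_id_typed(db, 2))
```

With the same non-name input, the concatenated query returns the whole table while the bound-parameter query matches no row, which is the difference the question's mitigations exist to produce.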
Question # 31
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
A. Exploit B. Mitigation C. Transference D. Avoidance
Answer: C
Explanation: When you hire a third party to own a risk, it is known as the transference risk
response. Transference is a strategy to mitigate negative risks or threats. In this strategy,
the consequences and the ownership of a risk are transferred to a third party. This strategy does
not eliminate the risk but transfers responsibility for managing the risk to another party.
Insurance is an example of transference. Answer: B is incorrect. The act of spending
money to reduce a risk probability and impact is known as mitigation. Answer: A is
incorrect. Exploit is a strategy that may be selected for risks with positive impacts where
the organization wishes to ensure that the opportunity is realized. Answer: D is incorrect.
When extra activities are introduced into the project to avoid the risk, this is an example of
avoidance.
Question # 32
Which of the following statements about the integrity concept of information security management are true? Each correct answer represents a complete solution. Choose three.
A. It ensures that unauthorized modifications are not made to data by authorized personnel or processes. B. It determines the actions and behaviors of a single individual within a system. C. It ensures that internal information is consistent among all subentities and also consistent with the real-world, external situation. D. It ensures that modifications are not made to data by unauthorized personnel or processes.
Answer: A,C,D
Explanation: The following statements about the integrity concept of information security
management are true: It ensures that modifications are not made to data by unauthorized
personnel or processes. It ensures that unauthorized modifications are not made to data by
authorized personnel or processes. It ensures that internal information is consistent among
all subentities and also consistent with the real-world, external situation. Answer: B is
incorrect. Accountability determines the actions and behaviors of an individual within a
system, and identifies that particular individual. Audit trails and logs support accountability.
Question # 33
You work as a security manager for BlueWell Inc. You are performing the external vulnerability testing, or penetration testing, to get a better snapshot of your organization's security posture. Which of the following penetration testing techniques will you use for searching paper disposal areas for unshredded or otherwise improperly disposed-of reports?
A. Sniffing B. Scanning and probing C. Dumpster diving D. Demon dialing
Answer: C
Explanation: The dumpster diving technique is used for searching paper disposal areas for
unshredded or otherwise improperly disposed-of reports. Answer: B is incorrect. In the
scanning and probing technique, various scanners, such as a port scanner, can reveal
information about a network's infrastructure and enable an intruder to access the network's
unsecured ports. Answer: D is incorrect. The demon dialing technique automatically tests every
phone line in an exchange to try to locate modems that are attached to the network.
Answer: A is incorrect. In the sniffing technique, a protocol analyzer can be used to capture data
packets that are later decoded to collect information such as passwords or infrastructure
configurations.
Question # 34
Which of the following models manages the software development process if the developers are limited to go back only one stage to rework?
A. Waterfall model B. Spiral model C. RAD model D. Prototyping model
Answer: A
Explanation: In the waterfall model, software development can be managed if the
developers are limited to go back only one stage to rework. If this limitation is not imposed
mainly on a large project with several team members, then any developer can be working
on any phase at any time, and the required rework might be accomplished several times.
Answer: B is incorrect. The spiral model is a software development process combining
elements of both design and prototyping-in-stages, in an effort to combine advantages of
top-down and bottom-up concepts. The basic principles of the spiral model are as follows:
The focus is on risk assessment and minimizing project risks by breaking a project into
smaller segments and providing more ease-of-change during the development process, as
well as providing the opportunity to evaluate risks and weigh consideration of project
continuation throughout the life cycle. Each cycle involves a progression through the same
sequence of steps, for each portion of the product and for each of its levels of elaboration,
from an overall concept-of-operation document down to the coding of each individual
program. Each trip around the spiral traverses the following four basic quadrants:
Determine objectives, alternatives, and constraints of the iteration. Evaluate alternatives,
and identify and resolve risks. Develop and verify deliverables from the iteration. Plan the
next iteration.
Begin each cycle with an identification of stakeholders and their win conditions, and end
each cycle with review and commitment. Answer: D is incorrect. The Prototyping model is a
systems development method (SDM). In this model, a prototype is created, tested, and
then reworked as necessary until an adequate prototype is finally achieved from which the
complete system or product can now be developed. Answer: C is incorrect. Rapid
Application Development (RAD) refers to a type of software development methodology that
uses minimal planning in favor of rapid prototyping.
Question # 35
Which of the following is NOT a responsibility of a data owner?
A. Approving access requests B. Ensuring that the necessary security controls are in place C. Delegating responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian D. Maintaining and protecting data
Answer: D
Explanation: Maintaining and protecting data is not a responsibility of a data owner. The data custodian (information
custodian) is responsible for maintaining and protecting the data.
Answer: B, A, and C are incorrect. All of these are responsibilities of a data owner. The
roles and responsibilities of a data owner are as follows: The data owner (information
owner) is usually a member of management, in charge of a specific business unit, and is
ultimately responsible for the protection and use of a specific subset of information. The
data owner decides upon the classification of the data that he is responsible for and alters
that classification if the business needs arise. This person is also responsible for ensuring
that the necessary security controls are in place, ensuring that proper access rights are
being used, defining security requirements per classification and backup requirements,
approving any disclosure activities, and defining user access criteria. The data owner
approves access requests or may choose to delegate this function to business unit
managers. And it is the data owner who will deal with security violations pertaining to the
data he is responsible for protecting. The data owner, who obviously has enough on his
plate, delegates responsibility of the day-to-day maintenance of the data protection