[Free] New Updated (October) ISC SSCP Real Exam 111-120

Ensurepass

 

QUESTION 111

In regards to information classification, what is the main responsibility of the information (data) owner?

 

A. determining the data sensitivity or classification level
B. running regular data backups
C. audit the data users
D. periodically check the validity and accuracy of the data

 

Correct Answer: A

Explanation:

Making the determination to decide what level of classification the information requires is the main responsibility of the data owner.

 

The data owner within classification is a person from Management who has been entrusted with a data set that belongs to the company. It could be, for example, the Chief Financial Officer (CFO) who has been entrusted with all financial data, or the Human Resource Director who has been entrusted with all Human Resource data. The information owner will decide what classification will be applied to the data based on the Confidentiality, Integrity, Availability, Criticality, and Sensitivity of the data.

 

The Custodian is the technical person who will implement the proper classification on objects in accordance with the Data Owner's decision. The custodian DOES NOT decide what classification to apply; it is the Data Owner who dictates to the Custodian which classification to apply.

 

NOTE:

The term Data Owner is also used within Discretionary Access Control (DAC). Within DAC it means the person who has created an object. For example, if I create a file on my system then I am the owner of the file and I can decide who else could get access to the file. It is left to my discretion. Within DAC access is granted based solely on the Identity of the subject, this is why sometimes DAC is referred to as Identity Based Access Control.

 

The other choices were not the best answer:

Running regular backups is the responsibility of the custodian. Auditing the data users is the responsibility of the auditors. Periodically checking the validity and accuracy of the data is not one of the data owner's responsibilities.

 

Reference(s) used for this question:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 14, Chapter 1: Security Management Practices.

 

 

QUESTION 112

Which of the following are additional access control objectives?

 

A. Consistency and utility
B. Reliability and utility
C. Usefulness and utility
D. Convenience and utility

 

Correct Answer: B

Explanation:

Availability assures that a system’s authorized users have timely and uninterrupted access to the information in the system. The additional access control objectives are reliability and utility. These and other related objectives flow from the organizational security policy. This policy is a high-level statement of management intent regarding the control of access to information and the personnel who are authorized to receive that information. Three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system’s vulnerability to these threats, and the risk that the threat may materialize.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32.

 

 

QUESTION 113

Which of the following models does NOT include data integrity or conflict of interest?

 

A. Biba
B. Clark-Wilson
C. Bell-LaPadula
D. Brewer-Nash

 

Correct Answer: C

Explanation:

Bell LaPadula model (Bell 1975): The granularity of objects and subjects is not predefined, but the model prescribes simple access rights. Based on simple access restrictions the Bell LaPadula model enforces a discretionary access control policy enhanced with mandatory rules. Applications with rigid confidentiality requirements and without strong integrity requirements may properly be modeled.

 

These simple rights combined with the mandatory rules of the policy considerably restrict the spectrum of applications which can be appropriately modeled.

 

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

Also check:

Proceedings of the IFIP TC11 12th International Conference on Information Security, Samos (Greece), May 1996, On Security Models.

 

 

QUESTION 114

Which of the following best ensures accountability of users for the actions taken within a system or domain?

 

A. Identification
B. Authentication
C. Authorization
D. Credentials

 

Correct Answer: B

Explanation:

The only way to ensure accountability is if the subject is uniquely identified and authenticated. Identification alone does not provide proof that the user is who they claim to be. After presenting proper credentials, a user is authorized access to resources.

 

References:

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 126).

 

 

QUESTION 115

Access Control techniques do not include which of the following?

 

A. Rule-Based Access Controls
B. Role-Based Access Control
C. Mandatory Access Control
D. Random Number Based Access Control

 

Correct Answer: D

Explanation:

Access control techniques include:

Discretionary Access Control
Mandatory Access Control
Lattice-Based Access Control
Rule-Based Access Control
Role-Based Access Control

Source: DUPUIS, Clement, Access Control Systems and Methodology, Version 1, May 2002, CISSP Open Study Group Study Guide for Domain 1, Page 13.

 

 

QUESTION 116

Which of the following was developed by the National Computer Security Center (NCSC) for the US Department of Defense?

 

A. TCSEC
B. ITSEC
C. DIACAP
D. NIACAP

 

Correct Answer: A

Explanation:

The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications.

 

Initially issued in 1983 by the National Computer Security Center (NCSC), an arm of the National Security Agency, and then updated in 1985, TCSEC was replaced by the Common Criteria international standard, originally published in 2005.

 

References:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 197-199.

 

Wikipedia

http://en.wikipedia.org/wiki/TCSEC


QUESTION 117

Which of the following access control models requires security clearance for subjects?

 

A. Identity-based access control
B. Role-based access control
C. Discretionary access control
D. Mandatory access control

 

Correct Answer: D

Explanation:

With mandatory access control (MAC), the authorization of a subject's access to an object is dependent upon labels, which indicate the subject's clearance. Identity-based access control is a type of discretionary access control. Role-based access control is a type of non-discretionary access control.

 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

 

 

QUESTION 118

What is the name of the first mathematical model of a multi-level security policy used to define the concept of a secure state, the modes of access, and rules for granting access?

 

A. Clark and Wilson Model
B. Harrison-Ruzzo-Ullman Model
C. Rivest and Shamir Model
D. Bell-LaPadula Model

 

Correct Answer: D

Explanation:

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

 

QUESTION 119

Logical or technical controls involve the restriction of access to systems and the protection of information. Which of the following statements pertaining to these types of controls is correct?

 

A. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks but do not include a review of vacation history, and also do not include increased supervision.
B. Examples of these types of controls do not include encryption, smart cards, access lists, and transmission protocols.
C. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
D. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation history, and increased supervision.

 

Correct Answer: C

Explanation:

Logical or technical controls involve the restriction of access to systems and the protection of information. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

 

 

QUESTION 120

Technical controls such as encryption and access control can be built into the operating system, be software applications, or can be supplemental hardware/software units. Such controls, also known as logical controls, represent which pairing?

 

A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Technical Pairing

 

Correct Answer: B

Explanation:

Preventive/Technical controls are also known as logical controls and can be built into the operating system, be software applications, or can be supplemental hardware/software units.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.
