[Free] New Updated (October) ISC SSCP Real Exam 261-270


 

QUESTION 261

Which of the following are the steps usually followed in the development of documents such as security policy, standards and procedures?

 

A.

design, development, publication, coding, and testing.

B.

design, evaluation, approval, publication, and implementation.

C.

initiation, evaluation, development, approval, publication, implementation, and maintenance.

D.

feasibility, development, approval, implementation, and integration.

 

Correct Answer: C

Explanation:

The common steps used in the development of security policy are initiation of the project, evaluation, development, approval, publication, implementation, and maintenance. The other choices listed are the phases of the software development life cycle and not the steps used to develop documents such as policies, standards, etc.

 

Reference:

TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 3, 2002, Auerbach Publications.

 

 

QUESTION 262

Which of the following would be the best criterion to consider in determining the classification of an information asset?

 

A.

Value

B.

Age

C.

Useful life

D.

Personal association

 

Correct Answer: A

Explanation:

Information classification should be based on the value of the information to the organization and its sensitivity (reflection of how much damage would accrue due to disclosure).

 

Age is incorrect. While age might be a consideration in some cases, the guiding principles should be value and sensitivity.

 

Useful life is incorrect. While useful lifetime is relevant to how long data protections should be applied, the classification is based on information value and sensitivity.

 

Personal association is incorrect. Information classification decisions should be based on the value of the information and its sensitivity.

 

References

CBK, pp. 101 – 102.

 

 

QUESTION 263

A security evaluation report and an accreditation statement are produced in which of the following phases of the system development life cycle?

 

A.

project initiation and planning phase

B.

system design specification phase

C.

development & documentation phase

D.

acceptance phase

 

Correct Answer: D

Explanation:

The correct answer is “acceptance phase”. Note that the question asks about an “evaluation report”, which details how the system was evaluated, and an “accreditation statement”, which describes the level at which the system is allowed to operate. Because those two activities are a part of testing, and testing is a part of the acceptance phase, the only answer above that can be correct is “acceptance phase”.

 

The other answers are not correct because:

 

The “project initiation and planning phase” is just the idea phase. Nothing has been developed yet to be evaluated, tested, accredited, etc.

 

The “system design specification phase” is essentially where the initiation and planning phase is fleshed out. For example, in the initiation and planning phase, we might decide we want the system to have authentication. In the design specification phase, we decide that authentication will be accomplished via username/password. But there is still nothing actually developed at this point to evaluate or accredit.

 

The “development & documentation phase” is where the system is created and documented. Part of the documentation includes specific evaluation and accreditation criteria. Those are the criteria that will be used to evaluate and accredit the system during the “acceptance phase”.

 

In other words, you cannot evaluate or accredit a system that has not been created yet. Of the four answers listed, only the acceptance phase deals with an existing system. The others deal with planning and creating the system, but the actual system isn’t there yet.

 

Reference:

Official ISC2 Guide Page: 558 – 559

All in One Third Edition page: 832 – 833 (recommended reading)

 

 

QUESTION 264

Which of the following is less likely to be included in the change control sub-phase of the maintenance phase of a software product?

 

A.

Estimating the cost of the changes requested

B.

Recreating and analyzing the problem

C.

Determining the interface that is presented to the user

D.

Establishing the priorities of requests

 

Correct Answer: D

Explanation:

The change control sub-phase includes recreating and analyzing the problem, determining the interface that is presented to the user, and establishing the priorities of requests.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and Systems Development (page 252).

 

 

QUESTION 265

Which of the following should NOT be performed by an operator?

 

A.

Implementing the initial program load

B.

Monitoring execution of the system

C.

Data entry

D.

Controlling job flow

 

Correct Answer: C

Explanation:

Under the principle of separation of duties, an operator should not be performing data entry. This should be left to data entry personnel.

 

System operators represent a class of users typically found in data center environments where mainframe systems are used. They provide day-to-day operations of the mainframe environment, ensuring that scheduled jobs are running effectively and troubleshooting problems that may arise. They also act as the arms and legs of the mainframe environment, loading and unloading tapes and collecting the printed results of job runs. Operators have elevated privileges, but less than those of system administrators. If misused, these privileges may be used to circumvent the system’s security policy. As such, use of these privileges should be monitored through audit logs.

 

Some of the privileges and responsibilities assigned to operators include:

 

Implementing the initial program load: This is used to start the operating system. The boot process or initial program load of a system is a critical time for ensuring system security. Interruptions to this process may reduce the integrity of the system or cause the system to crash, precluding its availability.

 

Monitoring execution of the system: Operators respond to various events, to include errors, interruptions, and job completion messages.

 

Volume mounting: This allows the desired application access to the system and its data.

 

Controlling job flow: Operators can initiate, pause, or terminate programs. This may allow an operator to affect the scheduling of jobs. Controlling job flow involves the manipulation of configuration information needed by the system. Operators with the ability to control a job or application can cause output to be altered or diverted, which can threaten confidentiality.

 

Bypass label processing: This allows the operator to bypass security label information to run foreign tapes (foreign tapes are those from a different data center that would not be using the same label format that the system could run). This privilege should be strictly controlled to prevent unauthorized access.

 

Renaming and relabeling resources: This is sometimes necessary in the mainframe environment to allow programs to properly execute. Use of this privilege should be monitored, as it can allow the unauthorized viewing of sensitive information.

 

Reassignment of ports and lines: Operators are allowed to reassign ports or lines. If misused, reassignment can cause program errors, such as sending sensitive output to an unsecured location. Furthermore, an incidental port may be opened, subjecting the system to an attack through the creation of a new entry point into the system.

 

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 19367-19395). Auerbach Publications. Kindle Edition.

 

 

QUESTION 266

Which of the following is not a responsibility of an information (data) owner?

 

A.

Determine what level of classification the information requires.

B.

Periodically review the classification assignments against business needs.

C.

Delegate the responsibility of data protection to data custodians.

D.

Running regular backups and periodically testing the validity of the backup data.

 

Correct Answer: D

Explanation:

This responsibility would be delegated to a data custodian rather than being performed directly by the information owner.

 

“Determine what level of classification the information requires” is incorrect. This is one of the major responsibilities of an information owner.

 

“Periodically review the classification assignments against business needs” is incorrect. This is one of the major responsibilities of an information owner.

 

“Delegates responsibility of maintenance of the data protection mechanisms to the data custodian” is incorrect. This is a responsibility of the information owner.

 

References:

CBK p. 105.

AIO3, p. 53-54, 960

 

 

QUESTION 267

Which of the following is an advantage of prototyping?

 

A.

Prototype systems can provide significant time and cost savings.

B.

Change control is often less complicated with prototype systems.

C.

It ensures that functions or extras are not added to the intended system.

D.

Strong internal controls are easier to implement.

 

Correct Answer: A

Explanation:

Prototype systems can provide significant time and cost savings, however they also have several disadvantages. They often have poor internal controls, change control becomes much more complicated and it often leads to functions or extras being added to the system that were not originally intended.

 

Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 306).

 

 

QUESTION 268

Which of the following is not a component of an Operations Security “triple”?

 

A.

Asset

B.

Threat

C.

Vulnerability

D.

Risk


Correct Answer: D

Explanation:

The Operations Security domain is concerned with triples: threats, vulnerabilities and assets.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 216.

 

 

QUESTION 269

Which of the following BEST explains why computerized information systems frequently fail to meet the needs of users?

 

A.

Inadequate quality assurance (QA) tools.

B.

Constantly changing user needs.

C.

Inadequate user participation in defining the system’s requirements.

D.

Inadequate project management.

 

Correct Answer: C

Explanation:

Inadequate user participation in defining the system’s requirements. Most projects fail to meet the needs of the users because there was inadequate input from the user community in the initial steps of the project about what their needs really are.

 

The other answers, while potentially valid, are incorrect because they do not represent the most common problem associated with information systems failing to meet the needs of users.

 

References:

All in One pg 834

Only users can define what their needs are and, therefore, what the system should accomplish. Lack of adequate user involvement, especially in the systems requirements phase, will usually result in a system that doesn’t fully or adequately address the needs of the user.

 

Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 296).

 

 

QUESTION 270

What can best be defined as the sum of protection mechanisms inside the computer, including hardware, firmware and software?

 

A.

Trusted system

B.

Security kernel

C.

Trusted computing base

D.

Security perimeter

 

Correct Answer: C

Explanation:

The Trusted Computing Base (TCB) is defined as the total combination of protection mechanisms within a computer system. The TCB includes hardware, software, and firmware. These are part of the TCB because the system relies on these components to enforce the security policy and not violate it.

 

The security kernel is made up of the hardware, software, and firmware components that fall within the TCB and implements and enforces the reference monitor concept.

 

Reference:

AIOv4 Security Models and Architecture pgs 268, 273
