[Free] New Updated (October) ISC SSCP Real Exam 271-280


 

QUESTION 271

Which of the following is defined as confirming that users’ needs have been met by the supplied solution?

 

A.

Accreditation

B.

Certification

C.

Assurance

D.

Acceptance

 

Correct Answer: D

Explanation:

Acceptance confirms that users’ needs have been met by the supplied solution. Verification and validation inform acceptance by establishing the evidence, set against the acceptance criteria, needed to determine whether the solution meets the users’ needs. Acceptance should also explicitly address any integration or interoperability requirements involving other equipment or systems. To enable acceptance, every user and system requirement must have a testable characteristic.

 

Accreditation is the formal acceptance of a system’s security adequacy, its authorization for operation and acceptance of the existing risk. Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an information system (IS) is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

 

Certification is the formal testing of security safeguards, while assurance is the degree of confidence that the implemented security measures work as intended. Certification is a comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.

 

Assurance describes the measures taken during development and evaluation of a product to give confidence that it complies with its claimed security functionality. For example, an evaluation may require that all source code be kept in a change management system, or that full functional testing be performed. The Common Criteria provides a catalogue of such assurance requirements, and the requirements may vary from one evaluation to the next. The requirements for a particular target or for a type of product are documented in a Security Target (ST) or a Protection Profile (PP), respectively.

 

Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 4, August 1999.

Official ISC2 Guide to the CISSP CBK, Second Edition, on page 211.

http://www.aof.mod.uk/aofcontent/tactical/randa/content/randaintroduction.htm

 

 

QUESTION 272

Who should DECIDE how a company should approach security and what security measures should be implemented?

 

A.

Senior management

B.

Data owner

C.

Auditor

D.

The information security specialist

 

Correct Answer: A

Explanation:

Senior management is responsible for the security of the organization and the protection of its assets.

 

The following answers are incorrect:

 

Data owner is incorrect because data owners do not decide what security measures should be applied across the company.

 

Auditor is incorrect because an auditor cannot decide what security measures should be applied.

 

The information security specialist is incorrect because, although they may have the technical knowledge of how security measures should be implemented and configured, they should not be in a position to decide what measures should be applied.

 

Reference:

Shon Harris, CISSP All-in-One Exam Guide, 3rd Edition, Chapter 3: Security Management Practices, page 51.

 

 

QUESTION 273

A channel within a computer system or network that is designed for the authorized transfer of information is identified as a(n)?

 

A.

Covert channel

B.

Overt channel

C.

Opened channel

D.

Closed channel

 

Correct Answer: B

Explanation:

An overt channel is a path within a computer system or network that is designed for the authorized transfer of data. The opposite would be a covert channel which is an unauthorized path.

 

A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system’s security policy.

 

All of the other choices are bogus distractors.

 

Reference(s) used for this question:

 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, page 219.

Harris, Shon, CISSP All-in-One Exam Guide, 6th Edition, McGraw-Hill, 2012, page 380.

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 378). McGraw-Hill. Kindle Edition.
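The covert channel described above, as an added example that is not part of the original exam explanation: a storage covert channel built on file names in a shared directory. Two processes that policy forbids from communicating share a directory; the high side may create files there and the low side may only list names. Access control protects file contents, but nobody treated file existence as data, so it is exactly the kind of unmediated path the explanation calls a covert channel. The shared directory, the file-name scheme and the message are constructed for this example.

```python
"""Storage covert channel through file names (added example, not from the page).

Assumptions (constructed for the demonstration): a shared local directory,
one empty file per bit position named 'tmp.<i>', and a marker file
'tmp.done.<nbits>' that publishes the length through its name alone.
"""
import os
import tempfile
from typing import List


def encode_bits(message: bytes) -> List[int]:
    """Bytes -> list of bits, most significant bit first."""
    return [(b >> s) & 1 for b in message for s in range(7, -1, -1)]


def decode_bits(bits: List[int]) -> bytes:
    """Inverse of encode_bits; any trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def covert_send(shared_dir: str, message: bytes) -> int:
    """High side: for bit i, create an empty file 'tmp.<i>' iff the bit is 1.

    The files are empty and could even be unreadable (mode 000): the
    receiver never opens them. The marker 'tmp.done.<nbits>' tells the
    receiver how many bit positions to inspect. Returns the bit count.
    """
    bits = encode_bits(message)
    for i, bit in enumerate(bits):
        if bit:
            open(os.path.join(shared_dir, f"tmp.{i}"), "wb").close()
    open(os.path.join(shared_dir, f"tmp.done.{len(bits)}"), "wb").close()
    return len(bits)


def covert_receive(shared_dir: str) -> bytes:
    """Low side: recover the message from a directory listing only."""
    names = set(os.listdir(shared_dir))
    markers = [n for n in names if n.startswith("tmp.done.")]
    if not markers:
        raise RuntimeError("sender has not finished")
    nbits = int(markers[0].rsplit(".", 1)[1])
    bits = [1 if f"tmp.{i}" in names else 0 for i in range(nbits)]
    return decode_bits(bits)


def demo(message: bytes = b"secret") -> bytes:
    """Run sender and receiver over a fresh temporary shared directory."""
    with tempfile.TemporaryDirectory() as shared:
        covert_send(shared, message)
        return covert_receive(shared)


if __name__ == "__main__":
    print(demo(b"secret"))  # prints b'secret'
```

The low side never opens a file, so per-file permissions are irrelevant; the control that closes this channel sits on the namespace (a directory the low side cannot list, or private per-process directories), which is why covert channel analysis has to consider every shared resource a process can observe, not only the data it is allowed to read.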

 

 

QUESTION 274

Who must bear the primary responsibility for determining the level of protection needed for information systems resources?

 

A.

IS security specialists

B.

Senior Management

C.

Senior security analysts

D.

Systems auditors

 

Correct Answer: B

Explanation:

If there is no support from senior management to implement, execute and enforce security policies and procedures, they will not work. Senior management must be involved because they have an obligation to the organization to protect its assets. The requirement here is for management to show “due diligence” in establishing an effective compliance or security program. It is senior management that could face legal repercussions if sufficient controls are not in place.

 

The following answers are incorrect:

 

IS security specialists is incorrect because it is not the best answer. Senior management bears the primary responsibility for determining the level of protection needed.

Senior security analysts is incorrect because it is not the best answer, for the same reason.

Systems auditors is incorrect because it is not the best answer; systems auditors are responsible for verifying that the controls in place are effective, while senior management bears the primary responsibility for determining the level of protection needed.

 

 

QUESTION 275

What is used to protect programs from all unauthorized modification or executional interference?

 

A.

A protection domain

B.

A security perimeter

C.

Security labels

D.

Abstraction

 

Correct Answer: A

Explanation:

A protection domain consists of the execution and memory space assigned to each process. The purpose of establishing a protection domain is to protect programs from all unauthorized modification or executional interference. The security perimeter is the boundary that separates the Trusted Computing Base (TCB) from the remainder of the system. Security labels are assigned to resources to denote a classification. Abstraction protects resources by viewing system components at a high level and ignoring their specific details, thus performing information hiding.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architecture and Models, page 193.

 

 

QUESTION 276

In an organization, an Information Technology security function should:

 

A.

Be a function within the information systems function of an organization.

B.

Report directly to a specialized business unit such as legal, corporate security or insurance.

C.

Be led by a Chief Security Officer and report directly to the CEO.

D.

Be independent but report to the Information Systems function.

 

Correct Answer: C

Explanation:

In order to have more independence and get more attention from management, an IT security function should be independent from IT and report directly to the CEO. Having it report to a specialized business unit (e.g. legal) is not recommended, as it promotes a low-technology view of the function and leads people to believe that it is someone else’s problem.

Source: HARE, Chris, Security Management Practices, CISSP Open Study Guide, version 1.0, April 1999.

 

 

QUESTION 277

In what way could Java applets pose a security threat?

 

A.

Their transport can interrupt the secure distribution of World Wide Web pages over the Internet by removing SSL and S-HTTP

B.

Java interpreters do not provide the ability to limit system access that an applet could have on a client system.

C.

Executables from the Internet may attempt an intentional attack when they are downloaded on a client system.

D.

Java does not check the bytecode at runtime or provide other safety mechanisms for program isolation from the client system.

 

Correct Answer: C

Explanation:

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

 

QUESTION 278

Which of the following is NOT a basic component of security architecture?

 

A.

Motherboard

B.

Central Processing Unit (CPU)

C.

Storage Devices

D.

Peripherals (input/output devices)

 

Correct Answer: A

Explanation:

The CPU, storage devices and peripherals each have specialized roles in the security architecture. The CPU, or microprocessor, is the brains behind a computer system and performs calculations as it solves problems and performs system tasks. Storage devices provide both long- and short-term storage of information that the CPU has either processed or may process. Peripherals (scanners, printers, modems, etc.) are devices that either input data or receive the data output by the CPU.

 

The motherboard is the main circuit board of a microcomputer and contains the connectors for attaching additional boards. Typically, the motherboard contains the CPU, BIOS, memory, mass storage interfaces, serial and parallel ports, expansion slots, and all the controllers required to control standard peripheral devices.

 

Reference(s) used for this question:

TIPTON, Harold F., The Official (ISC)2 Guide to the CISSP CBK (2007), page 308.

 

 

QUESTION 279

Who is responsible for initiating corrective measures and capabilities used when there are security violations?

 

A.

Information systems auditor

B.

Security administrator

C.

Management

D.

Data owners

 

Correct Answer: C

Explanation:

Management is responsible for protecting all assets that are directly or indirectly under their control.

They must ensure that employees understand their obligations to protect the company’s assets, and implement security in accordance with the company policy. Finally, management is responsible for initiating corrective actions when there are security violations.

Source: HARE, Chris, Security Management Practices, CISSP Open Study Guide, version 1.0, April 1999.

 

 

QUESTION 280

A ‘Pseudo flaw’ is which of the following?

 

A.

An apparent loophole deliberately implanted in an operating system program as a trap for intruders.

B.

An omission when generating pseudo-code.

C.

Used for testing for bounds violations in application programming.

D.

A normally generated page fault causing the system to halt.

 

Correct Answer: A

Explanation:

A Pseudo flaw is something that looks like it is vulnerable to attack, but really acts as an alarm or triggers automatic actions when an intruder attempts to exploit the flaw.

 

The following answers are incorrect:

 

An omission when generating pseudo-code is incorrect because it is a distractor.

Used for testing for bounds violations in application programming is incorrect; this describes a testing methodology, not a pseudo flaw.

A normally generated page fault causing the system to halt is incorrect because it is a distractor.
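The tripwire described above, as an added example that is not part of the original exam explanation: a small request handler with decoy paths that look like deployment mistakes, plus a honeytoken credential planted in one of them. Nothing legitimate links to the decoys, so a request for one is itself the intrusion signal; the decoy still answers with plausible content so the intruder is not tipped off, and the alert goes to a separate record. The paths, responses, addresses and credentials are constructed for this example, and the in-process handler is a stand-in for a real web framework.

```python
"""Pseudo flaw / honeytoken tripwire (added example, not from the page).

Everything here is constructed: decoy paths, fake .env content, the
honeytoken password, the real user table and the client addresses.
"""
from typing import Dict, List, Tuple

Response = Tuple[int, bytes]

# The honeytoken password is valid nowhere; it exists only inside the decoy .env.
HONEYTOKEN_PASSWORD = "Sup3rS3cret!"

# Decoys: resources a scanner probes for, never linked from the real site.
DECOYS: Dict[str, Response] = {
    "/backup.zip": (200, b"PK\x03\x04" + b"\x00" * 26),  # fake zip header
    "/.env": (200, b"DB_USER=app\nDB_PASSWORD=" + HONEYTOKEN_PASSWORD.encode() + b"\n"),
    "/phpmyadmin/": (401, b"Unauthorized"),
}
REAL: Dict[str, Response] = {
    "/": (200, b"<html>welcome</html>"),
    "/login": (200, b"<form>...</form>"),
}
# Real credentials (constructed). The honeytoken is deliberately NOT here.
USERS = {"app": "correct-horse-battery-staple"}


def _alert(alerts: List[dict], src: str, reason: str, detail: str, now: float) -> None:
    """Append an alert record; in production this goes to the SIEM, not the client."""
    alerts.append({"ts": now, "src": src, "severity": "high",
                   "reason": reason, "detail": detail})


def handle_request(path: str, src: str, alerts: List[dict], now: float = 0.0) -> Response:
    """Serve a GET. A decoy path returns its plausible content AND raises an
    alert; the HTTP response itself gives the intruder nothing unusual."""
    if path in DECOYS:
        _alert(alerts, src, "pseudo flaw triggered", path, now)
        return DECOYS[path]
    return REAL.get(path, (404, b"Not Found"))


def authenticate(user: str, password: str, src: str, alerts: List[dict], now: float = 0.0) -> bool:
    """Check credentials. Anyone presenting the honeytoken must have read the
    decoy .env, so alert and deny regardless of the user name."""
    if password == HONEYTOKEN_PASSWORD:
        _alert(alerts, src, "honeytoken credential used", user, now)
        return False
    return USERS.get(user) == password


def intruder_session(src: str = "203.0.113.7") -> List[dict]:
    """Constructed scenario: browse, probe for loot, try the leaked credential."""
    alerts: List[dict] = []
    handle_request("/", src, alerts, now=1.0)                      # benign, no alert
    handle_request("/.env", src, alerts, now=2.0)                  # decoy hit -> alert
    authenticate("app", HONEYTOKEN_PASSWORD, src, alerts, now=3.0)  # honeytoken -> alert
    return alerts


def legitimate_session(src: str = "198.51.100.9") -> List[dict]:
    """Constructed scenario: a normal user touches only real resources."""
    alerts: List[dict] = []
    handle_request("/", src, alerts, now=1.0)
    handle_request("/login", src, alerts, now=2.0)
    authenticate("app", USERS["app"], src, alerts, now=3.0)
    return alerts


if __name__ == "__main__":
    for a in intruder_session():
        print(a)
```

Two properties make this a pseudo flaw rather than a mere log line: the decoy is indistinguishable from a real mistake from the attacker's side, and the honeytoken is unique, so its reuse anywhere (login form, VPN, database) is a zero-false-positive indicator that the decoy was read.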
