[Free] New Updated (October) ISC SSCP Real Exam 291-300


QUESTION 291

What is the main issue with media reuse?

A. Degaussing
B. Data remanence
C. Media destruction
D. Purging

Correct Answer: B

Explanation:

The main issue with media reuse is data remanence, where residual information still resides on media that have been erased. Degaussing, purging and destruction are ways to handle media that contain data that is no longer needed or used.

Source: WALLHOFF, John, CBK#10 Physical Security (CISSP Study Guide), April 2002 (page 5).

QUESTION 292

As per the Orange Book, what are two types of system assurance?

A. Operational Assurance and Architectural Assurance.
B. Design Assurance and Implementation Assurance.
C. Architectural Assurance and Implementation Assurance.
D. Operational Assurance and Life-Cycle Assurance.

Correct Answer: D

Explanation:

Operational Assurance and Life-Cycle Assurance are the two types of assurance mentioned in the Orange Book.

The following answers are incorrect:

Operational Assurance and Architectural Assurance is incorrect because Architectural Assurance is not a type of assurance mentioned in the Orange Book.

Design Assurance and Implementation Assurance is incorrect because neither is a type of assurance mentioned in the Orange Book.

Architectural Assurance and Implementation Assurance is incorrect because neither is a type of assurance mentioned in the Orange Book.

QUESTION 293

Which of the following exemplifies proper separation of duties?

A. Operators are not permitted to modify the system time.
B. Programmers are permitted to use the system console.
C. Console operators are permitted to mount tapes and disks.
D. Tape operators are permitted to use the system console.

Correct Answer: A

Explanation:

This is an example of Separation of Duties because operators are prevented from modifying the system time, which could lead to fraud. Tasks of this nature should be performed by the system administrators.

AIO defines Separation of Duties as a security principle that splits up a critical task among two or more individuals to ensure that one person cannot complete a risky task by himself.

The following answers are incorrect:

Programmers are permitted to use the system console. This is incorrect because programmers should not be permitted to use the system console; this task should be performed by operators. Allowing programmers access to the system console could allow fraud to occur, so this is not an example of Separation of Duties.

Console operators are permitted to mount tapes and disks. This is incorrect because operators should be able to mount tapes and disks, so this is not an example of Separation of Duties.

Tape operators are permitted to use the system console. This is incorrect because operators should be able to use the system console, so this is not an example of Separation of Duties.

References:

OIG CBK Access Control (pages 98-101)

AIOv3 Access Control (page 182)

QUESTION 294

Related to information security, confidentiality is the opposite of which of the following?

A. closure
B. disclosure
C. disposal
D. disaster

Correct Answer: B

Explanation:

Confidentiality is the opposite of disclosure.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.

QUESTION 295

Which of the following is NOT an administrative control?

A. Logical access control mechanisms
B. Screening of personnel
C. Development of policies, standards, procedures and guidelines
D. Change control procedures

Correct Answer: A

Explanation:

Logical access control mechanisms are considered to be a technical control.

Logical is synonymous with Technical Control. That was the easy answer.

There are three broad categories of access control: Administrative, Technical, and Physical.

Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.

Each category of access control has several components that fall within it, as shown here:

Administrative Controls

Policy and procedures
Personnel controls
Supervisory structure
Security-awareness training
Testing

Physical Controls

Network segregation
Perimeter security
Computer controls
Work area separation
Data backups

Technical Controls

System access
Network architecture
Network access
Encryption and protocols
Control zone
Auditing

The following answers are incorrect:

Screening of personnel is considered to be an administrative control.

Development of policies, standards, procedures and guidelines is considered to be an administrative control.

Change control procedures are considered to be an administrative control.

Reference:

Shon Harris, AIO v3, Chapter 3: Security Management Practices, pages 52-54.

QUESTION 296

Which of the following computer design approaches is based on the fact that in earlier technologies, the instruction fetch was the longest part of the cycle?

A. Pipelining
B. Reduced Instruction Set Computers (RISC)
C. Complex Instruction Set Computers (CISC)
D. Scalar processors

Correct Answer: C

Explanation:

Complex Instruction Set Computer (CISC) uses instructions that perform many operations per instruction. It was based on the fact that in earlier technologies, the instruction fetch was the longest part of the cycle. Therefore, by packing more operations into an instruction, the number of fetches could be reduced. Pipelining involves overlapping the steps of different instructions to increase the performance in a computer. Reduced Instruction Set Computers (RISC) involve simpler instructions that require fewer clock cycles to execute. Scalar processors are processors that execute one instruction at a time.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 188).

QUESTION 297

Buffer overflow and boundary condition errors are subsets of which of the following?

A. Race condition errors.
B. Access validation errors.
C. Exceptional condition handling errors.
D. Input validation errors.

Correct Answer: D

Explanation:

In an input validation error, the input received by a system is not properly checked, resulting in a vulnerability that can be exploited by sending a certain input sequence. There are two important types of input validation errors: buffer overflows (the input received is longer than the expected input length) and boundary condition errors (where an input received causes the system to exceed an assumed boundary). A race condition occurs when there is a delay between the time when a system checks to see if an operation is allowed by the security model and the time when the system actually performs the operation. In an access validation error, the system is vulnerable because the access control mechanism is faulty. In an exceptional condition handling error, the system somehow becomes vulnerable due to an exceptional condition that has arisen.

Source: DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, March 2002 (page 105).

QUESTION 298

Which of the following security modes of operation involves the highest risk?

A. Compartmented Security Mode
B. Multilevel Security Mode
C. System-High Security Mode
D. Dedicated Security Mode
 

Correct Answer: B

Explanation:

In multilevel mode, two or more classification levels of data exist, and some people are not cleared for all the data on the system.

Risk is higher because sensitive data could be made available to someone not validated as being capable of maintaining secrecy of that data (i.e., not cleared for it).

In the other security modes, all users have the necessary clearance for all data on the system.

Source: LaROSA, Jeanette (domain leader), Application and System Development Security CISSP Open Study Guide, version 3.0, January 2002.

QUESTION 299

Which of the following is the act of performing tests and evaluations to test a system's security level to see if it complies with the design specifications and security requirements?

A. Validation
B. Verification
C. Assessment
D. Accuracy
Correct Answer: B

Explanation:

Verification vs. Validation:

Verification determines if the product accurately represents and meets the specifications. A product can be developed that does not match the original specifications. This step ensures that the specifications are properly met.

Validation determines if the product provides the necessary solution for the intended real-world problem. In large projects, it is easy to lose sight of the overall goal. This exercise ensures that the main goal of the project is met.

From DITSCAP:

6.3.2. Phase 2, Verification. The Verification phase shall include activities to verify compliance of the system with previously agreed security requirements. For each life-cycle development activity, DoD Directive 5000.1 (reference (i)), there is a corresponding set of security activities, enclosure 3, that shall verify compliance with the security requirements and evaluate vulnerabilities.

6.3.3. Phase 3, Validation. The Validation phase shall include activities to evaluate the fully integrated system to validate system operation in a specified computing environment with an acceptable level of residual risk. Validation shall culminate in an approval to operate.

You must also be familiar with Verification and Validation for the purpose of the exam. A simple definition for Verification would be whether or not the developers followed the design specifications along with the security requirements. A simple definition for Validation would be whether or not the final product meets the end user needs and can be used for a specific purpose.

Wikipedia has an informal description that is currently written as: Validation can be expressed by the query "Are you building the right thing?" and Verification by "Are you building it right?"

NOTE:

DITSCAP was replaced by DIACAP some time ago (2007). While DITSCAP had defined both a verification and a validation phase, DIACAP only has a validation phase. It may not make a difference in the answer for the exam; however, DIACAP is the cornerstone policy of DoD C&A and IA efforts today. Be familiar with both terms in case the exam is updated with the new term.

Reference(s) used for this question:

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1106). McGraw-Hill. Kindle Edition.

http://iase.disa.mil/ditscap/DITSCAP.html

https://en.wikipedia.org/wiki/Verification_and_validation

QUESTION 300

What is the appropriate role of the security analyst in the application system development or acquisition project?

A. policeman
B. control evaluator & consultant
C. data owner
D. application user
Correct Answer: B

Explanation:

The correct answer is "control evaluator & consultant". During any system development or acquisition, the security staff should evaluate security controls and advise (or consult) on the strengths and weaknesses with those responsible for making the final decisions on the project.

The other answers are not correct because:

policeman: It is never a good idea for the security staff to be placed into this type of role (though it is sometimes unavoidable). During system development or acquisition, there should be no need for anyone to fill the role of policeman.

data owner: In this case, the data owner would be the person asking for the new system to manage, control, and secure information they are responsible for. While it is possible the security staff could also be the data owner for such a project if they happen to have responsibility for the information, it is also possible someone else would fill this role. Therefore, the best answer remains "control evaluator & consultant".

application user: Again, it is possible this could be the security staff, but it could also be many other people or groups. So this is not the best answer.

Reference:

Official ISC2 Guide, pages 555-560

All in One, Third Edition, pages 832-846
