[Free] New Updated (October) ISC SSCP Real Exam 301-310


QUESTION 301

Which of the following can be defined as the process of rerunning a portion of the test scenario or test plan to ensure that changes or corrections have not introduced new errors?

 

A. Unit testing
B. Pilot testing
C. Regression testing
D. Parallel testing

Correct Answer: C

Explanation:

Regression testing is the process of rerunning a portion of the test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the data used in the original test. Unit testing refers to the testing of an individual program or module. Pilot testing is a preliminary test that focuses only on specific and predetermined aspects of a system. Parallel testing is the process of feeding test data into two systems and comparing the results.

Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 300).

 

 

QUESTION 302

What is called the formal acceptance of the adequacy of a system’s overall security by the management?

 

A. Certification
B. Acceptance
C. Accreditation
D. Evaluation

Correct Answer: C

Explanation:

Accreditation is the authorization by management to implement software or systems in a production environment. This authorization may be either provisional or full.

 

The following are incorrect answers:

 

Certification is incorrect. Certification is the process of evaluating the security stance of the software or system against a selected set of standards or policies. Certification is the technical evaluation of a product. This may precede accreditation but is not a required precursor.

 

Acceptance is incorrect. This term is sometimes used as the recognition that a piece of software or system has met a set of functional or service level criteria (the new payroll system has passed its acceptance test). Certification is the better term in this context.

 

Evaluation is incorrect. Evaluation is certainly a part of the certification process but it is not the best answer to the question.

 

Reference(s) used for this question:

The Official Study Guide to the CBK from ISC2, pages 559-560

 

AIO3, pp. 314 – 317

AIOv4 Security Architecture and Design (pages 369 – 372)

AIOv5 Security Architecture and Design (pages 370 – 372)


QUESTION 303

Which of the following determines that the product developed meets the project's goals?

 

A. verification
B. validation
C. concurrence
D. accuracy

Correct Answer: B

Explanation:

Software Development Verification vs. Validation:

 

Verification determines if the product accurately represents and meets the design specifications given to the developers. A product can be developed that does not match the original specifications. This step ensures that the specifications are properly met and closely followed by the development team.

 

Validation determines if the product provides the necessary solution for the intended real-world problem. It validates whether or not the final product is what the user expected in the first place and whether or not it solves the problem it was intended to solve. In large projects, it is easy to lose sight of the overall goal. This exercise ensures that the main goal of the project is met.

 

From DITSCAP:

6.3.2. Phase 2, Verification. The Verification phase shall include activities to verify compliance of the system with previously agreed security requirements. For each life-cycle development activity, DoD Directive 5000.1 (reference (i)), there is a corresponding set of security activities, enclosure 3, that shall verify compliance with the security requirements and evaluate vulnerabilities.

 

6.3.3. Phase 3, Validation. The Validation phase shall include activities to evaluate the fully integrated system to validate system operation in a specified computing environment with an acceptable level of residual risk. Validation shall culminate in an approval to operate.

 

NOTE:

DIACAP has replaced DITSCAP, but the definitions above are still valid and applicable for the purpose of the exam.

 

Reference(s) used for this question:

 

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 1106). McGraw-Hill. Kindle Edition.

http://iase.disa.mil/ditscap/DITSCAP.html

 

 

QUESTION 304

The major objective of system configuration management is which of the following?

 

A. system maintenance.
B. system stability.
C. system operations.
D. system tracking.

Correct Answer: B

Explanation:

A major objective of Configuration Management is stability. The changes to the system are controlled so that they don't lead to weaknesses or faults in the system.

The following answers are incorrect:

 

System maintenance is incorrect because it is not the best answer. Configuration Management does control the changes to the system, but that is not as important as the overall stability of the system.

System operations is incorrect because it is not the best answer; the overall stability of the system is much more important.

System tracking is incorrect because, while tracking changes is important, it is not the best answer. The overall stability of the system is much more important.

 

 

QUESTION 305

The security of a computer application is most effective and economical in which of the following cases?

 

A. The system is optimized prior to the addition of security.
B. The system is procured off-the-shelf.
C. The system is customized to meet the specific security threat.
D. The system is originally designed to provide the necessary security.

Correct Answer: D

Explanation:

The earlier in the process that security is planned for and implemented, the cheaper it is. It is also much more efficient if security is addressed in each phase of the development cycle rather than as an add-on, because it becomes more complicated to add at the end. If a security plan is developed at the beginning, it ensures that security won't be overlooked.

 

The following answers are incorrect:

 

The system is optimized prior to the addition of security is incorrect because if you wait to implement security after a system is completed, the cost of adding security increases dramatically and it can become much more complex.

The system is procured off-the-shelf is incorrect because it is often difficult to add security to off-the-shelf systems.

The system is customized to meet the specific security threat is incorrect because this is a distractor. It implies only a single threat.

 

 

QUESTION 306

Who is responsible for implementing user clearances in computer-based information systems at the B3 level of the TCSEC rating ?

 

A. Security administrators
B. Operators
C. Data owners
D. Data custodians

Correct Answer: A

Explanation:

Security administrator functions include user-oriented activities such as setting user clearances, setting initial password, setting other security characteristics for new users or changing security profiles for existing users. Data owners have the ultimate responsibility for protecting data, thus determining proper user access rights to data.

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

QUESTION 307

Which of the following best corresponds to the type of memory addressing where the address location that is specified in the program instruction contains the address of the final desired location?

 

A. Direct addressing
B. Indirect addressing
C. Indexed addressing
D. Program addressing

Correct Answer: B

Explanation:

Indirect addressing is when the address location that is specified in the program instruction contains the address of the final desired location. Direct addressing is when a portion of primary memory is accessed by specifying the actual address of the memory location. Indexed addressing is when the contents of the address defined in the program's instruction are added to that of an index register. Program addressing is not a defined memory addressing mode.

Source: WALLHOFF, John, CBK#6 Security Architecture and Models (CISSP Study Guide), April 2002 (page 2).

 

 

QUESTION 308

Which of the following is NOT true concerning Application Control?

 

A. It limits end users' use of applications in such a way that only particular screens are visible.
B. Only specific records can be requested through the application controls.
C. Particular usage of the application can be recorded for audit purposes.
D. It is non-transparent to the endpoint applications, so changes are needed to the applications and databases involved.

Correct Answer: D

Explanation:

Source: TIPTON, Harold F.& KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, Auerbach.

 

 

QUESTION 309

Making sure that the data is accessible when and where it is needed is which of the following?

 

A. confidentiality
B. integrity
C. acceptability
D. availability

Correct Answer: D

Explanation:

Availability is making sure that the data is accessible when and where it is needed.

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.


QUESTION 310

What does “System Integrity” mean?

 

A. The software of the system has been implemented as designed.
B. Users can't tamper with processes they do not own.
C. Hardware and firmware have undergone periodic testing to verify that they are functioning properly.
D. Design specifications have been verified against the formal top-level specification.

Correct Answer: C

Explanation:

System Integrity means that all components of the system cannot be tampered with by unauthorized personnel and can be verified that they work properly.

 

The following answers are incorrect:

 

The software of the system has been implemented as designed is incorrect because this would fall under Trusted system distribution.

Users can't tamper with processes they do not own is incorrect because this would fall under Configuration Management.

Design specifications have been verified against the formal top-level specification is incorrect because this would fall under Specification and verification.

 

References:

AIOv3 Security Models and Architecture (pages 302 – 306)

DOD TCSEC – http://www.cerberussystems.com/INFOSEC/stds/d520028.htm
