[Free] New Updated (October) ISC SSCP Real Exam 311-320


 

QUESTION 311

What is it called when a computer uses more than one CPU in parallel to execute instructions?

 

A.

Multiprocessing

B.

Multitasking

C.

Multithreading

D.

Parallel running

 

Correct Answer: A

Explanation:

A system with multiple processors is called a multiprocessing system.

 

Multitasking is incorrect. Multitasking involves sharing a single processor among all ready processes. Although it appears to the user that multiple processes are executing at the same time, only one process is actually running on that processor at any point in time.

 

Multithreading is incorrect. Multithreading lets a developer structure a program as a collection of independent threads within one process to achieve better concurrency. For example, one thread of a program might be performing a calculation while another is waiting for additional input from the user.

 

“Parallel running” is incorrect. This is not a real term and is just a distraction.

 

References:

CBK, pp. 315-316

AIO3, pp. 234 – 239

QUESTION 312

The information security staff’s participation in which of the following system development life cycle phases provides maximum benefit to the organization?

 

A.

project initiation and planning phase

B.

system design specifications phase

C.

development and documentation phase

D.

in parallel with every phase throughout the project

 

Correct Answer: D

Explanation:

The other answers are not correct because:

You are always looking for the “best” answer. While each of the phases listed here could be considered correct in that each of them requires input from the security staff, the best answer is for that input to happen in parallel with every phase of the project.

 

Reference:

Official ISC2 Guide page: 556

All in One Third Edition page: 832 – 833

 

 

QUESTION 313

What is the goal of the Maintenance phase in a common development process of a security policy?

 

A.

to review the document on the specified review date

B.

publication within the organization

C.

to write a proposal to management that states the objectives of the policy

D.

to present the document to an approving body

 

Correct Answer: A

Explanation:

“Publication within the organization” is the goal of the Publication Phase. “Write a proposal to management that states the objectives of the policy” is part of the Initial and Evaluation Phase. “Present the document to an approving body” is part of the Approval Phase.

 

Reference:

TIPTON, Harold F.& KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 3, 2002, Auerbach Publications.

 

Also:

KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 286).

 

 

QUESTION 314

When backing up an applications system’s data, which of the following is a key question to be answered first?

 

A.

When to make backups

B.

Where to keep backups

C.

What records to backup

D.

How to store backups

 

Correct Answer: C

Explanation:

It is critical that a determination be made of WHAT data is important and should be retained and protected. Without determining the data to be backed up, the potential for error increases. A record or file could be vital and yet not included in a backup routine. Alternatively, temporary or insignificant files could be included in a backup routine unnecessarily.

 

The following answers were incorrect:

 

When to make backups: Although it is important to consider schedules for backups, this is done after the decision is made of what should be included in the backup routine.

Where to keep backups: The location for storing backup copies of data (such as tapes, on-line backups, etc.) should be decided after determining what should be included in the backup routine and the method used to store the backup.

How to store backups: The backup methodology should be considered after determining what data should be included in the backup routine.

 

 

QUESTION 315

Who can best decide what the adequate technical security controls are in a computer-based application system with regard to the protection of the data being used, the criticality of the data, and its sensitivity level?

 

A.

System Auditor

B.

Data or Information Owner

C.

System Manager

D.

Data or Information user

 

Correct Answer: B

Explanation:

The data or information owner, also referred to as the “Data Owner”, would be the best person. That is the individual or officer who is ultimately responsible for the protection of the information and can therefore decide what the adequate security controls are according to the data sensitivity and data criticality. The auditor would be the best person to determine the adequacy of controls and whether or not they are working as expected by the owner.

 

The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations.

 

Organizations can have internal auditors and/or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met. For example, many information security auditors follow CobiT, a control framework, when evaluating a security program. While many security professionals fear and dread auditors, they can be valuable tools in ensuring the overall security of the organization. Their goal is to find the things you have missed and help you understand how to fix the problem.

 

The Official ISC2 Guide (OIG) says:

IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. The auditors provide independent assurance to the management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way ensuring that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness.

 

Example:

Bob is the head of payroll. He is therefore the individual with primary responsibility over the payroll database, and is therefore the information/data owner of the payroll database. In Bob’s department, he has Sally and Richard working for him. Sally is responsible for making changes to the payroll database, for example if someone is hired or gets a raise. Richard is only responsible for printing paychecks. Given those roles, Sally requires both read and write access to the payroll database, but Richard requires only read access to it. Bob communicates these requirements to the system administrators (the “information/data custodians”) and they set the file permissions for Sally’s and Richard’s user accounts so that Sally has read/write access, while Richard has only read access.

 

So in short, Bob will determine what controls are required and what the sensitivity and criticality of the data are. Bob will communicate this to the custodians, who will implement the requirements on the systems/DB. The auditor would assess whether the controls are in fact providing the level of security the Data Owner expects within the systems/DB. The auditor does not determine the sensitivity or the criticality of the data.
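The payroll scenario above, expressed as a small worked example in Python. This is added here and is not code from the study guide or from any (ISC)2 material: the data owner's decision is written down as a requirement, the custodian applies it, and the auditor does nothing but compare what was configured against what the owner decided. The user names, the file name payroll.db, the permission strings and the "drifted" ACL are all constructed for illustration.

```python
"""Added example (not from the SSCP study text): owner decides, custodian
implements, auditor compares. Names, 'payroll.db' and permission strings are
assumptions made for illustration."""

from dataclasses import dataclass

# Permission bits the custodian can actually set on the system.
READ = "r"
WRITE = "w"


@dataclass
class OwnerRequirement:
    """What the data owner (Bob) decides: sensitivity, criticality and who needs what."""
    resource: str
    sensitivity: str
    criticality: str
    required_access: dict  # user -> set of permissions


@dataclass
class ImplementedAcl:
    """What the custodian (system administrators) actually configured."""
    resource: str
    entries: dict  # user -> set of permissions


def custodian_apply(req: OwnerRequirement) -> ImplementedAcl:
    """Custodian implements exactly what the owner asked for, nothing more."""
    return ImplementedAcl(req.resource, {u: set(p) for u, p in req.required_access.items()})


def audit(req: OwnerRequirement, acl: ImplementedAcl) -> list:
    """Auditor: compare configured permissions against the owner's decision.

    The auditor never changes the sensitivity or the required access; it only
    reports deviations (excess rights, missing rights, accounts the owner never named).
    """
    findings = []
    users = set(req.required_access) | set(acl.entries)
    for user in sorted(users):
        required = req.required_access.get(user, set())
        actual = acl.entries.get(user, set())
        excess = actual - required
        missing = required - actual
        if excess:
            findings.append(f"{user}: excess permission {sorted(excess)} on {acl.resource}")
        if missing:
            findings.append(f"{user}: missing permission {sorted(missing)} on {acl.resource}")
    return findings


def payroll_scenario() -> tuple:
    """Runs the audit twice: once against a faithful ACL, once against constructed drift."""
    bob_decides = OwnerRequirement(
        resource="payroll.db",
        sensitivity="confidential",
        criticality="high",
        required_access={"sally": {READ, WRITE}, "richard": {READ}},
    )
    faithful = custodian_apply(bob_decides)
    # Constructed drift: Richard was given write access and an account Bob never
    # named ('temp') has been added to the ACL.
    drifted = ImplementedAcl(
        "payroll.db",
        {"sally": {READ, WRITE}, "richard": {READ, WRITE}, "temp": {READ}},
    )
    return audit(bob_decides, faithful), audit(bob_decides, drifted)


if __name__ == "__main__":
    clean, findings = payroll_scenario()
    print("faithful ACL findings:", clean)
    print("drifted ACL findings:", findings)
```

The point of the split is the one the explanation makes: the only input the auditor has is the owner's stated requirement, so a finding is a deviation from the owner's decision, never a judgement about how sensitive the payroll data should have been.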

 

The other answers are not correct because:

 

A “system auditor” is never responsible for anything but auditing: the auditor does not make control decisions, but would be the best person to determine the adequacy of controls and then make recommendations.

 

A “system manager” is really just another name for a system administrator, which is actually an information custodian as explained above.

 

A “Data or information user” is responsible for applying security controls on a day-to-day basis as they utilize the information, but not for determining what the controls should be or whether they are adequate.

 

References:

Official ISC2 Guide to the CISSP CBK, Third Edition, Page 477

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Information Security Governance and Risk Management ((ISC)2 Press) (Kindle Locations 294-298). Auerbach Publications. Kindle Edition.

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 3108-3114).

 

Information Security Glossary

Responsibility for use of information resources

 

 

QUESTION 316

Which of the following would best classify as a management control?

 

A.

Review of security controls

B.

Personnel security

C.

Physical and environmental protection

D.

Documentation

 

Correct Answer: A

Explanation:

Management controls focus on the management of the IT security system and the management of risk for a system.

 

They are techniques and concerns that are normally addressed by management. Routine evaluations and responses to identified vulnerabilities are important elements of managing the risk of a system and are thus considered management controls.

 

SECURITY CONTROLS: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

 

SECURITY CONTROL BASELINE: The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

 

The following are incorrect answers:

Personnel security, physical and environmental protection and documentation are forms of operational controls.

 

Reference(s) used for this question:

 

http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf and

FIPS PUB 200 at http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

 

 

QUESTION 317

A trusted system does NOT involve which of the following?

 

A.

Enforcement of a security policy.

B.

Sufficiency and effectiveness of mechanisms to be able to enforce a security policy.

C.

Assurance that the security policy can be enforced in an efficient and reliable manner.

D.

Independently-verifiable evidence that the security policy-enforcing mechanisms are sufficient and effective.

 

Correct Answer: C

Explanation:

A trusted system is one that meets its intended security requirements. It involves sufficiency and effectiveness, not necessarily efficiency, in enforcing a security policy. Put succinctly, trusted systems have (1) policy, (2) mechanism, and (3) assurance.

Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.

 

 

QUESTION 318

Which of the following is not a method to protect objects and the data within the objects?

 

A.

Layering

B.

Data mining

C.

Abstraction

D.

Data hiding

 

Correct Answer: B

Explanation:

Data mining is used to reveal hidden relationships, patterns and trends by running queries on large data stores.

 

Data mining is the act of collecting and analyzing large quantities of information to determine patterns of use or behavior and use those patterns to form conclusions about past, current, or future behavior. Data mining is typically used by large organizations with large databases of customer or consumer behavior. Retail and credit companies will use data mining to identify buying patterns or trends in geographies, age groups, products, or services. Data mining is essentially the statistical analysis of general information in the absence of specific data.

 

The following are incorrect answers:

 

They are incorrect as they all apply to protecting objects and the data within them. Layering, abstraction and data hiding are related concepts that can work together to produce modular software that implements an organization’s security policies and is more reliable in operation.

 

Layering is incorrect. Layering assigns specific functions to each layer and communication between layers is only possible through well-defined interfaces. This helps preclude tampering in violation of security policy. In computer programming, layering is the organization of programming into separate functional components that interact in some sequential and hierarchical way, with each layer usually having an interface only to the layer above it and the layer below it.

 

Abstraction is incorrect. Abstraction “hides” the particulars of how an object functions or stores information and requires the object to be manipulated through well-defined interfaces that can be designed to enforce security policy. Abstraction involves the removal of characteristics from an entity in order to easily represent its essential properties.

 

Data hiding is incorrect. Data hiding conceals the details of information storage and manipulation within an object by exposing only well-defined interfaces to the information rather than the information itself. For example, the details of how passwords are stored could be hidden inside a password object with exposed interfaces such as check_password, set_password, etc. When a password needs to be verified, the test password is passed to the check_password method and a boolean (true/false) result is returned to indicate whether the password is correct, without revealing any details of how or where the real passwords are stored. Data hiding maintains activities at different security levels to separate those levels from each other.
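The password object described above, as an added Python example (not code from the study guide). Callers get exactly two interfaces, set_password and check_password; the salt, the key-derivation function, the work factor and the stored digests are private details of the object. PBKDF2-HMAC-SHA256 and the iteration count are choices made for this illustration, not something the text specifies.

```python
"""Added example (not from the SSCP study text): a password object that hides
how and where passwords are stored. The KDF (PBKDF2-HMAC-SHA256) and work
factor are illustrative assumptions."""

import hashlib
import hmac
import os


class PasswordStore:
    """Exposes only set_password/check_password; everything else is hidden."""

    _ITERATIONS = 100_000  # PBKDF2 work factor (illustrative choice)
    _SALT_LEN = 16

    def __init__(self):
        # username -> (salt, digest). Leading underscore marks it private by convention;
        # no public method ever returns salt or digest.
        self._records = {}

    def set_password(self, username: str, password: str) -> None:
        """Store a new credential. The caller never sees the salt or digest."""
        salt = os.urandom(self._SALT_LEN)
        self._records[username] = (salt, self._derive(password, salt))

    def check_password(self, username: str, candidate: str) -> bool:
        """Return only True/False: correct or not, with no hint about storage."""
        record = self._records.get(username)
        if record is None:
            # Unknown user: still pay the derivation cost so timing does not
            # reveal which usernames exist.
            self._derive(candidate, b"\x00" * self._SALT_LEN)
            return False
        salt, digest = record
        # Constant-time comparison so the boolean is the only thing that leaks.
        return hmac.compare_digest(self._derive(candidate, salt), digest)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self._ITERATIONS
        )


def public_interface(obj) -> list:
    """Names a caller is meant to use: everything not marked private with an underscore."""
    return sorted(name for name in dir(obj) if not name.startswith("_"))


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("sally", "correct horse battery staple")
    print(public_interface(store))                              # ['check_password', 'set_password']
    print(store.check_password("sally", "correct horse battery staple"))  # True
    print(store.check_password("sally", "wrong"))               # False
```

The interface returns a boolean and nothing else, which is the property the explanation describes: a caller can verify a password without learning the algorithm, the salt, or the location of the stored value. Changing the KDF later does not change the interface.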

 

The following reference(s) were used for this question:

 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 27535-27540). Auerbach Publications. Kindle Edition.

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4269-4273). Auerbach Publications. Kindle Edition.

 

 

QUESTION 319

An effective information security policy should not have which of the following characteristics?

 

A.

Include separation of duties

B.

Be designed with a short- to mid-term focus

C.

Be understandable and supported by all stakeholders

D.

Specify areas of responsibility and authority

 

Correct Answer: B

Explanation:

An effective information security policy should be designed with a long-term focus. All other characteristics apply.

Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 397).

 

 

QUESTION 320

What mechanism does a system use to compare the security labels of a subject and an object?

 

A.

Validation Module.

B.

Reference Monitor.

C.

Clearance Check.

D.

Security Module.

 

Correct Answer: B

Explanation:

Because the Reference Monitor is responsible for access control to the objects by the subjects it compares the security labels of a subject and an object.

 

According to the OIG: The reference monitor is an access control concept referring to an abstract machine that mediates all accesses to objects by subjects based on information in an access control database. The reference monitor must mediate all access, be protected from modification, be verifiable as correct, and must always be invoked. The reference monitor, in accordance with the security policy, controls the checks that are made in the access control database.
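A minimal reference monitor in Python, added here as an example (not code from the study guide or the OIG). It holds the label table as its access control database, is the single point every access request passes through, and decides by comparing the subject's label with the object's. The lattice (ordered classification levels plus compartments), the read-down/write-up rules, and the sample subjects, objects and labels are assumptions chosen for illustration.

```python
"""Added example (not from the SSCP study text): a reference monitor that
mediates access by comparing subject and object security labels. The lattice
and the no-read-up / no-write-down rules are illustrative assumptions."""

from dataclasses import dataclass

# Ordered classification levels (assumed for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level and a superset of compartments."""
        return (
            LEVELS[self.level] >= LEVELS[other.level]
            and self.compartments >= other.compartments
        )


class ReferenceMonitor:
    """Mediates every access; the two label tables are its access control database."""

    def __init__(self, subject_labels: dict, object_labels: dict):
        self._subjects = dict(subject_labels)
        self._objects = dict(object_labels)
        self.audit_log = []  # every decision is recorded, allowed or not

    def access(self, subject: str, obj: str, mode: str) -> bool:
        s = self._subjects.get(subject)
        o = self._objects.get(obj)
        if s is None or o is None:
            decision = False          # unlabelled subject or object: deny
        elif mode == "read":
            decision = s.dominates(o)  # no read up
        elif mode == "write":
            decision = o.dominates(s)  # no write down
        else:
            decision = False          # unknown access mode: deny
        self.audit_log.append((subject, obj, mode, decision))
        return decision


def demo() -> dict:
    """Constructed subjects and objects; returns the monitor's decisions."""
    rm = ReferenceMonitor(
        subject_labels={
            "alice": Label("SECRET", frozenset({"CRYPTO"})),
            "bob": Label("CONFIDENTIAL"),
        },
        object_labels={
            "plan.txt": Label("SECRET", frozenset({"CRYPTO"})),
            "memo.txt": Label("CONFIDENTIAL"),
            "vault.txt": Label("TOP SECRET"),
        },
    )
    return {
        "alice_reads_plan": rm.access("alice", "plan.txt", "read"),
        "bob_reads_plan": rm.access("bob", "plan.txt", "read"),
        "bob_writes_plan": rm.access("bob", "plan.txt", "write"),
        "alice_writes_memo": rm.access("alice", "memo.txt", "write"),
        "alice_reads_vault": rm.access("alice", "vault.txt", "read"),
        "eve_reads_memo": rm.access("eve", "memo.txt", "read"),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request}: {'ALLOW' if allowed else 'DENY'}")
```

Two of the OIG's properties show up directly in the code: the monitor is always invoked because there is no other path to the label tables, and every decision is logged so that the mediation is verifiable after the fact. Tamper-resistance of the monitor itself is a property of the platform it runs on, not something a Python class can provide.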

 

The following are incorrect:

 

Validation Module: A validation module is typically found in application source code and is used to validate input data.

Clearance Check: This is a distractor; there is no such mechanism, apart from what someone would do when checking whether a person is authorized to access a secure facility.

Security Module: Typically a general-purpose module that performs a variety of security-related functions.

 

References:

OIG CBK, Security Architecture and Design (page 324)

AIO, 4th Edition, Security Architecture and Design, pp. 328-328

Wikipedia – http://en.wikipedia.org/wiki/Reference_monitor
