[Free] New Updated (October) ISC SSCP Real Exam 331-340

Ensurepass

 

QUESTION 331

Which of the following is used to interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes?

 

A.

Key escrow

B.

Rotation of duties

C.

Principle of need-to-know

D.

Principle of least privilege

 

Correct Answer: B

Explanation:

Job rotations reduce the risk of collusion of activities between individuals. Companies with individuals working with sensitive information or systems where there might be the opportunity for personal gain through collusion can benefit by integrating job rotation with segregation of duties. Rotating the position may uncover activities that the individual is performing outside of the normal operating procedures, highlighting errors or fraudulent behavior.

 

Rotation of duties is a method of reducing the risk associated with a subject performing a (sensitive) task by limiting the amount of time the subject is assigned to perform the task before being moved to a different task.

 

The following are incorrect answers:

Key escrow is related to the protection of keys in storage by splitting the key in pieces that will be controlled by different departments. Key escrow is the process of ensuring a third party maintains a copy of a private key or key needed to decrypt information. Key escrow also should be considered mandatory for most organization’s use of cryptography as encrypted information belongs to the organization and not the individual; however often an individual’s key is used to encrypt the information.

 

Separation of duties is a basic control that prevents or detects errors and irregularities by assigning responsibility for different parts of critical tasks to separate individuals, thus limiting the effect a single person can have on a system. One individual should not have the capability to execute all of the steps of a particular process. This is especially important in critical business areas, where individuals may have greater access and capability to modify, delete, or add data to the system. Failure to separate duties could result in individuals embezzling money from the company without the involvement of others.

 

The need-to-know principle specifies that a person must not only be cleared to access classified or other sensitive information, but must also have a requirement for such information to carry out assigned job duties. Ordinary or limited user accounts are what most users are assigned. They should be restricted only to those privileges that are strictly required, following the principle of least privilege. Access should be limited to specific objects following the principle of need-to-know.

 

The principle of least privilege requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. Least privilege refers to granting users only the accesses that are required to perform their job functions. Some employees will require greater access than others based upon their job functions. For example, an individual performing data entry on a mainframe system may have no need for Internet access or the ability to run reports regarding the information that they are entering into the system. Conversely, a supervisor may have the need to run reports, but should not be provided the capability to change information in the database.

 

Reference(s) used for this question:

 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10628-10631). Auerbach Publications. Kindle Edition.

and

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10635-10638). Auerbach Publications. Kindle Edition.

and

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10693-10697). Auerbach Publications. Kindle Edition.

and

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 16338-16341). Auerbach Publications. Kindle Edition.

QUESTION 332

Which of the following would be the MOST serious risk where a systems development life cycle methodology is inadequate?

 

A.

The project will be completed late.

B.

The project will exceed the cost estimates.

C.

The project will be incompatible with existing systems.

D.

The project will fail to meet business and user needs.

 

Correct Answer: D

Explanation:

This is the most serious risk of an inadequate systems development life cycle methodology.

 

The following answers are incorrect because :

 

The project will be completed late is incorrect, as it is not as devastating as the correct answer above.

 

The project will exceed the cost estimates is also incorrect when compared to the above correct answer.

 

The project will be incompatible with existing systems is also incorrect when compared to the above correct answer.

 

Reference:

Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 290).

 

 

QUESTION 333

Which of the following is the MOST important aspect relating to employee termination?

 

A.

The details of employee have been removed from active payroll files.

B.

Company property provided to the employee has been returned.

C.

User ID and passwords of the employee have been deleted.

D.

The appropriate company staff are notified about the termination.

 

Correct Answer: D

Explanation:

Even though logical access to information by a terminated employee is possible if the ID and password of the terminated employee have not been deleted, this is only one part of the termination procedures. If the user ID is not disabled or deleted, it could be possible for the employee, without physical access, to reach the company's networks remotely and gain access to the information.

Please note that this can also be seen in a different way: the most important thing to do could also be to inform others of the person’s termination, because even if user IDs and passwords are deleted, a terminated individual could simply socially engineer their way back in by calling an individual he/she used to work with and asking them for access. He could intrude on the facility or use other weaknesses to gain access to information after he has been terminated.

 

By notifying the appropriate company staff about the termination, they would in turn initiate account termination, ask the employee to return company property, and all credentials would be withdrawn for the individual concerned. This answer is more complete than simply disabling the account.

 

It seems harsh and cold when this actually takes place, but too many companies have been hurt by vengeful employees who have lashed out at the company when their positions were revoked for one reason or another. If an employee is disgruntled in any way, or the termination is unfriendly, that employee’s accounts should be disabled right away, and all passwords on all systems changed.

 

For your exam you should know the information below:

 

Employee Termination Processes

Employees join and leave organizations every day. The reasons vary widely, due to retirement, reduction in force, layoffs, termination with or without cause, relocation to another city, career opportunities with other employers, or involuntary transfers. Terminations may be friendly or unfriendly and will need different levels of care as a result.

 

Friendly Terminations

Regular termination is when there is little or no evidence or reason to believe that the termination is not agreeable to both the company and the employee. A standard set of procedures, typically maintained by the human resources department, governs the dismissal of the terminated employee to ensure that company property is returned, and all access is removed. These procedures may include exit interviews and return of keys, identification cards, badges, tokens, and cryptographic keys. Other property, such as laptops, cable locks, credit cards, and phone cards, are also collected. The user manager notifies the security department of the termination to ensure that access is revoked for all platforms and facilities. Some facilities choose to immediately delete the accounts, while others choose to disable the accounts for a policy defined period, for example, 30 days, to account for changes or extensions in the final termination date. The termination process should include a conversation with the departing associate about their continued responsibility for confidentiality of information.

 

Unfriendly Terminations

Unfriendly terminations may occur when the individual is fired, involuntarily transferred, laid off, or when the organization has reason to believe that the individual has the means and intention to potentially cause harm to the system. Individuals with technical skills and higher levels of access, such as the systems administrators, computer programmers, database administrators, or any individual with elevated privileges, may present higher risk to the environment. These individuals could alter files, plant logic bombs to create system file damage at a future date, or remove sensitive information. Other disgruntled users could enter erroneous data into the system that may not be discovered for several months. In these situations, immediate termination of systems access is warranted at the time of termination or prior to notifying the employee of the termination. Managing the people aspect of security, from pre-employment to post-employment, is critical to ensure that trustworthy, competent resources are employed to further the business objectives that will protect company information. Each of these actions contributes to preventive, detective, or corrective personnel controls.

 

The following answers are incorrect:

The other options are less important.

 

The following reference(s) were used to create this question:

CISA review manual 2014 Page number 99

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 129). McGraw-Hill. Kindle Edition.

QUESTION 334

Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?

 

A.

Business and functional managers

B.

IT Security practitioners

C.

System and information owners

D.

Chief information officer

 

Correct Answer: C

Explanation:

The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. IT security practitioners are responsible for proper implementation of security requirements in their IT systems.

Source: STONEBURNER, Gary et al., NIST Special publication 800-30, Risk management Guide for Information Technology Systems, 2001 (page 6).

 

 

QUESTION 335

What is the difference between Advisory and Regulatory security policies?

 

A.

there is no difference between them

B.

regulatory policies are high level policy, while advisory policies are very detailed

C.

Advisory policies are not mandated. Regulatory policies must be implemented.

D.

Advisory policies are mandated while Regulatory policies are not

 

Correct Answer: C

Explanation:

Advisory policies are security policies that are not mandated to be followed but are strongly suggested, perhaps with serious consequences defined for failure to follow them (such as termination, a job action warning, and so forth). A company with such policies wants most employees to consider these policies mandatory.

 

Most policies fall under this broad category.

 

Advisory policies can have many exclusions or application levels. Thus, these policies can control some employees more than others, according to their roles and responsibilities within that organization. For example, a policy that requires a certain procedure for transaction processing might allow for an alternative procedure under certain, specified conditions.

 

Regulatory

Regulatory policies are security policies that an organization must implement due to compliance, regulation, or other legal requirements. These companies might be financial institutions, public utilities, or some other type of organization that operates in the public interest. These policies are usually very detailed and are specific to the industry in which the organization operates.

Regulatory policies commonly have two main purposes:

 

1. To ensure that an organization is following the standard procedures or base practices of operation in its specific industry

2. To give an organization the confidence that it is following the standard and accepted industry policy

 

Informative

Informative policies are policies that exist simply to inform the reader. There are no implied or specified requirements, and the audience for this information could be certain internal (within the organization) or external parties. This does not mean that the policies are authorized for public consumption but that they are general enough to be distributed to external parties (vendors accessing an extranet, for example) without a loss of confidentiality.

 

References:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 12, Chapter 1: Security Management Practices.

 

also see:

The CISSP Prep Guide:Mastering the Ten Domains of Computer Security by Ronald L.Krutz, Russell Dean Vines, Edward M.Stroz

 

also see:

http://i-data-recovery.com/information-security/information-security-policies-standards-guidelines-and-procedures

 

 

QUESTION 336

If an operating system permits shared resources such as memory to be used sequentially by multiple users/applications or subjects without a refresh of the objects/memory area, what security problem is MOST likely to exist?

 

A.

Disclosure of residual data.

B.

Unauthorized obtaining of a privileged execution state.

C.

Data leakage through covert channels.

D.

Denial of service through a deadly embrace.

 

Correct Answer: A

Explanation:

Allowing objects to be used sequentially by multiple users without a refresh of the objects can lead to disclosure of residual data. It is important that steps be taken to eliminate the chance for the disclosure of residual data.

 

Object reuse refers to the allocation or reallocation of system resources to a user or, more appropriately, to an application or process. Applications and services on a computer system may create or use objects in memory and in storage to perform programmatic functions. In some cases, it is necessary to share these resources between various system applications. However, some objects may be employed by an application to perform privileged tasks on behalf of an authorized user or upstream application. If object usage is not controlled or the data in those objects is not erased after use, they may become available to unauthorized users or processes.

 

Disclosure of residual data and Unauthorized obtaining of a privileged execution state are both a problem with shared memory and resources. Not clearing the heap/stack can result in residual data and may also allow a user to step on somebody else’s session if the security token/identity was maintained in that space. This is generally more malicious and intentional than accidental, though. The MOST common issue would be Disclosure of residual data.

 

The following answers are incorrect:

 

Unauthorized obtaining of a privileged execution state is incorrect because this is not a problem with Object Reuse.

 

Data leakage through covert channels is incorrect because it is not the best answer. A covert channel is a communication path. Data leakage would not be a problem created by Object Reuse. In computer security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. The term, originated in 1973 by Lampson, is defined as “(channels) not intended for information transfer at all, such as the service program’s effect on system load,” to distinguish it from legitimate channels that are subjected to access controls by COMPUSEC.

 

Denial of service through a deadly embrace is incorrect because it is only a distractor.

 

References:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4174-4179). Auerbach Publications. Kindle Edition.

https://www.fas.org/irp/nsa/rainbow/tg018.htm

http://en.wikipedia.org/wiki/Covert_channel

 

 

QUESTION 337

What can best be described as an abstract machine which must mediate all access by subjects to objects?

 

A.

A security domain

B.

The reference monitor

C.

The security kernel

D.

The security perimeter

 

Correct Answer: B

Explanation:

The reference monitor is an abstract machine which must mediate all access by subjects to objects, must be protected from modification, must be verifiable as correct, and is always invoked. The security kernel is the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. The security perimeter includes the security kernel as well as other security-related system functions that are within the boundary of the trusted computing base. System elements that are outside of the security perimeter need not be trusted. A security domain is a domain of trust that shares a single security policy and single management.

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

 

QUESTION 338

Who is ultimately responsible for the security of computer based information systems within an organization?

 

A.

The tech support team

B.

The Operation Team.

C.

The management team.

D.

The training team.

 

Correct Answer: C

Explanation:

If there is no support by management to implement, execute, and enforce security policies and procedures, then they won’t work. Senior management must be involved in this because they have an obligation to the organization to protect its assets. The requirement here is for management to show “due diligence” in establishing an effective compliance, or security, program.

 

The following answers are incorrect:

 

The tech support team is incorrect because the ultimate responsibility is with management for the security of computer-based information systems.

The Operation Team is incorrect because the ultimate responsibility is with management for the security of computer-based information systems.

The Training Team is incorrect because the ultimate responsibility is with management for the security of computer-based information systems.

 

Reference(s) used for this question:

OIG CBK Information Security Management and Risk Management (page 20 – 22)

 

 

QUESTION 339

Which of the following is responsible for MOST of the security issues?

 

A.

Outside espionage

B.

Hackers

C.

Personnel

D.

Equipment failure

 

Correct Answer: C

Explanation:

Personnel cause more security issues than hacker attacks, outside espionage, or equipment failure.

 

The following answers are incorrect because:

 

Outside espionage is incorrect as it is not the best answer. Hackers is also incorrect as it is not the best answer. Equipment failure is also incorrect as it is not the best answer.

 

Reference:

Shon Harris AIO v3, Chapter 3: Security Management Practices, Page 56

 

 

QUESTION 340

What security problem is most likely to exist if an operating system permits objects to be used sequentially by multiple users without forcing a refresh of the objects?

 

A.

Disclosure of residual data.

B.

Unauthorized obtaining of a privileged execution state.

C.

Denial of service through a deadly embrace.

D.

Data leakage through covert channels.

 

Correct Answer: A

Explanation:

This question is asking you to consider the effects of object reuse. Object reuse is “reassigning to subject media that previously contained information. Object reuse is a security concern because if insufficient measures were taken to erase the information on the media, the information may be disclosed to unauthorized personnel.”

 

This concept relates to Security Architecture and Design, because it is in level C2, Controlled Access Protection, of the Orange Book, where “The object reuse concept must be invoked, meaning that any medium holding data must not contain any remnants of information after it is released for another subject to use.”
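The object-reuse weakness behind questions 336 and 340, as an added example that is not part of the original page: a constructed single-object pool is handed from one subject to the next, once released without a refresh (the disclosure-of-residual-data case) and once with the memory scrubbed on release, as the Orange Book C2 object-reuse requirement demands. The pool, the two subjects and the sample token are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A toy pool of "objects" (memory areas) that an OS hands out to subjects
 * in turn. Constructed for illustration only; not real kernel code. */
#define OBJ_SIZE 32

typedef struct {
    uint8_t data[OBJ_SIZE];
    int in_use;
} object_t;

static object_t pool[1];   /* a single object, so reuse is guaranteed */

/* Clear memory with volatile writes so the compiler cannot drop the scrub. */
static void scrub(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Hand the object to a subject. No refresh happens here: whatever the
 * previous holder left behind is passed along unchanged. */
static object_t *acquire(void) {
    if (pool[0].in_use) return NULL;
    pool[0].in_use = 1;
    return &pool[0];
}

/* Release without a refresh: the object-reuse weakness the question describes. */
static void release_no_refresh(object_t *o) { o->in_use = 0; }

/* Release with a refresh: the C2 "object reuse" control, scrub before reassigning. */
static void release_with_refresh(object_t *o) {
    scrub(o->data, sizeof o->data);
    o->in_use = 0;
}

/* Subject A stores a constructed token in the object, releases it with the
 * given policy, then subject B receives the same object. Returns how many
 * non-zero bytes of A's token B can still read (31 = full disclosure, 0 = none). */
static size_t residual_bytes(void (*release)(object_t *)) {
    static const uint8_t secret[OBJ_SIZE] = "constructed-session-token-12345"; /* 31 bytes + NUL */
    object_t *a = acquire();
    memcpy(a->data, secret, OBJ_SIZE);   /* subject A uses the object */
    release(a);                          /* A is done; object returns to the pool */

    object_t *b = acquire();             /* subject B is assigned the same object */
    size_t leaked = 0;
    for (size_t i = 0; i < OBJ_SIZE; i++)
        if (secret[i] != 0 && b->data[i] == secret[i]) leaked++;
    release_with_refresh(b);             /* leave the pool clean for the next call */
    return leaked;
}

int main(void) {
    printf("residual bytes without refresh: %zu\n", residual_bytes(release_no_refresh));
    printf("residual bytes with refresh:    %zu\n", residual_bytes(release_with_refresh));
    return 0;
}
```

The same reasoning applies to any reassignable medium (disk blocks, swap, freed heap), which is why the requirement is stated in terms of objects rather than RAM alone.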

Reference:

AIO Version 5 (Shon Harris), page 360

TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
