CSSLP ISC2 Exam Questions and Free Practice Test

Question 13

You are responsible for network and information security at a large hospital. It is a significant concern that any change to any patient record can be easily traced back to the person who made that change. What is this called?

A. Availability

B. Confidentiality

C. Non repudiation

D. Data Protection

Correct Answer:C
Non repudiation refers to mechanisms that prevent a party from falsely denying involvement in some data transaction.

Question 14

You work as a security engineer for BlueWell Inc. According to you, which of the following DITSCAP/NIACAP model phases occurs at the initiation of the project, or at the initial C&A effort of a legacy system?

A. Validation

B. Definition

C. Verification

D. Post Accreditation

Correct Answer:B
The definition phase of the DITSCAP/NIACAP model takes place at the beginning of the project, or at the initial C&A effort of a legacy system. C&A consists of four phases in a DITSCAP assessment. These phases are the same as NIACAP phases. The order of these phases is as follows:
* 1.Definition: The definition phase is focused on understanding the IS business case, the mission, environment, and architecture. This phase determines the security requirements and level of effort necessary to achieve Certification & Accreditation (C&A). 2.Verification: The second phase confirms the evolving or modified system's compliance with the information. The verification phase ensures that the fully integrated system will be ready for certification testing. 3.Validation: The third phase confirms abidance of the fully integrated system with the security policy. This phase follows the requirements slated in the SSAA. The objective of the validation phase is to show the required evidence to support the DAA in accreditation process. 4.Post Accreditation: The Post Accreditation is the final phase of DITSCAP assessment and it starts after the system has been certified and accredited for operations. This phase ensures secure system management, operation, and maintenance to save an acceptable level of residual risk.

Question 15

Which of the following are the types of access controls? Each correct answer represents a complete solution. Choose three.

A. Physical

B. Technical

C. Administrative

D. Automatic

Correct Answer:ABC
Security guards, locks on the gates, and alarms come under physical access control. Policies and procedures implemented by an organization come under administrative access control. IDS systems, encryption, network segmentation, and antivirus controls come under technical access control. Answer D is incorrect. There is no such type of access control as automatic control.

Question 16

You and your project team have identified the project risks and now are analyzing the probability and impact of the risks. What type of analysis of the risks provides a quick and high-level review of each identified risk event?

A. Quantitative risk analysis

B. Qualitative risk analysis

C. Seven risk responses

D. A risk probability-impact matrix

Correct Answer:B
Qualitative risk analysis is a high-level, fast review of the risk event. Qualitative risk analysis qualifies the risk events for additional analysis.

Question 17

The NIST Information Security and Privacy Advisory Board (ISPAB) paper "Perspectives on Cloud Computing and Standards" specifies potential advantages and disdvantages of virtualization. Which of the following disadvantages does it include? Each correct answer represents a complete solution. Choose all that apply.

A. It increases capabilities for fault tolerant computing using rollback and snapshot features.

B. It increases intrusion detection through introspection.

C. It initiates the risk that malicious software is targeting the VM environment.

D. It increases overall security risk shared resources.

E. It creates the possibility that remote attestation may not work.

F. It involves new protection mechanisms for preventing VM escape, VM detection, and VM-VM interference.

G. It increases configuration effort because of complexity and composite system.

Correct Answer:CDEFG
The potential security disadvantages of virtualization are as follows: It increases configuration effort because of complexity and composite system. It initiates the problem of how to prevent overlap while mapping VM storage onto host files. It introduces the problem of virtualizing the TPM. It creates the possibility that remote attestation may not work. It initiates the problem of detecting VM covert channels. It involves new protection mechanisms for preventing VM escape, VM detection, and VM-VM interference. It initiates the possibility of virtual networking configuration errors. It initiates the risk that malicious software is targeting the VM environment.
It increases overall security risk shared resources, such as networks, clipboards, clocks, printers, desktop management, and folders. Answer A and B are incorrect. These are not the disadvantages of virtualization, as described in the NIST Information Security and Privacy Advisory Board (ISPAB) paper "Perspectives on Cloud Computing and Standards".

Question 18

Which of the following are the goals of risk management? Each correct answer represents a complete solution. Choose three.

A. Identifying the risk

B. Assessing the impact of potential threats

C. Identifying the accused

D. Finding an economic balance between the impact of the risk and the cost of the countermeasure

Correct Answer:ABD
There are three goals of risk management as follows: Identifying the risk Assessing the impact of potential threats Finding an economic balance between the impact of the risk and the cost of the countermeasure Answer B is incorrect. Identifying the accused does not come under the scope of risk management.

START CSSLP EXAM