ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 641:

  You have been tasked to develop an effective information classification program. Which one of the following steps should be performed first?

  A. Establish procedures for periodically reviewing the classification and ownership
  B. Specify the security controls required for each classification level
  C. Identify the data custodian who will be responsible for maintaining the security level of data
  D. Specify the criteria that will determine how data is classified
  D. Specify the criteria that will determine how data is classified

  ---

  According to the AIO 3rd edition, these are the necessary steps for a proper classification program:

  1.

  Define classification levels.

  2.

  Specify the criteria that will determine how data is classified.

  3.

  Have the data owner indicate the classification of the data she is responsible for.

  4.

  Identify the data custodian who will be responsible for maintaining data and its security level.

  5.

  Indicate the security controls, or protection mechanisms, that are required for each classification level.

  6.

  Document any exceptions to the previous classification issues.

  7.

  Indicate the methods that can be used to transfer custody of the information to a different data owner.

  8.

  Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian.

  9.

  Indicate termination procedures for declassifying the data.

  10.

  Integrate these issues into the security-awareness program so that all employees understand how to handle data at different classification levels. Domain: Information security and risk management Reference: AIO 3rd edition page 50

• Question 642:

  What is the difference between Advisory and Regulatory security policies?

  A. there is no difference between them
  B. regulatory policies are high level policy, while advisory policies are very detailed
  C. Advisory policies are not mandated. Regulatory policies must be implemented.
  D. Advisory policies are mandated while Regulatory policies are not
  C. Advisory policies are not mandated. Regulatory policies must be implemented.

  ---

  Advisory policies are security polices that are not mandated to be followed but are strongly suggested, perhaps with serious consequences defined for failure to follow them (such as termination, a job action warning, and so forth). A company

  with such policies wants most employees to consider these policies mandatory.

  Most policies fall under this broad category.

  Advisory policies can have many exclusions or application levels. Thus, these policies can control some employees more than others, according to their roles and responsibilities within that organization. For example, a policy that

  requires a certain procedure for transaction processing might allow for an alternative procedure under certain, specified conditions.

  Regulatory

  Regulatory policies are security policies that an organization must implement due to compliance, regulation, or other legal requirements. These companies might be financial institutions, public utilities, or some other type of organization that

  operates in the public interest. These policies are usually very detailed and are specific to the industry in which the organization operates.

  Regulatory polices commonly have two main purposes:

  1.

  To ensure that an organization is following the standard procedures or base practices of operation in its specific industry

  2.

  To give an organization the confidence that it is following the standard and accepted industry policy

  Informative

  Informative policies are policies that exist simply to inform the reader. There are no implied or specified requirements, and the audience for this information could be certain internal (within the organization) or external parties. This does not

  mean that the policies are authorized for public consumption but that they are general enough to be distributed to external parties (vendors accessing an extranet, for example) without a loss of confidentiality.

  References:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Page 12, Chapter 1: Security Management Practices.

  also see:

  The CISSP Prep Guide:Mastering the Ten Domains of Computer Security by Ronald L. Krutz, Russell Dean Vines, Edward M. Stroz

  also see:

  http://i-data-recovery.com/information-security/information-security-policies-standards- guidelines-and- procedures

• Question 643:

  In an organization, an Information Technology security function should:

  A. Be a function within the information systems function of an organization.
  B. Report directly to a specialized business unit such as legal, corporate security or insurance.
  C. Be lead by a Chief Security Officer and report directly to the CEO.
  D. Be independent but report to the Information Systems function.
  C. Be lead by a Chief Security Officer and report directly to the CEO.

  ---

  In order to offer more independence and get more attention from management, an IT security function should be independent from IT and report directly to the CEO. Having it report to a specialized business unit (e.g. legal) is not recommended as it promotes a low technology view of the function and leads people to believe that it is someone else's problem.

  Source: HARE, Chris, Security management Practices CISSP Open Study Guide, version 1.0, april 1999.

• Question 644:

  Which of the following is an advantage of a qualitative over a quantitative risk analysis?

  A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.
  B. It provides specific quantifiable measurements of the magnitude of the impacts.
  C. It makes a cost-benefit analysis of recommended controls easier.
  D. It can easily be automated.
  A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.

  ---

  The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. It does not provide specific quantifiable measurements of the magnitude of

  the impacts, therefore making a cost-analysis of any recommended controls difficult. Since it involves a consensus of export and some guesswork based on the experience of Subject Matter Experts (SME's), it can not be easily automated.

  Reference used for this question:

  STONEBURNER, Gary et al., NIST Special publication 800-30, Risk management Guide for Information Technology Systems, 2001 (page 23).

• Question 645:

  Which of the following does not address Database Management Systems (DBMS) Security?

  A. Perturbation
  B. Cell suppression
  C. Padded cells
  D. Partitioning
  C. Padded cells

  ---

  Padded cells complement Intrusion Detection Systems (IDSs) and are not related to DBMS security. Padded cells are simulated environments to which IDSs seamlessly transfer detected attackers and are designed to convince an attacker that the attack is going according to the plan. Cell suppression is a technique used against inference attacks by not revealing information in the case where a statistical query produces a very small result set. Perturbation also addresses inference attacks but involves making minor modifications to the results to a query. Partitioning involves splitting a database into two or more physical or logical parts; especially relevant for multilevel secure databases.

  Source: LaROSA, Jeanette (domain leader), Application and System Development Security CISSP Open Study Guide, version 3.0, January 2002.

• Question 646:

  Which of the following best describes remote journaling?

  A. Send hourly tapes containing transactions off-site.
  B. Send daily tapes containing transactions off-site.
  C. Real-time capture of transactions to multiple storage devices.
  D. Real time transmission of copies of the entries in the journal of transactions to an alternate site.
  D. Real time transmission of copies of the entries in the journal of transactions to an alternate site.

  ---

  Remote Journaling is a technology to facilitate sending copies of the journal of transaction entries from a production system to a secondary system in realtime. The remote nature of such a connection is predicated upon having local journaling already established. Local journaling on the production side allows each change that ensues for a journal-eligible object e.g., database physical file, SQL table, data area, data queue, byte stream file residing within the IFS) to be recorded and logged. It's these local images that flow to the remote system. Once there, the journal entries serve a variety of purposes, from feeding a high availability software replay program or data warehouse to offering an offline, realtime vault of the most recent database changes.

  Reference(s) used for this question:

  The Essential Guide to Remote Journaling by IBM

  and

  TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

  and

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 286).

• Question 647:

  In the context of access control, locks, gates, guards are examples of which of the following?

  A. Administrative controls
  B. Technical controls
  C. Physical controls
  D. Logical controls
  C. Physical controls

  ---

  Administrative, technical and physical controls are categories of access control mechanisms.

  Logical and Technical controls are synonymous. So both of them could be eliminated as possible choices.

  Physical Controls: These are controls to protect the organization's people and physical environment, such as locks, gates, and guards. Physical controls may be called "operational controls" in some contexts.

  Physical security covers a broad spectrum of controls to protect the physical assets (primarily the people) in an organization. Physical Controls are sometimes referred to as "operational" controls in some risk management frameworks. These

  controls range from doors, locks, and windows to environment controls, construction standards, and guards. Typically, physical security is based on the notion of establishing security zones or concentric areas within a facility that require

  increased security as you get closer to the valuable assets inside the facility. Security zones are the physical representation of the defense-in-depth principle discussed earlier in this chapter. Typically, security zones are associated with

  rooms, offices, floors, or smaller elements, such as a cabinet or storage locker. The design of the physical security controls within the facility must take into account the protection of the asset as well as the individuals working in that area.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1301-1303). Auerbach Publications. Kindle Edition.

  and

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1312-1318). Auerbach Publications. Kindle Edition.

• Question 648:

  Which of the following statements pertaining to access control is false?

  A. Users should only access data on a need-to-know basis.
  B. If access is not explicitly denied, it should be implicitly allowed.
  C. Access rights should be granted based on the level of trust a company has on a subject.
  D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks.
  B. If access is not explicitly denied, it should be implicitly allowed.

  ---

  Access control mechanisms should default to no access to provide the necessary level of security and ensure that no security holes go unnoticed. If access is not explicitly allowed, it should be implicitly denied. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter

  4: Access Control (page 143).

• Question 649:

  Which of the following is defined as an Internet, IPsec, key-establishment protocol, partly based on OAKLEY, that is intended for putting in place authenticated keying material for use with ISAKMP and for other security associations?

  A. Internet Key exchange (IKE)
  B. Security Association Authentication Protocol (SAAP)
  C. Simple Key-management for Internet Protocols (SKIP)
  D. Key Exchange Algorithm (KEA)
  A. Internet Key exchange (IKE)

  ---

  RFC 2828 (Internet Security Glossary) defines IKE as an Internet, IPsec, key-establishment protocol (partly based on OAKLEY) that is intended for putting in place authenticated keying material for use with ISAKMP and for other security associations, such as in AH and ESP.

  The following are incorrect answers:

  SKIP is a key distribution protocol that uses hybrid encryption to convey session keys that are used to encrypt data in IP packets.

  The Key Exchange Algorithm (KEA) is defined as a key agreement algorithm that is similar to the Diffie- Hellman algorithm, uses 1024-bit asymmetric keys, and was developed and formerly classified at the secret level by the NSA.

  Security Association Authentication Protocol (SAAP) is a distracter.

  Reference(s) used for this question:

  SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

• Question 650:

  Controls to keep password sniffing attacks from compromising computer systems include which of the following?

  A. static and recurring passwords.
  B. encryption and recurring passwords.
  C. one-time passwords and encryption.
  D. static and one-time passwords.
  C. one-time passwords and encryption.

  ---

  To minimize the chance of passwords being captured one-time passwords would prevent a password sniffing attack because once used it is no longer valid. Encryption will also minimize these types of attacks.

  The following answers are correct:

  static and recurring passwords. This is incorrect because if there is no encryption then someone password sniffing would be able to capture the password much easier if it never changed.

  encryption and recurring passwords. This is incorrect because while encryption helps, recurring passwords do nothing to minimize the risk of passwords being captured.

  static and one-time passwords. This is incorrect because while one-time passwords will prevent these types of attacks, static passwords do nothing to minimize the risk of passwords being captured.