ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 761:

  Of the following, which is NOT a specific loss criteria that should be considered while developing a BIA?

  A. Loss of skilled workers knowledge
  B. Loss in revenue
  C. Loss in profits
  D. Loss in reputation
  A. Loss of skilled workers knowledge

  ---

  Although a loss of skilled workers knowledge would cause the company a great loss, it is not identified as a specific loss criteria. It would fall under one of the three other criteria listed as distracters. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter

  9: Disaster Recovery and Business continuity (page 598).

• Question 762:

  What is called the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources?

  A. Micrometrics
  B. Macrometrics
  C. Biometrics
  D. MicroBiometrics
  C. Biometrics

  ---

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 35.

• Question 763:

  The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers does NOT have which of the following characteristics?

  A. Standard model for network communications
  B. Used to gain information from network devices such as count of packets received and routing tables
  C. Enables dissimilar networks to communicate
  D. Defines 7 protocol layers (a.k.a. protocol stack)
  B. Used to gain information from network devices such as count of packets received and routing tables

  ---

  The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers and Characteristics Standard model for network communications enables dissimilar networks to communicate, Defines 7 protocol layers (a.k.a.

  protocol stack) Each layer on one workstation communicates with its respective layer on another workstation using protocols (i.e. agreed-upon communication formats) "Mapping" each protocol to the model is useful for comparing protocols.

  Mnemonics: Please Do Not Throw Sausage Pizza Away (bottom to top layer)

  All People Seem To Need Data Processing (top to bottom layer).

  Source: STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study Group (Domain Leader: skottikus), Page 12.

• Question 764:

  Which of the following control pairing places emphasis on "soft" mechanisms that support the access control objectives?

  A. Preventive/Technical Pairing
  B. Preventive/Administrative Pairing
  C. Preventive/Physical Pairing
  D. Detective/Administrative Pairing
  B. Preventive/Administrative Pairing

  ---

  Soft Control is another way of referring to Administrative control.

  Technical and Physical controls are NOT soft control, so any choice listing them was not the best answer.

  Preventative/Technical is incorrect because although access control can be technical control, it is commonly not referred to as a "soft" control

  Preventative/Administrative is correct because access controls are preventative in nature. it is always best to prevent a negative event, however there are times where controls might fail and you cannot prevent everything. Administrative

  controls are roles, responsibilities, policies, etc which are usually paper based. In the administrative category you would find audit, monitoring, and security awareness as well.

  Preventative/Physical pairing is incorrect because Access controls with an emphasis on "soft" mechanisms conflict with the basic concept of physical controls, physical controls are usually tangible objects such as fences, gates, door locks,

  sensors, etc...

  Detective/Administrative Pairing is incorrect because access control is a preventative control used to control access, not to detect violations to access.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 34.

• Question 765:

  What is the main objective of proper separation of duties?

  A. To prevent employees from disclosing sensitive information.
  B. To ensure access controls are in place.
  C. To ensure that no single individual can compromise a system.
  D. To ensure that audit trails are not tampered with.
  C. To ensure that no single individual can compromise a system.

  ---

  The primary objective of proper separation of duties is to ensure that one person acting alone cannot compromise the company's security in any way. A proper separation of duties does not prevent employees from disclosing information, nor does it ensure that access controls are in place or that audit trails are not tampered with.

  Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter

  12: Operations Security (Page 808).

• Question 766:

  Which of the following best defines source routing?

  A. The packets hold the forwarding information so they don't need to let bridges and routers decide what is the best route or way to get to the destination.
  B. The packets hold source information in a fashion that source address cannot be forged.
  C. The packets are encapsulated to conceal source information.
  D. The packets hold information about redundant paths in order to provide a higher reliability.
  A. The packets hold the forwarding information so they don't need to let bridges and routers decide what is the best route or way to get to the destination.

  ---

  With source routing, the packets hold the forwarding information so that they can find their way to the destination themselves without bridges and routers dictating their paths. In computer networking, source routing allows a sender of a packet

  to specify the route the packet takes through the network. With source routing the entire path to the destination is known to the sender and is included when sending data. Source routing differs from most other routing in that the source makes

  most or all of the routing decisions for each router along the way.

  Source:

  WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#2 Telecommunications and Network Security (page 5)

  Wikipedia at http://en.wikipedia.org/wiki/Dynamic_Source_Routing

• Question 767:

  Which of the following would be the MOST serious risk where a systems development life cycle methodology is inadequate?

  A. The project will be completed late.
  B. The project will exceed the cost estimates.
  C. The project will be incompatible with existing systems.
  D. The project will fail to meet business and user needs.
  D. The project will fail to meet business and user needs.

  ---

  This is the most serious risk of inadequate systems development life cycle methodolgy.

  The following answers are incorrect because :

  The project will be completed late is incorrect as it is not most devastating as the above answer.

  The project will exceed the cost estimates is also incorrect when compared to the above correct answer.

  The project will be incompatible with existing systems is also incorrect when compared to the above correct answer.

  Reference: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 290).

• Question 768:

  Which of the following statements is most accurate regarding a digital signature?

  A. It is a method used to encrypt confidential data.
  B. It is the art of transferring handwritten signature to electronic media.
  C. It allows the recipient of data to prove the source and integrity of data.
  D. It can be used as a signature system and a cryptosystem.
  C. It allows the recipient of data to prove the source and integrity of data.

  ---

  Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

• Question 769:

  Which access control model achieves data integrity through well-formed transactions and separation of duties?

  A. Clark-Wilson model
  B. Biba model
  C. Non-interference model
  D. Sutherland model
  A. Clark-Wilson model

  ---

  The Clark-Wilson model differs from other models that are subject- and object- oriented by introducing a third access element programs resulting in what is called an access triple, which prevents unauthorized users from modifying data or

  programs. The Biba model uses objects and subjects and addresses integrity based on a hierarchical lattice of integrity levels. The non- interference model is related to the information flow model with restrictions on the information flow. The

  Sutherland model approaches integrity by focusing on the problem of inference.

  Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 12).

  And: KRAUSE, Micki and TIPTON, Harold F., Handbook of Information Security Management, CRC Press, 1997, Domain 1: Access Control.

• Question 770:

  At what stage of the applications development process should the security department become involved?

  A. Prior to the implementation
  B. Prior to systems testing
  C. During unit testing
  D. During requirements development
  D. During requirements development

  ---

  Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.