[Q81-Q97] ISC CSSLP Practice Verified Answers - Pass Your Exams For Sure! [2024]

Q81. Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency, or state of affairs?

Disaster recovery plan

Business continuity plan

Continuity of Operations Plan

Contingency plan

Q82. You work as a CSO (Chief Security Officer) for Tech Perfect Inc. You want to perform the following tasks: Develop a risk-driven enterprise information security architecture. Deliver security infrastructure solutions that support critical business initiatives. Which of the following methods will you use to accomplish these tasks?

Service-oriented modeling and architecture

Service-oriented modeling framework

Sherwood Applied Business Security Architecture

Service-oriented architecture

Q83. John works as a security manager for SoftTech Inc. He is working with his team on the disaster recovery management plan. One of his team members has a doubt related to the most cost effective DRP testing plan. According to you, which of the following disaster recovery testing plans is the most cost-effective and efficient way to identify areas of overlap in the plan before conducting more demanding training exercises?

Full-scale exercise

Walk-through drill

Structured walk-through test

Evacuation drill

Q84. NIST SP 800-53A defines three types of interview depending on the level of assessment conducted. Which of the following NIST SP 800-53A interviews consists of informal and ad hoc interviews?

Comprehensive

Significant

Abbreviated

Substantial

Q85. Which of the following provides an easy way to programmers for writing lower-risk applications and retrofitting security into an existing application?

Watermarking

Code obfuscation

Encryption wrapper

ESAPI

Q86. Which of the following US Acts emphasized a “risk-based policy for cost-effective security” and makes mandatory for agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to Office of Management and Budget?

Federal Information Security Management Act of 2002 (FISMA)

The Electronic Communications Privacy Act of 1986 (ECPA)

The Equal Credit Opportunity Act (ECOA)

The Fair Credit Reporting Act (FCRA)

Explanation/Reference:
The Federal Information Security Management Act of 2002 (“FISMA”, 44 U.S.C. 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L.
107-347, 116 Stat. 2899). The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a “risk-based policy for cost-effective security”.
FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to Office of Management and Budget (OMB).
OMB uses this data to assist in its oversight responsibilities and to prepare this annual report to Congress on agency compliance with the act. Answer C is incorrect. The Equal Credit Opportunity Act (ECOA) is a United States law (codified at 15 U S C 1691 et seq), enacted in 1974, that makes it unlawful for any creditor to discriminate against any applicant, with respect to any aspect of a credit transaction, on the basis of race, color, religion, national origin, sex, marital status, or age; to the fact that all or part of the applicant’s income derives from a public assistance program; or to the fact that the applicant has in good faith exercised any right under the Consumer Credit Protection Act. The law applies to any person who, in the ordinary course of business, regularly participates in a credit decision, including banks, retailers, bankcard companies, finance companies, and credit unions. Answer B is incorrect. The Electronic Communications Privacy Act of 1986 (ECPA Pub. L 99-508, Oct 21, 1986,
100 Stat. 1848, 18 U.S.C. 2510) was enacted by the United States Congress to extend government restrictions on wire taps from telephone calls to include transmissions of electronic data by computer.
Specifically, ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of
1968 (the Wiretap Statute), which was primarily designed to prevent unauthorized government access to private electronic communications. The ECPA also added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act,18 U.S.C. 2701-2712. AnswerD is incorrect. The Fair Credit Reporting Act (FCRA) is an American federal law (codified at 15 U.S.C. 1681 et seq.) that regulates the collection, dissemination, and use of consumer information, including consumer credit information. Along with the Fair Debt Collection Practices Act (FDCPA), it forms the base of consumer credit rights in the United States. It was originally passed in 1970, and is enforced by the US Federal Trade Commission.

Q87. DRAG DROP
RCA (root cause analysis) is an iterative and reactive method that identifies the root cause of various incidents, and the actions required to prevent these incidents from reoccurring. RCA is classified in various categories. Choose appropriate categories and drop them in front of their respective functions.
Select and Place:

Q88. You work as a project manager for a company. The company has started a new security software project.
The software configuration management will be used throughout the lifecycle of the project. You are tasked to modify the functional features and the basic logic of the software and then make them compatible to the initial design of the project. Which of the following procedures of the configuration management will you follow to accomplish the task?

Configuration status accounting

Configuration control

Configuration audits

Configuration identification

Q89. Joseph works as a Software Developer for WebTech Inc. He wants to protect the algorithms and the techniques of programming that he uses in developing an application. Which of the following laws are used to protect a part of software?

Code Security law

Patent laws

Trademark laws

Copyright laws

Q90. At which of the following levels of robustness in DRM must the security functions be immune to widely available tools and specialized tools and resistant to professional tools?

Level 2

Level 4

Level 1

Level 3

Q91. Which of the following scanning techniques helps to ensure that the standard software configuration is currently with the latest security patches and software, and helps to locate uncontrolled or unauthorized software?

Port Scanning

Discovery Scanning

Server Scanning

Workstation Scanning

Q92. The Phase 1 of DITSCAP C&A is known as Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.

Negotiation

Registration

Document mission need

Initial Certification Analysis

Q93. Which of the following refers to a process that is used for implementing information security?

Classic information security model

Five Pillars model

Certification and Accreditation (C&A)

Information Assurance (IA)

Explanation/Reference:
Explanation: Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. The C&A process is used extensively in the U.S. Federal Government.
Some C&A processes include FISMA, NIACAP, DIACAP, and DCID 6/3. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. AnswerD is incorrect. Information Assurance (IA) is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. While focused dominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form. Information assurance as a field has grown from the practice of information security, which in turn grew out of practices and procedures of computer security.
AnswerA is incorrect. The classic information security model is used in the practice of Information
Assurance (IA) to define assurance requirements. The classic information security model, also called the CIA Triad, addresses three attributes of information and information systems, confidentiality, integrity, and availability. This C-I-A model is extremely useful for teaching introductory and basic concepts of information security and assurance; the initials are an easy mnemonic to remember, and when properly understood, can prompt systems designers and users to address the most pressing aspects of assurance.
AnswerB is incorrect. The Five Pillars model is used in the practice of Information Assurance (IA) to
define assurance requirements. It was promulgated by the U.S. Department of Defense (DoD) in a variety of publications, beginning with the National Information Assurance Glossary, Committee on National Security Systems Instruction CNSSI-4009. Here is the definition from that publication: “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” The Five Pillars model is sometimes criticized because authentication and non-repudiation are not attributes of information or systems; rather, they are procedures or methods useful to assure the integrity and authenticity of information, and to protect the confidentiality of the same.

Q94. In which of the following cryptographic attacking techniques does an attacker obtain encrypted messages that have been encrypted using the same encryption algorithm?

Chosen plaintext attack

Chosen ciphertext attack

Ciphertext only attack

Known plaintext attack

Q95. What are the differences between managed and unmanaged code technologies? Each correct answer represents a complete solution. Choose two.

Managed code is referred to as Hex code, whereas unmanaged code is referred to as byte code.

C and C++ are the examples of managed code, whereas Java EE and Microsoft.NET are the examples of unmanaged code.

Managed code executes under management of a runtime environment, whereas unmanaged code is executed by the CPU of a computer system.

Managed code is compiled into an intermediate code format, whereas unmanaged code is compiled into machine code.

Q96. Which of the following characteristics are described by the DIAP Information Readiness Assessment function? Each correct answer represents a complete solution. Choose all that apply.

It provides for entry and storage of individual system data.

It performs vulnerability/threat analysis assessment.

It provides data needed to accurately assess IA readiness.

It identifies and generates IA requirements.

Q97. Which of the following fields of management focuses on establishing and maintaining consistency of a system’s or product’s performance and its functional and physical attributes with its requirements, design, and operational information throughout its life?

Configuration management

Risk management

Change management

Procurement management

[Q81-Q97] ISC CSSLP Practice Verified Answers – Pass Your Exams For Sure! [2024]

Leave a Reply Cancel reply