[Mar-2022] Dumps Brief Outline Of The CSSLP Exam - Exams4sures [Q14-Q38]

NEW QUESTION 14
Which of the following phases of DITSCAP includes the activities that are necessary for the continuing operation of an accredited IT system in its computing environment and for addressing the changing threats that a system faces throughout its life cycle?

Phase 2, Verification

Phase 3, Validation

Phase 1, Definition

Phase 4, Post Accreditation Phase

NEW QUESTION 15
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well designed policy? Each correct answer represents a part of the solution. Choose all that apply.

What is being secured?

Where is the vulnerability, threat, or risk?

Who is expected to exploit the vulnerability?

Who is expected to comply with the policy?

NEW QUESTION 16
DRAG DROP
Drag and drop the correct DoD Policy Series at their appropriate places.
Select and Place:

NEW QUESTION 17
Which of the following cryptographic system services ensures that information will not be disclosed to any unauthorized person on a local network?

Authentication

Integrity

Non-repudiation

Confidentiality

NEW QUESTION 18
Which of the following allows multiple operating systems (guests) to run concurrently on a host computer?

Emulator

Hypervisor

Grid computing

CP/CMS

NEW QUESTION 19
Which of the following elements of the BCP process emphasizes on creating the scope and the additional elements required to define the parameters of the plan?

Business continuity plan development

Plan approval and implementation

Business impact analysis

Scope and plan initiation

NEW QUESTION 20
Which of the following is an example of penetration testing?

Implementing NIDS on a network

Implementing HIDS on a computer

Simulating an actual attack on a network

Configuring firewall to block unauthorized traffic

NEW QUESTION 21
Which of the following phases of the DITSCAP C&A process is used to define the C&A level of effort, to identify the main C&A roles and responsibilities, and to create an agreement on the method for implementing the security requirements?

Phase 1

Phase 4

Phase 2

Phase 3

NEW QUESTION 22
In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system?

Full operational test

Penetration test

Paper test

Walk-through test

A penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit. Answer C is incorrect. A paper test is the least complex test in the disaster recovery and business continuity testing approaches. In this test, the BCP/DRP plan documents are distributed to the appropriate managers and BCP/DRP team members for review, markup, and comment. This approach helps the auditor to ensure that the plan is complete and that all team members are familiar with their responsibilities within the plan. Answer D is incorrect. A walk-through test is an extension of the paper testing in the business continuity and disaster recovery process. In this testing methodology, appropriate managers and BCP/DRP team members discuss and walk through procedures of the plan. They also discuss the training needs, and clarification of critical plan elements. Answer A is incorrect. A full operational test includes all team members and participants in the disaster recovery and business continuity process. This full operation test involves the mobilization of personnel. It restores operations in the same manner as an outage or disaster would. The full operational test extends the preparedness test by including actual notification, mobilization of resources, processing of data, and utilization of backup media for restoration.

NEW QUESTION 23
Which of the following are examples of the application programming interface (API)? Each correct answer represents a complete solution. Choose three.

HTML

PHP

.NET

Perl

NEW QUESTION 24
Which of the following coding practices are helpful in simplifying code? Each correct answer represents a complete solution. Choose all that apply.

Programmers should use multiple small and simple functions rather than a single complex function.

Software should avoid ambiguities and hidden assumptions, recursions, and GoTo statements.

Programmers should implement high-consequence functions in minimum required lines of code and follow proper coding standards.

Processes should have multiple entry and exit points.

NEW QUESTION 25
You work as a Security Manager for Tech Perfect Inc. You find that some applications have failed to encrypt network traffic while ensuring secure communications in the organization. Which of the following will you use to resolve the issue?

SCP

TLS

IPSec

HTTPS

Explanation/Reference:
Explanation: In order to resolve the issue, you should use TLS (Transport Layer Security). Transport Layer Security (TLS) is a cryptographic protocol that provides security and data integrity for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end. Several versions of the protocols are in wide-spread use in applications like web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP). The TLS protocol, an application layer protocol, allows client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. AnswerC is incorrect. Internet Protocol Security (IPSec) is a method of securing data. It secures traffic by using encryption and digital signing. It enhances the security of data as if an IPSec packet is captured, its contents cannot be read. IPSec also provides sender verification that ensures the certainty of the datagram’s origin to the receiver. Answer D is incorrect. Hypertext Transfer Protocol Secure (HTTPS) protocol is a protocol used in the Universal Resource Locater (URL) address line to connect to a secure site. If a site has been made secure by using the Secure Sockets Layer (SSL) then HTTPS, instead of HTTP protocol, should be used as a protocol type in the URL. Answer: A is incorrect. The SCP (secure copy) protocol is a network protocol that supports file transfers. The SCP protocol, which runs on port 22, is based on the BSD RCP protocol which is tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication. SCP might not even be considered a protocol itself, but merely a combination of RCP and SSH. The RCP protocol performs the file transfer and the SSH protocol performs authentication and encryption. SCP protects the authenticity and confidentiality of the data in transit. It hinders the ability for packet sniffers to extract usable information from the data packets.

NEW QUESTION 26
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. In order to do so, he performs the following steps of the pre-attack phase successfully: Information gathering Determination of network range Identification of active systems Location of open ports and applications Now, which of the following tasks should he perform next?

Perform OS fingerprinting on the We-are-secure network.

Map the network of We-are-secure Inc.

Install a backdoor to log in remotely on the We-are-secure server.

Fingerprint the services running on the we-are-secure network.

NEW QUESTION 27
You are the project manager for GHY Project and are working to create a risk response for a negative risk.
You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you’re creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance?

Transference

Exploiting

Avoidance

Sharing

NEW QUESTION 28
An organization monitors the hard disks of its employees’ computers from time to time. Which policy does this pertain to?

Backup policy

User password policy

Privacy policy

Network security policy

NEW QUESTION 29
Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system?

Information Systems Security Officer (ISSO)

Designated Approving Authority (DAA)

System Owner

Chief Information Security Officer (CISO)

NEW QUESTION 30
Which of the following access control models are used in the commercial sector? Each correct answer represents a complete solution. Choose two.

Biba model

Clark-Biba model

Clark-Wilson model

Bell-LaPadula model

NEW QUESTION 31
Which of the following are examples of passive attacks? Each correct answer represents a complete solution. Choose all that apply.

Dumpster diving

Placing a backdoor

Eavesdropping

Shoulder surfing

NEW QUESTION 32
SIMULATION
Fill in the blank with an appropriate phrase. A is defined as any activity that has an effect on defining, designing, building, or executing a task, requirement, or procedure.

NEW QUESTION 33
Which of the following steps of the LeGrand Vulnerability-Oriented Risk Management method determines the necessary compliance offered by risk management practices and assessment of risk levels?

Assessment, monitoring, and assurance

Vulnerability management

Risk assessment

Adherence to security standards and policies for development and deployment

NEW QUESTION 34
Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply.

Right-Up Approach

Left-Up Approach

Top-Down Approach

Bottom-Up Approach

NEW QUESTION 35
Which of the following rated systems of the Orange book has mandatory protection of the TCB?

A-rated

B-rated

D-rated

C-rated

NEW QUESTION 36
Joseph works as a Software Developer for WebTech Inc. He wants to protect the algorithms and the techniques of programming that he uses in developing an application. Which of the following laws are used to protect a part of software?

Code Security law

Patent laws

Trademark laws

Copyright laws

NEW QUESTION 37
Bill is the project manager of the JKH Project. He and the project team have identified a risk event in the project with a high probability of occurrence and the risk event has a high cost impact on the project. Bill discusses the risk event with Virginia, the primary project customer, and she decides that the requirements surrounding the risk event should be removed from the project. The removal of the requirements does affect the project scope, but it can release the project from the high risk exposure. What risk response has been enacted in this project?

Mitigation

Transference

Acceptance

Avoidance

Explanation:
This is an example of the avoidance risk response. Because the project plan has been changed to avoid the risk event, so it is considered the avoidance risk response. Risk avoidance is a technique used for threats. It creates changes to the project management plan that are meant to either eliminate the risk completely or to protect the project objectives from its impact.
Risk avoidance removes the risk event entirely either by adding additional steps to avoid the event or reducing the project scope requirements. It may seem the answer to all possible risks, but avoiding risks also means losing out on the potential gains that accepting (retaining) the risk might have allowed.

NEW QUESTION 38
Digital rights management (DRM) consists of compliance and robustness rules. Which of the following features does the robustness rule have? Each correct answer represents a complete solution. Choose three.

It specifies the various levels of robustness that are needed for asset security.

It specifies minimum techniques for asset security.

It specifies the behaviors of the DRM implementation and applications accessing the implementation.

It contains assets, such as device key, content key, algorithm, and profiling data.