SSCP Online Practice Questions and Answers

Questions 4

Which access control model was proposed for enforcing access control in government and military applications?

A. Bell-LaPadula model

B. Biba model

C. Sutherland model

D. Brewer-Nash model

Correct Answer: A

The Bell-LaPadula model, mostly concerned with confidentiality, was proposed for enforcing access control in government and military applications. It supports mandatory access control by determining the access rights from the security levels associated with subjects and objects. It also supports discretionary access control by checking access rights from an access matrix. The Biba model, introduced in 1977, the Sutherland model, published in 1986, and the Brewer-Nash model, published in 1989, are concerned with integrity.

Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 11).

Questions 5

Why should batch files and scripts be stored in a protected area?

A. Because of the least privilege concept.

B. Because they cannot be accessed by operators.

C. Because they may contain credentials.

D. Because of the need-to-know concept.

Correct Answer: C

Because scripts may contain credentials, they must be stored in a protected area, and the transmission of the scripts must be handled carefully. Operators might legitimately need access to batch files and scripts. The least privilege concept requires that each subject in a system be granted the most restrictive set of privileges needed for the performance of authorized tasks. The need-to-know principle requires that a user have a necessity for access to, knowledge of, or possession of specific information in order to perform official tasks or services.

Source: WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#1 Access Control System and Methodology (page 3)

Questions 6

Preservation of confidentiality within information systems requires that the information is not disclosed to:

A. Authorized person

B. Unauthorized persons or processes.

C. Unauthorized persons.

D. Authorized persons and processes

Correct Answer: B

Confidentiality assures that the information is not disclosed to unauthorized persons or processes.

Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 31.

Questions 7

Which of the following would provide the BEST stress testing environment while taking into account and avoiding possible exposure and leaks of sensitive data?

A. Test environment using test data.

B. Test environment using sanitized live workloads data.

C. Production environment using test data.

D. Production environment using sanitized live workloads data.

Correct Answer: B

The best way to properly verify an application or system during a stress test is to expose it to "live" data that has been sanitized to avoid exposing any sensitive information or Personally Identifiable Information (PII) while in a testing environment. Fabricated test data may not be as varied, complex or computationally demanding as "live" data. A production environment should never be used to test a product, as a production environment is one where the application or system is being put to commercial or operational use. It is a best practice to perform testing in a non-production environment.

Stress testing is carried out to ensure a system can cope with production workloads, but as it may be tested to destruction, a test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a production environment. If only test data is used, there is no certainty that the system was adequately stress tested.

Incorrect answers:

Test environment using test data. This is incorrect because live data is typically more useful during stress testing.

Production environment using test data. This is incorrect because the production environment should not be used for testing.

Production environment using sanitized live workloads data. This is incorrect because the production environment should not be used for testing.

Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 299).

And:

KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 251.

Questions 8

Which one of the following represents an ALE calculation?

A. single loss expectancy x annualized rate of occurrence.

B. gross loss expectancy x loss frequency.

C. actual replacement cost - proceeds of salvage.

D. asset value x loss expectancy.

Correct Answer: A

Single Loss Expectancy (SLE) is the dollar amount that would be lost if a single loss of an asset occurred. Annualized Rate of Occurrence (ARO) is the estimated probability of a threat to an asset materializing in one year (for example, if there is a chance of a flood occurring once in 10 years the ARO would be 0.1, and if there is a chance of a flood occurring once in 100 years the ARO would be 0.01). The Annualized Loss Expectancy (ALE) is therefore SLE x ARO.

The following answers are incorrect:

gross loss expectancy x loss frequency. Is incorrect because this is a distractor.

actual replacement cost - proceeds of salvage. Is incorrect because this is a distractor.

asset value x loss expectancy. Is incorrect because this is a distractor.

Questions 9

Which of the following is the most important consideration in locating an alternate computing facility during the development of a disaster recovery plan?

A. It is unlikely to be affected by the same disaster.

B. It is close enough to become operational quickly.

C. It is close enough to serve its users.

D. It is convenient to airports and hotels.

Correct Answer: A

You do not want the alternate or recovery site located in close proximity to the original site, because the same event that created the situation in the first place might very well impact that site also.

From NIST: "The fixed site should be in a geographic area that is unlikely to be negatively affected by the same disaster event (e.g., weather-related impacts or power grid failure) as the organization's primary site."

The following answers are incorrect:

It is close enough to become operational quickly. Is incorrect because it is not the best answer. You'd want the alternate site to be close, but if it is too close the same event could impact that site as well.

It is close enough to serve its users. Is incorrect because it is not the best answer. You'd want the alternate site to be close to users if applicable, but if it is too close the same event could impact that site as well.

It is convenient to airports and hotels. Is incorrect because it is not the best answer; it is more important that the same event does not impact the alternate site than convenience.

References:

OIG CBK Business Continuity and Disaster Recovery Planning (pages 368 - 369)

NIST SP 800-34, page 21

Questions 10

Organizations should not view disaster recovery as which of the following?

A. Committed expense.

B. Discretionary expense.

C. Enforcement of legal statutes.

D. Compliance with regulations.

Correct Answer: B

Disaster Recovery should never be considered a discretionary expense. It is far too important a task. In order to maintain the continuity of the business, Disaster Recovery should be a commitment of and by the organization.

A discretionary fixed cost has a short future planning horizon--under a year. These types of costs arise from annual decisions of management to spend in specific fixed cost areas, such as marketing and research. DR would be an ongoing long-term commitment, not a short-term effort only.

A committed fixed cost has a long future planning horizon--more than one year. These types of costs relate to a company's investment in assets such as facilities and equipment. Once such costs have been incurred, the company is required to make future payments.

The following answers are incorrect:

committed expense. Is incorrect because Disaster Recovery should be a committed expense.

enforcement of legal statutes. Is incorrect because Disaster Recovery can include enforcement of legal statutes. Many organizations have legal requirements toward Disaster Recovery.

compliance with regulations. Is incorrect because Disaster Recovery often means compliance with regulations. Many financial institutions have regulations requiring Disaster Recovery Plans and Procedures.

Questions 11

Business Continuity Planning (BCP) is not defined as a preparation that facilitates:

A. the rapid recovery of mission-critical business operations

B. the continuation of critical business functions

C. the monitoring of threat activity for adjustment of technical controls

D. the reduction of the impact of a disaster

Correct Answer: C

Although important, the monitoring of threat activity for adjustment of technical controls is not facilitated by Business Continuity Planning.

The following answers are incorrect:

All of the other choices are facilitated by a BCP: the continuation of critical business functions, the rapid recovery of mission-critical business operations, and the reduction of the impact of a disaster.

Questions 12

Which of the following identifies the encryption algorithm selected by NIST for the new Advanced Encryption Standard?

A. Twofish

B. Serpent

C. RC6

D. Rijndael

Correct Answer: D

The Answer: Rijndael. Rijndael is the approved method of encrypting sensitive but unclassified information for the U.S. government. It has also been accepted by, and is widely used in, the public arena. It has low memory requirements and has been constructed to easily defend against timing attacks.

The following answers are incorrect:

Twofish. Twofish was among the final candidates chosen for AES, but was not selected.

Serpent. Serpent was among the final candidates chosen for AES, but was not selected.

RC6. RC6 was among the final candidates chosen for AES, but was not selected.

The following references were used to create this question:

ISC2 OIG, 2007 p. 622, 629-630

Shon Harris AIO, v.3 p 247-250

Questions 13

Which of the following is NOT a characteristic or shortcoming of packet filtering gateways?

A. The source and destination addresses, protocols, and ports contained in the IP packet header are the only information that is available to the router in making a decision whether or not to permit traffic access to an internal network.

B. They don't protect against IP or DNS address spoofing.

C. They do not support strong user authentication.

D. They are appropriate for medium-risk environments.

Correct Answer: D

Packet filtering firewalls use routers with packet filtering rules to grant or deny access based on source address, destination address, and port.

They offer minimum security but at a very low cost, and can be an appropriate choice for a low-risk environment.

Source: TIPTON, Harold F. and KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 3, Secured Connections to External Networks (page 60).

Exam Code: SSCP
Exam Name: System Security Certified Practitioner (SSCP)
Last Update: May 27, 2026
Questions: 1074