2025 Best CSSLP Exam Preparation Material with New Dumps Questions [Q160-Q177]



ISC2 CSSLP Exam Syllabus Topics:


Secure Software Concepts - 10%

Core Concepts
- Confidentiality (e.g., covert, overt, encryption)
- Integrity (e.g., hashing, digital signatures, code signing, reliability, modifications, authenticity)
- Availability (e.g., redundancy, replication, clustering, scalability, resiliency)
- Authentication (e.g., multifactor authentication (MFA), identity & access management (IAM), single sign-on (SSO), federated identity)
- Authorization (e.g., access controls, permissions, entitlements)
- Accountability (e.g., auditing, logging)
- Nonrepudiation (e.g., digital signatures, block chain)
Security Design Principles
- Least privilege (e.g., access control, need-to-know, run-time privileges)
- Separation of duties (e.g., multi-party control, secret sharing and split knowledge)
- Defense in depth (e.g., layered controls, input validation, security zones)
- Resiliency (e.g., fail safe, fail secure, no Single Point of Failure (SPOF))
- Economy of mechanism (e.g., Single Sign-On (SSO), password vaults, resource)
- Complete mediation (e.g., cookie management, session management, caching of credentials)
- Open design (e.g., Kerckhoffs's principle)
- Least common mechanism (e.g., compartmentalization/isolation, white-listing)
- Psychological acceptability (e.g., password complexity, screen layouts, Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), biometrics)
- Component reuse (e.g., common controls, libraries)
- Diversity of defense (e.g., geographical diversity, technical diversity, distributed systems)

Secure Software Requirements - 14%

Define Software Security Requirements
- Functional (e.g., business requirements, use cases, stories)
- Non-functional (e.g., operational, deployment, systemic qualities)
Identify and Analyze Compliance Requirements
Identify and Analyze Data Classification Requirements
- Data ownership (e.g., data owner, data custodian)
- Labeling (e.g., sensitivity, impact)
- Types of data (e.g., structured, unstructured data)
- Data life-cycle (e.g., generation, retention, disposal)
Identify and Analyze Privacy Requirements
- Data anonymization
- User consent
- Disposition (e.g., right to be forgotten)
- Data retention
- Cross borders (e.g., data residency, jurisdiction, multi-national data processing boundaries)
Develop Misuse and Abuse Cases
Develop Security Requirement Traceability Matrix (STRM)
Ensure Security Requirements Flow Down to Suppliers/Providers

Secure Software Architecture and Design - 14%

Perform Threat Modeling
- Understand common threats (e.g., Advanced Persistent Threat (APT), insider threat, common malware, third-party/supplier)
- Attack surface evaluation
- Threat intelligence (e.g., Identify credible relevant threats)
Define the Security Architecture
- Security control identification and prioritization
- Distributed computing (e.g., client server, peer-to-peer (P2P), message queuing)
- Service-oriented architecture (SOA) (e.g., Enterprise Service Bus (ESB), web services)
- Rich internet applications (e.g., client-side exploits or threats, remote code execution, constant connectivity)
- Pervasive/ubiquitous computing (e.g., Internet of Things (IoT), wireless, location-based, Radio-Frequency Identification (RFID), near field communication, sensor networks)
- Embedded (e.g., secure update, Field-Programmable Gate Array (FPGA) security features, microcontroller security)
- Cloud architectures (e.g., Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS))
- Mobile applications (e.g., implicit data collection privacy)
- Hardware platform concerns (e.g., side-channel mitigation, speculative execution mitigation, embedded Hardware Security Modules (HSM))
- Cognitive computing (e.g., Machine Learning (ML), Artificial Intelligence (AI))
- Control systems (e.g., industrial, medical, facility-related, automotive)
Performing Secure Interface Design
- Security management interfaces, Out-of-Band (OOB) management, log interfaces
- Upstream/downstream dependencies (e.g., key and data sharing between apps)
- Protocol design choices (e.g., Application Programming Interface (APIs), weaknesses, state, models)
Performing Architectural Risk Assessment
Model (Non-Functional) Security Properties and Constraints
Model and Classify Data
Evaluate and Select Reusable Secure Design
- Credential management (e.g., X.509 and Single Sign-On (SSO))
- Flow control (e.g., proxies, firewalls, protocols, queuing)
- Data loss prevention (DLP)
- Virtualization (e.g., software defined infrastructure, hypervisor, containers)
- Trusted computing (e.g., Trusted Platform Module (TPM), Trusted Computing Base (TCB))
- Database security (e.g., encryption, triggers, views, privilege management)
- Programming language environment (e.g., Common Language Runtime (CLR), Java Virtual Machine (JVM))
- Operating System (OS) controls and services
- Secure backup and restoration planning
- Secure data retention, retrieval, and destruction
Perform Security Architecture and Design Review
Define Secure Operational Architecture (e.g., deployment topology, operational interfaces)
Use Secure Architecture and Design Principles, Patterns, and Tools

Secure Software Implementation - 14%

Adhere to Relevant Secure Coding Practices (e.g., standards, guidelines and regulations)
- Declarative versus imperative (programmatic) security
- Concurrency (e.g., thread safety, database concurrency controls)
- Output sanitization (e.g., encoding, obfuscation)
- Error and exception handling
- Input validation
- Secure logging & auditing
- Session management
- Trusted/Untrusted Application Programming Interface (APIs), and libraries
- Type safety
- Resource management (e.g., compute, storage, network, memory management)
- Secure configuration management (e.g., parameter, default options, credentials)
- Tokenizing
- Isolation (e.g., sandboxing, virtualization, containers, Separation Kernel Protection Profiles (SKPP))
- Cryptography (e.g., payload, field level, transport, storage, agility, encryption, algorithm selection)
- Access control (e.g., trust zones, function permissions, Role Based Access Control (RBAC))
- Processor microarchitecture security extensions (e.g., Software Guard Extensions (SGX), Advanced Micro Devices (AMD) Secure Memory Encryption (SME)/Secure Encrypted Virtualization (SEV), ARM TrustZone)
Analyze Code for Security Risks
- Secure code reuse
- Vulnerability databases/lists (e.g., Open Web Application Security Project (OWASP) Top 10, Common Weakness Enumeration (CWE))
- Static Application Security Testing (SAST) (e.g., automated code coverage, linting)
- Dynamic Application Security Testing (DAST)
- Manual code review (e.g., individual, peer)
- Look for malicious code (e.g., backdoors, logic bombs, high entropy)
- Interactive Application Security Testing (IAST)
Implement Security Controls (e.g., watchdogs, File Integrity Monitoring (FIM), anti-malware)
Address Security Risks (e.g. remediation, mitigation, transfer, accept)
Securely Reuse Third-Party Code or Libraries (e.g., Software Composition Analysis (SCA))
Securely Integrate Components
- Systems-of-systems integration (e.g., trust contracts, security testing and analysis)
Apply Security During the Build Process
- Anti-tampering techniques (e.g., code signing, obfuscation)
- Compiler switches
- Address compiler warnings

Secure Software Testing - 14%

Develop Security Test Cases
- Attack surface validation
- Penetration tests
- Fuzzing (e.g., generated, mutated)
- Scanning (e.g., vulnerability, content, privacy)
- Simulation (e.g., simulating production environment and production data, synthetic workloads)
- Failure (e.g., fault injection, stress testing, break testing)
- Cryptographic validation (e.g., Pseudo-Random Number Generator (PRNG), entropy)
- Regression tests
- Integration tests
- Continuous (e.g., synthetic transactions)
Develop Security Testing Strategy and Plan
- Functional security testing (e.g., logic)
- Nonfunctional security testing (e.g., reliability, performance, scalability)
- Testing techniques (e.g., white box and black box)
- Environment (e.g., interoperability, test harness)
- Standards (e.g., International Organization for Standardization (ISO), Open Source Security Testing Methodology Manual (OSSTMM), Software Engineering Institute (SEI))
- Crowd sourcing (e.g., bug bounty)
Verify and Validate Documentation (e.g., installation and setup instructions, error messages, user guides, release notes)
Identify Undocumented Functionality
Analyze Security Implications of Test Results (e.g., impact on product management, prioritization, break build criteria)
Classify and Track Security Errors
- Bug tracking (e.g., defects, errors and vulnerabilities)
- Risk Scoring (e.g., Common Vulnerability Scoring System (CVSS))
Secure Test Data
- Generate test data (e.g., referential integrity, statistical quality, production representative)
- Reuse of production data (e.g., obfuscation, sanitization, anonymization, tokenization, data aggregation mitigation)
Perform Verification and Validation Testing

Secure Software Lifecycle Management - 11%

Secure Configuration and Version Control (e.g., hardware, software, documentation, interfaces, patching)
Define Strategy and Roadmap
Manage Security Within a Software Development Methodology
- Security in adaptive methodologies (e.g., Agile methodologies)
- Security in predictive methodologies (e.g., Waterfall)
Identify Security Standards and Frameworks
Define and Develop Security Documentation
Develop Security Metrics (e.g., defects per line of code, criticality level, average remediation time, complexity)
Decommission Software
- End of life policies (e.g., credential removal, configuration removal, license cancellation, archiving)
- Data disposition (e.g., retention, destruction, dependencies)
Report Security Status (e.g., reports, dashboards, feedback loops)
Incorporate Integrated Risk Management (IRM)
- Regulations and compliance
- Legal (e.g., intellectual property, breach notification)
- Standards and guidelines (e.g., International Organization for Standardization (ISO), Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), OWASP, Software Assurance Forum for Excellence in Code (SAFECode), Software Assurance Maturity Model (SAMM), Building Security In Maturity Model (BSIMM))
- Risk management (e.g., mitigate, accept, transfer, avoid)
- Terminology (e.g., threats, vulnerability, residual risk, controls, probability, impact)
- Technical risk vs. business risk
Promote Security Culture in Software Development
- Security champions
- Security education and guidance
Implement Continuous Improvement (e.g., retrospective, lessons learned)

Secure Software Deployment, Operations, Maintenance - 12%

Perform Operational Risk Analysis
- Deployment environment
- Personnel training (e.g., administrators vs. users)
- Safety criticality
- System integration
Release Software Securely
- Secure Continuous Integration and Continuous Delivery (CI/CD) pipeline
- Secure software tool chain
- Build artifact verification (e.g., code signing, checksums, hashes)
Securely Store and Manage Security Data
- Credentials
- Secrets
- Keys/certificates
- Configurations
Ensure Secure Installation
- Bootstrapping (e.g., key generation, access, management)
- Least privilege
- Environment hardening
- Secure activation (e.g., credentials, white listing, device configuration, network configuration, licensing)
- Security policy implementation
- Secrets injection (e.g., certificate, Open Authorization (OAUTH) tokens, Secure Shell (SSH) keys)
Perform Post-Deployment Security Testing
Obtain Security Approval to Operate (e.g., risk acceptance, sign-off at appropriate level)
Perform Information Security Continuous Monitoring (ISCM)
- Collect and analyze security observable data (e.g., logs, events, telemetry, and trace data)
- Threat intel
- Intrusion detection/response
- Secure configuration
- Regulation changes
Support Incident Response
- Root cause analysis
- Incident triage
- Forensics
Perform Patch Management (e.g. secure release, testing)
Perform Vulnerability Management (e.g., scanning, tracking, triaging)
Runtime Protection (e.g., Runtime Application Self-Protection (RASP), Web Application Firewall (WAF), Address Space Layout Randomization (ASLR))
Support Continuity of Operations
- Backup, archiving, retention
- Disaster recovery (DR)
- Resiliency (e.g., operational redundancy, erasure code, survivability)
Integrate Service Level Objectives (SLO) and Service Level Agreements (SLA) (e.g., maintenance, performance, availability, qualified personnel)

Secure Software Supply Chain - 11%

Implement Software Supply Chain Risk Management
- Identify
- Assess
- Respond
- Monitor
Analyze Security of Third-Party Software
Verify Pedigree and Provenance
- Secure transfer (e.g., interdiction mitigation)
- System sharing/interconnections
- Code repository security
- Build environment security
- Cryptographically-hashed, digitally-signed components
- Right to audit
Ensure Supplier Security Requirements in the Acquisition Process
- Audit of security policy compliance (e.g., secure software development practices)
- Vulnerability/incident notification, response, coordination, and reporting
- Maintenance and support structure (e.g., community versus commercial, licensing)
- Security track record


NEW QUESTION # 160
Which of the following are the initial steps required to perform a risk analysis process? Each correct answer represents a part of the solution. Choose three.

  • A. Establish the threats likelihood and regularity.
  • B. Evaluate potential threats to the assets.
  • C. Valuations of the critical assets in hard costs.
  • D. Estimate the potential losses to assets by determining their value.

Answer: A,B,D

Explanation:
The main steps of performing risk analysis are as follows: estimate the potential losses to the assets by determining their value; evaluate the potential threats to the assets; establish the threats' probability and regularity. Answer A is incorrect. Valuation of the critical assets in hard costs is one of the final steps, taken after the risk analysis has been performed.


NEW QUESTION # 161
You work as an analyst for Tech Perfect Inc. You want to prevent information flow that may cause a conflict of interest in your organization representing competing clients. Which of the following security models will you use?

  • A. Clark-Wilson model
  • B. Biba model
  • C. Chinese Wall model
  • D. Bell-LaPadula model

Answer: C

Explanation:
The Chinese Wall Model is the basic security model developed by Brewer and Nash. This model prevents information flow that may cause a conflict of interest in an organization representing competing clients. The Chinese Wall Model provides both privacy and integrity for data. Answer D is incorrect. The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject. Answer C is incorrect. The Clark-Wilson model provides a foundation for specifying and analyzing an integrity policy for a computing system. The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. The model's enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the model is based on the notion of a transaction. Answer A is incorrect. The Bell-LaPadula Model is a state machine model used for enforcing access control in government and military applications. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret") down to the least sensitive (e.g., "Unclassified" or "Public"). The Bell-LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model, which describes rules for the protection of data integrity.


NEW QUESTION # 162
Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment?

  • A. Phase 2
  • B. Phase 3
  • C. Phase 4
  • D. Phase 1

Answer: B

Explanation:
Phase 3 of DITSCAP C&A is known as Validation. The goal of Phase 3 is to validate that the preceding work has produced an IS that operates in a specified computing environment. Answer C is incorrect. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements. Answer A is incorrect. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. Answer B is incorrect. This phase ensures that the system will maintain an acceptable level of residual risk.


NEW QUESTION # 163
Which of the following are the primary functions of configuration management? Each correct answer represents a complete solution. Choose all that apply.

  • A. It ensures that the change is implemented in a sequential manner through formalized testing.
  • B. It analyzes the effect of the change that is implemented on the system.
  • C. It reduces the negative impact that the change might have had on the computing services and resources.
  • D. It removes the risk event entirely by adding additional steps to avoid the event.

Answer: A,B,C

Explanation:
The primary functions of configuration management are as follows: It ensures that the change is implemented in a sequential manner through formalized testing. It ensures that the user base is informed of the future change. It analyzes the effect of the change that is implemented on the system. It reduces the negative impact that the change might have had on the computing services and resources. Answer A is incorrect. It is not one of the primary functions of configuration management. It is the function of risk avoidance.


NEW QUESTION # 164
Which of the following sections come under the ISO/IEC 27002 standard?

  • A. Security policy
  • B. Financial assessment
  • C. Risk assessment
  • D. Asset management

Answer: A,C,D

Explanation:
ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005. This standard contains the following twelve main sections: 1. Risk assessment: it refers to the assessment of risk. 2. Security policy: it deals with security management. 3. Organization of information security: it deals with the governance of information security. 4. Asset management: it refers to the inventory and classification of information assets. 5. Human resources security: it deals with security aspects for employees joining, moving within and leaving an organization. 6. Physical and environmental security: it is related to the protection of computer facilities. 7. Communications and operations management: it is the management of technical security controls in systems and networks. 8. Access control: it deals with the restriction of access rights to networks, systems, applications, functions and data. 9. Information systems acquisition, development and maintenance: it refers to building security into applications. 10. Information security incident management: it refers to anticipating and responding appropriately to information security breaches. 11. Business continuity management: it deals with protecting, maintaining and recovering business-critical processes and systems. 12. Compliance: it is used for ensuring conformance with information security policies, standards, laws and regulations. Answer C is incorrect. Financial assessment does not come under the ISO/IEC 27002 standard.


NEW QUESTION # 165
Which of the following is generally used in packages in order to determine the package or product tampering?

  • A. Tamper evident
  • B. Tamper resistance
  • C. Tamper data
  • D. Tamper proof

Answer: B

Explanation:
Tamper resistance is resistance to tampering by the normal users of a product, package, or system, or by others who can physically access it. It includes simple as well as complex devices; a complex device may encrypt all the information passed between individual chips, or render itself inoperable. Tamper resistance is generally used in packages in order to determine package or product tampering. Answer B is incorrect. Tamper evident specifies a process or device that makes unauthorized access to the protected object easily detected. Answer D is incorrect. Tamper proofing makes computers resistant to interference. Tamper proofing measures include automatic removal of sensitive information, automatic shutdown, and automatic physical locking. Answer C is incorrect. Tamper data is used to view and modify HTTP or HTTPS headers and POST parameters.


NEW QUESTION # 166
Which of the following describes a residual risk as the risk remaining after a risk mitigation has occurred?

  • A. DAA
  • B. DIACAP
  • C. SSAA
  • D. ISSO

Answer: B

Explanation:
DIACAP describes a residual risk as the risk remaining after a risk mitigation has occurred. The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is a process defined by the United States Department of Defense (DoD) for managing risk. DIACAP replaced the former process, known as DITSCAP (Department of Defense Information Technology Security Certification and Accreditation Process), in 2006. DoD Instruction (DoDI) 8510.01 establishes a standard DoD-wide process with a set of activities, general tasks, and a management structure to certify and accredit an Automated Information System (AIS) that will maintain the Information Assurance (IA) posture of the Defense Information Infrastructure (DII) throughout the system's life cycle. DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. It identifies four phases: 1. System Definition 2. Verification 3. Validation 4. Re-Accreditation. Answer D is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information System Security Officer (ISSO) are as follows: manages the security of the information system that is slated for Certification & Accreditation (C&A); ensures the information system's configuration complies with the agency's information security policy; supports the information system owner/information owner in the completion of security-related responsibilities; takes part in the formal configuration management process; prepares Certification & Accreditation (C&A) packages. Answer C is incorrect. The Designated Approving Authority (DAA), in the United States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. The DAA is responsible for implementing system security.
The DAA can grant the accreditation and can determine that the system's risks are not at an acceptable level and the system is not ready to be operational. Answer B is incorrect. The System Security Authorization Agreement (SSAA) is an information security document used in the United States Department of Defense (DoD) to describe and accredit networks and systems. The SSAA is part of the Department of Defense Information Technology Security Certification and Accreditation Process, or DITSCAP (superseded by DIACAP). The DoD instruction (issued in December 1997) that describes DITSCAP and provides an outline for the SSAA document is DODI 5200.40. The DITSCAP application manual (DoD 8510.1-M), published in July 2000, provides additional details.


NEW QUESTION # 167
Which of the following terms refers to the protection of data against unauthorized access?

  • A. Confidentiality
  • B. Recovery
  • C. Integrity
  • D. Auditing

Answer: A

Explanation:
Confidentiality is a term that refers to the protection of data against unauthorized access. Administrators can provide confidentiality by encrypting data. Symmetric encryption is a relatively fast encryption method; hence, it is best suited for encrypting large amounts of data such as files on a computer. Answer A is incorrect. Integrity ensures that no intentional or unintentional unauthorized modification is made to data. Answer C is incorrect. Auditing is used to track user accounts for file and object access, logon attempts, system shutdown, etc. This enhances the security of the network. Before enabling auditing, the type of event to be audited should be specified in the Audit Policy in User Manager for Domains.


NEW QUESTION # 168
Fill in the blank with an appropriate security type.
______ applies the internal security policies of the software applications when they are deployed.

  • A. Programmatic security

Answer: A

Explanation:
Programmatic security applies the internal security policies of the software applications when they are deployed. In this type of security, the code of the software application controls the security behavior, and authentication decisions are made based on the business logic, such as the user role or the task performed by the user in a specific security context.


NEW QUESTION # 169
Which of the following processes provides a standard set of activities, general tasks, and a management structure to certify and accredit systems, which maintain the information assurance and the security posture of a system or site?

  • A. NSA-IAM
  • B. ASSET
  • C. NIACAP
  • D. DITSCAP

Answer: C

Explanation:
NIACAP is a process that provides a standard set of activities, general tasks, and a management structure to certify and accredit systems that maintain the information assurance and the security posture of a system or site. Answer D is incorrect. DITSCAP is a process that establishes a standard process, a set of activities, general task descriptions, and a management structure to certify and accredit the IT systems that will maintain the required security posture. Answer A is incorrect. The NSA-IAM evaluates information systems at a high level and uses a subset of the SSE-CMM process areas to measure the implementation of information security on these systems. Answer C is incorrect. ASSET is a tool developed by NIST to automate the process of self-assessment through the use of the questionnaire in NIST.


NEW QUESTION # 170
Which of the following organizations assists the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies?

  • A. NSA/CSS
  • B. NIST
  • C. OMB
  • D. DCAA

Answer: C

Explanation:
The Office of Management and Budget (OMB) is a Cabinet-level office, and is the largest office within the Executive Office of the President (EOP) of the United States. The current OMB Director is Peter Orszag, who was appointed by President Barack Obama. The OMB's predominant mission is to assist the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies. In helping to formulate the President's spending plans, the OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. The OMB ensures that agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies.
Answer D is incorrect. The DCAA has the aim to monitor contractor costs and perform contractor audits.
Answer C is incorrect. The National Security Agency/Central Security Service (NSA/CSS) is a cryptologic intelligence agency of the United States government. It is administered as part of the United States Department of Defense. NSA is responsible for the collection and analysis of foreign communications and foreign signals intelligence, which involves cryptanalysis. NSA is also responsible for protecting U.S. government communications and information systems from similar agencies elsewhere, which involves cryptography. NSA is a key component of the U.S. Intelligence Community, which is headed by the Director of National Intelligence. The Central Security Service is a co-located agency created to coordinate intelligence activities and co-operation between NSA and U.S. military cryptanalysis agencies. NSA's work is limited to communications intelligence. It does not perform field or human intelligence activities.
Answer B is incorrect. The National Institute of Standards and Technology (NIST), known between 1901 and 1988 as the National Bureau of Standards (NBS), is a measurement standards laboratory and a non-regulatory agency of the United States Department of Commerce. The institute's official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.


NEW QUESTION # 171
FIPS 199 defines the three levels of potential impact on organizations. Which of the following potential impact levels shows limited adverse effects on organizational operations, organizational assets, or individuals?

  • A. Low
  • B. Moderate
  • C. High
  • D. Medium

Answer: A

Explanation:
The potential impact is called low if the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Answer C is incorrect. Such a potential impact level does not exist. Answer A is incorrect. The potential impact is known to be moderate if the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Answer D is incorrect. The potential impact is called high if the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.


NEW QUESTION # 172
Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use?

  • A. Role-Based Access Control
  • B. Discretionary Access Control
  • C. Mandatory Access Control
  • D. Policy Access Control

Answer: A

Explanation:
Role-based access control (RBAC) is an access control model. In this model, a user can access resources according to his role in the organization. For example, a backup administrator is responsible for taking backups of important data. Therefore, he is only authorized to access this data for backing it up. However, sometimes users with different roles need to access the same resources. This situation can also be handled using the RBAC model. Mandatory Access Control (MAC) is incorrect; it is a model that uses a predefined set of access privileges for an object of the system. Access to an object is restricted on the basis of the sensitivity of the object and granted through authorization. Sensitivity of an object is defined by the label assigned to it. For example, if a user receives a copy of an object that is marked as "secret", he cannot grant permission to other users to see this object unless they have the appropriate permission. Answer A is incorrect. DAC is an access control model. In this model, the data owner has the right to decide who can access the data. This model is commonly used in PC environments. The basis of this model is the use of Access Control Lists (ACL). Answer C is incorrect. There is no such access control model as Policy Access Control.


NEW QUESTION # 173
Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis process when Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the following statements best defines what quantitative risk analysis will review?

  • A. The quantitative risk analysis process will review risk events for their probability and impact on the project objectives.
  • B. The quantitative risk analysis seeks to determine the true cost of each identified risk event and the probability of each risk event to determine the risk exposure.
  • C. The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project's competing demands.
  • D. The quantitative risk analysis reviews the results of risk identification and prepares the project for risk response management.

Answer: C

Explanation:
Once the risk events have passed through qualitative risk analysis, they must be reviewed to determine the effect of the risks on the project's competing demands. Answer A is incorrect. While the quantitative risk analysis process does review the risk events for probability and impact, this statement does not answer the question as completely as answer option C. Answer B is incorrect. The quantitative risk analysis process does not review every risk identified, only the risks which require further analysis. Answer D is incorrect. The quantitative risk analysis process does not begin the risk response process; its goal is to determine the effect of certain risk events on the project's competing demands.


NEW QUESTION # 174
You work as a security engineer for BlueWell Inc. Which of the following documents will you use as a guide for the security certification and accreditation of Federal Information Systems?

  • A. NIST Special Publication 800-60
  • B. NIST Special Publication 800-37
  • C. NIST Special Publication 800-59
  • D. NIST Special Publication 800-53

Answer: B

Explanation:
NIST has developed a suite of documents for conducting Certification & Accreditation (C&A). These documents are as follows:
  • NIST Special Publication 800-37: a guide for the security certification and accreditation of Federal Information Systems.
  • NIST Special Publication 800-53: a guideline for security controls for Federal Information Systems.
  • NIST Special Publication 800-53A: techniques and procedures for verifying the effectiveness of security controls in Federal Information Systems.
  • NIST Special Publication 800-59: a guideline for identifying an information system as a National Security System.
  • NIST Special Publication 800-60: a guide for mapping types of information and information systems to security objectives and impact levels.
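The impact-level definitions in the Q171 explanation at the top of this section and the SP 800-60 mapping described above meet in one calculation: the FIPS 199 security categorization of a system. The following is an added example, not part of the original page or of any NIST publication: it takes the provisional impact of each information type a system handles and applies the high-water-mark rule that FIPS 199 itself prescribes, first across information types for each security objective and then across the three objectives. The information types and their impact values are constructed for illustration; the real provisional values are published in SP 800-60 Volume II.

```python
"""Added example (not from the page): FIPS 199 security categorization of a
system from the impact levels of the information types it stores or
processes.  INFO_TYPES and their values are constructed for illustration."""

LEVELS = ("low", "moderate", "high")            # ordered, lowest first
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed provisional impacts, one row per information type.
INFO_TYPES = {
    "public_web_content": {"confidentiality": "low", "integrity": "moderate", "availability": "low"},
    "customer_pii":       {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "payment_records":    {"confidentiality": "high", "integrity": "high", "availability": "moderate"},
}


def high_water_mark(levels):
    """Highest impact level among an iterable of level names."""
    levels = list(levels)
    if not levels:
        raise ValueError("no impact levels to aggregate")
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level {lvl!r}")
    return max(levels, key=LEVELS.index)


def categorize_system(info_type_names):
    """Per-objective impact = high-water mark across the system's information
    types; overall system impact = high-water mark across the objectives.
    Returns (per_objective_dict, overall_level)."""
    per_objective = {
        obj: high_water_mark(INFO_TYPES[name][obj] for name in info_type_names)
        for obj in OBJECTIVES
    }
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def format_sc(system_name, per_objective, overall):
    """Render in FIPS 199 notation:
    SC system = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    triples = ", ".join(f"({obj}, {lvl.upper()})" for obj, lvl in per_objective.items())
    return f"SC {system_name} = {{{triples}}}; overall impact {overall.upper()}"


if __name__ == "__main__":
    per_obj, overall = categorize_system(["public_web_content", "customer_pii"])
    print(format_sc("customer portal", per_obj, overall))
    per_obj, overall = categorize_system(["customer_pii", "payment_records"])
    print(format_sc("billing system", per_obj, overall))
```

The overall level is what selects the SP 800-53 control baseline (low, moderate or high), which is why a single high-impact information type, payment_records in the constructed data, pulls the whole billing system to HIGH even though its availability impact is only MODERATE.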


NEW QUESTION # 175
Adrian is the project manager of the NHP Project. In her project there are several work packages that deal with electrical wiring. Rather than manage the risk internally, she has decided to hire a vendor to complete all work packages that deal with electrical wiring. By moving the wiring work from the project team to a licensed electrician, Adrian feels more comfortable that the project team will be safe. What type of risk response has Adrian used in this example?

  • A. Acceptance
  • B. Transference
  • C. Avoidance
  • D. Mitigation

Answer: B

Explanation:
This is an example of transference. When the risk is transferred to a third party, usually for a fee, a contractual relationship is created under which the third party manages the risk on behalf of the performing organization.
Risk response planning is the process of developing options to decrease threats and make the most of opportunities. The response chosen should be aligned with the consequence of the risk and be cost-effective. The plan documents the processes for managing risk events: the risk owners and their responsibilities, risk identification, the results of the qualitative and quantitative analyses, budgets and times for responses, and contingency plans. The risk response strategies are as follows:
  • Risk acceptance: the project team has decided not to change the project management plan to deal with the risk, or cannot identify any other suitable response strategy.
  • Risk avoidance: a strategy for a threat that changes the project management plan so as to eliminate the risk or protect the project objectives from its impact.
  • Risk mitigation: specific actions taken to reduce the probability of occurrence or the impact of a risk below an acceptable threshold.
  • Risk transference: shifts the impact of a threat to a third party, together with ownership of the response.


NEW QUESTION # 176
DRAG DROP
RCA (root cause analysis) is an iterative and reactive method that identifies the root cause of various incidents, and the actions required to prevent these incidents from reoccurring. RCA is classified in various categories. Choose appropriate categories and drop them in front of their respective functions.

Answer:

Explanation:
The categories of root cause analysis (RCA) are as follows:
  • Safety-based RCA: draws on plans from the health and safety areas.
  • Production-based RCA: integrates quality control paradigms.
  • Process-based RCA: integrates business processes.
  • Failure-based RCA: integrates the failure analysis processes used in engineering and maintenance.
  • Systems-based RCA: integrates methods from risk analysis and systems analysis.


NEW QUESTION # 177
......


Career Opportunities

(ISC)2 CSSLP is an ideal option for security professionals and software development specialists because it helps fortify and validate the skills needed to perform their tasks efficiently. Holders of this certificate can explore numerous career opportunities and take up job titles such as Security Manager, Cybersecurity Engineer, and Security Consultant. They can also work as Information Managers, Information Security Consultants, Testing Managers, Information Security Managers, and IT Security Analysts. Their income will depend on their role, but as a possible average salary they can expect about $98,000 per year.

 

Instant Download CSSLP Dumps Q&As Provide PDF&Test Engine: https://www.itpassleader.com/ISC/CSSLP-dumps-pass-exam.html

Fast Exam Updates CSSLP dumps with PDF Test Engine Practice: https://drive.google.com/open?id=1iTCVbsi9h9jLzZySuQWIvt-AgXiaRluQ
